diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-01 22:49:01 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:50 -0700 |
commit | 39515b7c3ba8cae9021bf6695e378ae19487082f (patch) | |
tree | cbd40cbf1c6c83f21dd9e18165b87060db4ba766 /COPYING | |
parent | 5669a220816b7d58fcaf0c302ead16fbe5c87817 (diff) |
integer overflow in XListFontsWithInfo() [CVE-2013-1981 3/13]
If the reported number of remaining fonts is too large, the calculations
to allocate memory for them may overflow, leaving us writing beyond the
bounds of the allocation.
v2: Fix reply_left calculations, check calculated sizes fit in reply_left
v3: On error cases, also set values to be returned in pointer args to 0/NULL
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'COPYING')
0 files changed, 0 insertions, 0 deletions