diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-09 14:40:33 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 17:32:22 -0700 |
commit | d05f27a6f74cb419ad5a437f2e4690b17e7faee5 (patch) | |
tree | 9516240caef811a674c6fce9ab4d4dddeccbdb25 /man | |
parent | ca84a813716f9de691dc3f60390d83af4b5ae534 (diff) |
integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]
If the computed number of entries is large enough that it overflows when
multiplied by the size of a xColorItem struct, or is treated as negative
when compared to the size of the stack allocated buffer, then memory
corruption can occur when more bytes are read from the X server than the
size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'man')
0 files changed, 0 insertions, 0 deletions