integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8] - xorg/lib/libXi - X.org libXi Client library for XInput. (mirrored from https://gitlab.freedesktop.org/xorg/lib/libxi)

diff options

author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-03-09 22:55:23 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-23 08:13:26 -0700
commit	528419b9ef437e7eeafb41bf45e8ff7d818bd845 (patch)
tree	d3cb5f094541bbfd954790eb05a3469b608d1627 /src/XGetDProp.c
parent	242f92b490a695fbab244af5bad11b71f897c732 (diff)

integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]

If the number of events or masks reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, or the sizes overflow as they are totaled up, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them. v2: check that reply size fits inside the data read from the server, so that we don't read out of bounds either Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Diffstat (limited to 'src/XGetDProp.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: