[Wayland-bugs] [Bug 103961] Security - Fix heap overflow with X cursor files
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Tue Nov 28 20:41:52 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=103961
Bug ID: 103961
Summary: Security - Fix heap overflow with X cursor files
Product: Wayland
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: wayland
Assignee: wayland-bugs at lists.freedesktop.org
Reporter: tobias at stoeckmann.org
Created attachment 135783
--> https://bugs.freedesktop.org/attachment.cgi?id=135783&action=edit
wayland-xcursor.patch
Fix heap overflows when parsing malicious files.
It is possible to trigger heap overflows due to an integer overflow
while parsing images.
The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.
This patch is ported from libXcursor:
https://cgit.freedesktop.org/xorg/lib/libXcursor/patch/?id=4794b5dd34688158fb51a2943032569d3780c4b8
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/wayland-bugs/attachments/20171128/ab4b25a9/attachment-0001.html>
More information about the wayland-bugs
mailing list