<html> <head> <base href="https://bugs.freedesktop.org/"> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - Security - Fix heap overflow with X cursor files" href="https://bugs.freedesktop.org/show_bug.cgi?id=103961">103961</a> </td> </tr> <tr> <th>Summary</th> <td>Security - Fix heap overflow with X cursor files </td> </tr> <tr> <th>Product</th> <td>Wayland </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>wayland </td> </tr> <tr> <th>Assignee</th> <td>wayland-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Reporter</th> <td>tobias@stoeckmann.org </td> </tr></table> <p> <div> <pre>Created <span class=""><a href="attachment.cgi?id=135783" name="attach_135783" title="wayland-xcursor.patch">attachment 135783</a> <a href="attachment.cgi?id=135783&action=edit" title="wayland-xcursor.patch">[details]</a></span> wayland-xcursor.patch Fix heap overflows when parsing malicious files. It is possible to trigger heap overflows due to an integer overflow while parsing images. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. This patch is ported from libXcursor: <a href="https://cgit.freedesktop.org/xorg/lib/libXcursor/patch/?id=4794b5dd34688158fb51a2943032569d3780c4b8">https://cgit.freedesktop.org/xorg/lib/libXcursor/patch/?id=4794b5dd34688158fb51a2943032569d3780c4b8</a></pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>