libwayland-cursor heap overflow fix

Pekka Paalanen ppaalanen at gmail.com
Wed Nov 29 09:39:09 UTC 2017


Hi all,

I would like to bring to your attention a patch I have just merged into
wayland master:

https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38

commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date:   Tue Nov 28 21:38:07 2017 +0100

    cursor: Fix heap overflows when parsing malicious files.
    
    It is possible to trigger heap overflows due to an integer overflow
    while parsing images.
    
    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.
    
    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
    
    Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
    [Pekka: add link to the corresponding libXcursor commit]
    Signed-off-by: Pekka Paalanen <pekka.paalanen at collabora.co.uk>

This fix is not yet in any release, so it would be nice if distributions
cherry-picked this into what they ship; the pick should be trivial for
any release so far.

The issue has existed in libwayland-cursor ever since it was
introduced, before wayland 1.0.0 release.


Thanks,
pq
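The commit message above describes the bug only in words: a dimension bound of 0x10000 is too lax because width * height * 4 can exceed 32 bits, so on a 32-bit system the buffer sized from that product is smaller than the pixel data later read into it. The following C program is an added example, not code from libwayland-cursor, libXcursor or the commit linked above; it reproduces the wrap in uint32_t arithmetic (so it also runs on 64-bit hosts), shows the pre-fix dimension check beside a hardened one, and reports whether the resulting allocation would be short. The tighter bound 0x7fff used in the hardened check is an assumption made for this example (it is the largest square whose byte count still fits in 32 bits), as are all function and macro names; consult the linked commits for the values the projects actually chose.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example (not libwayland-cursor code): how a dimension bound
 * of 0x10000 lets width * height * 4 wrap in a 32-bit size_t, so the
 * buffer allocated for the pixel data is smaller than what the parser
 * then reads into it.  Arithmetic is done in uint32_t so the wrap
 * reproduces on a 64-bit host as well.
 */

/* The bound the vulnerable code applied to width and height. */
#define OLD_MAX_DIM  0x10000u

/*
 * Assumed bound for the hardened check (chosen for this example):
 * 0x7fff * 0x7fff * 4 = 0xfffc0004, the largest square that still
 * fits in 32 bits.  Check the real fix for the value the project uses.
 */
#define SAFE_MAX_DIM 0x7fffu

#define ALLOC_REJECTED (-1)

/* Byte count as a 32-bit size_t would compute it: wraps modulo 2^32. */
uint32_t pixel_bytes_u32(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Byte count the parser really needs, computed without wrap. */
uint64_t pixel_bytes_exact(uint32_t width, uint32_t height)
{
    return (uint64_t)width * height * 4u;
}

/*
 * Vulnerable pattern: bound the dimensions, then multiply in 32 bits.
 * Returns the number of bytes that would be allocated, or ALLOC_REJECTED.
 */
int64_t vulnerable_alloc_size(uint32_t width, uint32_t height)
{
    if (width > OLD_MAX_DIM || height > OLD_MAX_DIM)
        return ALLOC_REJECTED;
    return pixel_bytes_u32(width, height);
}

/*
 * Hardened pattern: tighter bound plus an overflow-checked product, so the
 * file is rejected before any allocation is sized from wrapped arithmetic.
 */
int64_t safe_alloc_size(uint32_t width, uint32_t height)
{
    uint64_t bytes;

    if (width > SAFE_MAX_DIM || height > SAFE_MAX_DIM)
        return ALLOC_REJECTED;
    bytes = pixel_bytes_exact(width, height);
    if (bytes > UINT32_MAX)   /* unreachable given the bound; kept as a second line of defence */
        return ALLOC_REJECTED;
    return (int64_t)bytes;
}

/* True when the allocation would be smaller than the data read into it. */
bool allocation_is_short(uint32_t width, uint32_t height, int64_t allocated)
{
    return allocated >= 0 &&
           (uint64_t)allocated < pixel_bytes_exact(width, height);
}

int main(void)
{
    /* Constructed header values a malicious cursor file could carry:
     * 0x10000 * 0x4001 * 4 = 0x100040000, which wraps to 0x40000. */
    const uint32_t w = 0x10000, h = 0x4001;
    int64_t vuln = vulnerable_alloc_size(w, h);
    int64_t safe = safe_alloc_size(w, h);

    printf("needed : %llu bytes\n", (unsigned long long)pixel_bytes_exact(w, h));
    printf("old    : %lld bytes allocated, short=%d\n",
           (long long)vuln, allocation_is_short(w, h, vuln));
    printf("fixed  : %lld (negative = rejected)\n", (long long)safe);
    return 0;
}
```

With width 0x10000 and height 0x4001 the pre-fix check passes, the 32-bit product wraps to 262144 bytes, and the parser then reads over 4 GiB of pixel data into that buffer; the hardened check rejects the header outright. Note that the bound alone is not what makes the second version safe on every platform: the explicit overflow check is what keeps the allocation honest if the bound is ever relaxed.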