libwayland-cursor heap overflow fix

Pekka Paalanen ppaalanen at
Wed Nov 29 09:39:09 UTC 2017

Hi all,

I would like to bring to your attention a patch I have just merged into
wayland master:

commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
Author: Tobias Stoeckmann <tobias at>
Date:   Tue Nov 28 21:38:07 2017 +0100

    cursor: Fix heap overflows when parsing malicious files.

    It is possible to trigger heap overflows due to an integer overflow
    while parsing images.

    The integer overflow occurs because the chosen limit 0x10000 for
    dimensions is too large for 32 bit systems, because each pixel takes
    4 bytes. Properly chosen values allow an overflow which in turn will
    lead to less allocated memory than needed for subsequent reads.

    See also:

    Signed-off-by: Tobias Stoeckmann <tobias at>
    [Pekka: add link to the corresponding libXcursor commit]
    Signed-off-by: Pekka Paalanen <pekka.paalanen at>

This fix is not yet in any release, so it would be nice if distributions
cherry-picked this into what they ship; the pick should be trivial for
any release so far.

The issue has existed in libwayland-cursor ever since it was
introduced, before wayland 1.0.0 release.
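
The arithmetic behind the overflow described in the commit message, as an added example that is not part of the original post and is not the libwayland-cursor code. It models a 32-bit size_t with uint32_t; the function names and sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM 0x10000u        /* per-dimension limit named in the commit message */
#define BYTES_PER_PIXEL 4u      /* each pixel takes 4 bytes */

/* Bytes the pixel data really occupies, computed without wrapping. */
static uint64_t needed_bytes(uint32_t width, uint32_t height)
{
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* Allocation size as a 32-bit size_t would compute it: wraps modulo 2^32. */
static uint32_t unchecked_size32(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened variant: returns 0 and stores the size, or -1 when the
 * dimensions are out of range or the byte count does not fit in 32 bits. */
static int checked_size32(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return -1;
    /* width * height * 4 <= UINT32_MAX  <=>  width <= UINT32_MAX / 4 / height */
    if (width > UINT32_MAX / BYTES_PER_PIXEL / height)
        return -1;
    *out = width * height * BYTES_PER_PIXEL;
    return 0;
}

int main(void)
{
    /* Constructed sample: both dimensions pass the 0x10000 limit. */
    uint32_t w = 0x8001u, h = 0x8000u, size = 0;

    printf("needed:    %llu bytes\n", (unsigned long long)needed_bytes(w, h));
    printf("allocated: %u bytes (32-bit arithmetic)\n", unchecked_size32(w, h));
    printf("checked:   %s\n",
           checked_size32(w, h, &size) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the sample dimensions the wrapped size is 0x20000 bytes while the pixel data needs over 4 GiB, which is the "less allocated memory than needed for subsequent reads" condition from the commit message.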
