libwayland-cursor heap overflow fix
ppaalanen at gmail.com
Wed Nov 29 09:39:09 UTC 2017
I would like to bring to your attention a patch I have just merged into

Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Tue Nov 28 21:38:07 2017 +0100

cursor: Fix heap overflows when parsing malicious files.

It is possible to trigger heap overflows due to an integer overflow
while parsing images.

The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.

See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8

Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
[Pekka: add link to the corresponding libXcursor commit]
Signed-off-by: Pekka Paalanen <pekka.paalanen at collabora.co.uk>

This fix is not yet in any release, so would be nice if distributions
cherry-picked this into what they ship, the pick should be trivial for
any release so far.

The issue has existed in libwayland-cursor ever since it was
introduced, before wayland 1.0.0 release.
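
The arithmetic the commit message describes, as an added example that is not part of the original message or of the libwayland-cursor source. It assumes uint32_t as a stand-in for a 32-bit size_t; the function names and sample dimensions are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DIM_LIMIT       0x10000u /* dimension limit named in the commit message */
#define BYTES_PER_PIXEL 4u       /* each pixel takes 4 bytes */

/* Assumption: uint32_t models size_t on a 32-bit system, so the wrap
 * reproduces on a 64-bit host too. All names here are hypothetical. */
typedef uint32_t size32_t;

/* Unchecked size: the product is silently reduced modulo 2^32. */
static size32_t pixel_bytes_unchecked(uint32_t w, uint32_t h)
{
    return w * h * BYTES_PER_PIXEL;
}

/* Bytes the subsequent pixel reads actually need. */
static uint64_t pixel_bytes_needed(uint32_t w, uint32_t h)
{
    return (uint64_t)w * h * BYTES_PER_PIXEL;
}

/* Checked size: reject any image whose byte count does not fit in 32 bits.
 * The comparison divides instead of multiplying, so it cannot wrap itself. */
static bool pixel_bytes_checked(uint32_t w, uint32_t h, size32_t *out)
{
    if (w == 0 || h == 0 || w > DIM_LIMIT || h > DIM_LIMIT)
        return false;
    if (h > UINT32_MAX / BYTES_PER_PIXEL / w)
        return false;
    *out = w * h * BYTES_PER_PIXEL;
    return true;
}

int main(void)
{
    uint32_t w = 0x8001, h = 0x8000; /* constructed; both below the limit */
    size32_t n = 0;

    printf("allocated: %u bytes\n", (unsigned)pixel_bytes_unchecked(w, h));
    printf("needed:    %llu bytes\n", (unsigned long long)pixel_bytes_needed(w, h));
    printf("checked:   %s\n", pixel_bytes_checked(w, h, &n) ? "accepted" : "rejected");
    return 0;
}
```

With these dimensions the unchecked product wraps to 0x20000 bytes while the pixel data needs 0x100020000 bytes, which is the undersized allocation the commit message refers to.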