libFS: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:33:13 PDT 2013
src/FSOpenServ.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit 26dc23446c2e7818fdebfb46e101bac4883df07e
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sun Apr 14 09:07:32 2013 -0700
Sign extension issue and integer overflow in FSOpenServer() [CVE-2013-1996]
> altlen = (int) *ad++; <-- if char is 0xff, will sign extend to int (0xffffffff == -1)
> alts[i].name = (char *) FSmalloc(altlen + 1); <-- -1 + 1 == 0
> ...
> memmove(alts[i].name, ad, altlen); <-- memory corruption
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
More information about the xorg-commit
mailing list