libXfixes: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:34:50 PDT 2013
configure.ac | 7 +++++++
src/Cursor.c | 34 ++++++++++++++++++++--------------
src/Region.c | 2 +-
src/Xfixesint.h | 14 ++++++++++++++
4 files changed, 42 insertions(+), 15 deletions(-)
New commits:
commit c480fe3271873ec7471b0cbd680f4dac18ca8904
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 10:24:08 2013 -0700
integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
If the reported cursor dimensions or name length are too large, the
calculations to allocate memory for them may overflow, leaving us
writing beyond the bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit b031e3b60fa1af9e49449f23d4a84395868be3ab
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 10:20:59 2013 -0700
Use _XEatDataWords to avoid overflow of _XEatData calculations
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
More information about the xorg-commit
mailing list