This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Wed Jan 22 21:11:16 2014 -0800 dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4] ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c --- nx-X11/programs/Xserver/dix/dispatch.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c index 6941456..5ad2f5a 100644 --- a/nx-X11/programs/Xserver/dix/dispatch.c +++ b/nx-X11/programs/Xserver/dix/dispatch.c @@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git