[3.4] libxcursor: heap overflows when parsing malicious files (CVE-2017-16612)
It is possible to trigger heap overflows due to an integer overflow
while parsing images and a signedness issue while parsing comments.
The integer overflow occurs because the chosen limit of 0x10000 for
dimensions is too large for 32-bit systems, since each pixel takes
4 bytes. Suitably chosen values overflow the size computation, which in
turn leads to less memory being allocated than subsequent reads need.
Fixed In Version:
libXcursor 1.1.15
References:
http://openwall.com/lists/oss-security/2017/11/28/6
Patch:
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
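The size arithmetic behind the image-parsing overflow described above, as an added example (not libXcursor code and not the upstream patch). The function names are hypothetical, and `uint32_t` stands in for a 32-bit `size_t` so the wraparound is also visible on a 64-bit host; the signedness issue in comment parsing is not covered.

```c
#include <stdint.h>
#include <stdio.h>

#define DIM_LIMIT       0x10000u  /* per-dimension limit named in the advisory */
#define BYTES_PER_PIXEL 4u        /* each pixel takes 4 bytes */

/* Unchecked size computation: the product wraps modulo 2^32, so the
 * result can be far smaller than the pixel data that will be read. */
static uint32_t pixel_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked computation (hypothetical helper): returns 0 and stores the byte
 * count in *out, or -1 if the dimensions are out of range or the product
 * would not fit in 32 bits. */
static int pixel_bytes_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0 || width > DIM_LIMIT || height > DIM_LIMIT)
        return -1;
    /* width * height * 4 <= UINT32_MAX  <=>  width <= UINT32_MAX / 4 / height */
    if (width > UINT32_MAX / BYTES_PER_PIXEL / height)
        return -1;
    *out = width * height * BYTES_PER_PIXEL;
    return 0;
}

int main(void)
{
    /* Constructed dimensions, both within the 0x10000 limit. */
    uint32_t w = 0x8001u, h = 0x8000u, checked = 0;
    unsigned long long needed = (unsigned long long)w * h * BYTES_PER_PIXEL;

    printf("bytes needed:         %llu\n", needed);
    printf("32-bit size computed: %lu\n",
           (unsigned long)pixel_bytes_unchecked(w, h));
    if (pixel_bytes_checked(w, h, &checked) != 0)
        printf("checked computation rejects %lux%lu\n",
               (unsigned long)w, (unsigned long)h);
    return 0;
}
```

A parser that allocates from the unchecked value and then reads `width * height` pixels writes past the end of the buffer; the checked helper rejects the header before any allocation happens.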
(from redmine: issue id 8230, created on 2017-12-01, closed on 2018-02-20)
- Relations:
  - parent #8227 (closed)
- Changesets:
  - Revision 88aa8f79 by Natanael Copa on 2018-02-20T11:59:17Z:
    main/libxcursor: security upgrade to 1.1.15 (CVE-2017-16612)
    fixes #8230