[3.2] libXfixes: Integer overflow on illegal server response (CVE-2016-7944)
When receiving a response from the server, the protocol data is not validated
sufficiently.
The 32-bit field “rep.length” is not checked for validity, which allows
an integer overflow on 32-bit systems.
A malicious server could send INT_MAX as the length, which is then multiplied
by the size of XRectangle; on a 32-bit system the product wraps, so the
buffer the client sizes from it does not match the amount of data the reply
claims to carry.
In that case the client will not read all of the data the server sends and
gets out of sync with the protocol stream.
Affected versions:
libXfixes <= 5.0.2
Fixed in version:
libXfixes 5.0.3
References:
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
http://seclists.org/oss-sec/2016/q4/17
Patch:
https://cgit.freedesktop.org/xorg/lib/libXfixes/commit/?id=61c1039ee23a2d1de712843bed3480654d7ef42e
(from redmine: issue id 6310, created on 2016-10-07, closed on 2016-10-25)
- Relations:
- parent #6306 (closed)
- Changesets:
- Revision b405df05 on 2016-10-20T13:24:58Z:
main/libxfixes: security fix (CVE-2016-7944). Fixes #6310