mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 04:40:02 +01:00
fce91bcbe2
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().
To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.
CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| meson.build | ||
| randr.c | ||
| randrstr.h | ||
| randrstr_priv.h | ||
| rrcrtc.c | ||
| rrdispatch.c | ||
| rrinfo.c | ||
| rrlease.c | ||
| rrmode.c | ||
| rrmonitor.c | ||
| rroutput.c | ||
| rrpointer.c | ||
| rrproperty.c | ||
| rrprovider.c | ||
| rrproviderproperty.c | ||
| rrscreen.c | ||
| rrsdispatch.c | ||
| rrtransform.c | ||
| rrtransform.h | ||
| rrxinerama.c | ||