Created attachment 135783
Fix heap overflows when parsing malicious files.
It is possible to trigger heap overflows due to an integer overflow
while parsing images.
The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.
This patch is ported from libXcursor:
Thanks for the patch.
Can you post it to the xorg-devel mailing list where it can be reviewed (see https://www.x.org/wiki/Development/Documentation/SubmittingPatches/), copying the wayland-devel mailing list as well (for Xwayland it's always good to copy both)?
Also, for security issues (although I don't think this qualifies here, at worst you'd get a DOS) it's better to send an email to the X.Org security team at firstname.lastname@example.org (see https://www.x.org/wiki/Development/Security/)
Oh, sorry, my bad, this is for libwayland, please ignore my last post...
Well, the part about sending the patch to the wayland-devel mailing list would still help with the review :)
The patch looks good to me, and while we usually do reviews on the mailing list indeed, I decided to take this and push it, since the change is trivial and looks good to me.
2420056..5d201df master -> master
I'll see about stable branches a bit later, so let's not close this bug quite yet.
should let the fix trickle into distributions before we get to making a new release.
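The arithmetic behind the report, as an added example that is not part of the thread or of the Wayland patch: it models the 32-bit size computation for a constructed pair of dimensions that pass a 0x10000 limit, then shows a tighter bound rejecting them. The function names and the `NEW_MAX_DIM` value are assumptions made for this sketch, chosen so that width * height * 4 always fits in 32 bits.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define OLD_MAX_DIM 0x10000u   /* limit named in the report above */
#define NEW_MAX_DIM 0x7fffu    /* assumed here: 0x7fff * 0x7fff * 4 < 2^32 */
#define BYTES_PER_PIXEL 4u

/* Byte count as computed with a 32-bit size type. Unsigned wraparound is
 * well defined in C, so this reproduces the truncation on any host. */
uint32_t pixel_bytes_32(uint32_t width, uint32_t height)
{
    uint32_t n = width;
    n *= height;
    n *= BYTES_PER_PIXEL;
    return n;
}

/* Byte count the subsequent pixel reads actually need. */
uint64_t pixel_bytes_true(uint32_t width, uint32_t height)
{
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* Dimension check against a given limit: 1 = accepted, 0 = rejected. */
int dims_ok(uint32_t width, uint32_t height, uint32_t max_dim)
{
    return width != 0 && height != 0 && width <= max_dim && height <= max_dim;
}

/* Hardened size computation: 0 and *out set on success, -1 on rejection. */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t *out)
{
    if (!dims_ok(width, height, NEW_MAX_DIM))
        return -1;
    uint64_t n = pixel_bytes_true(width, height);
    if (n > UINT32_MAX)        /* defence in depth if the limit is ever raised */
        return -1;
    *out = (uint32_t)n;
    return 0;
}

int main(void)
{
    uint32_t w = 0x8001, h = 0x8000, out = 0;   /* constructed sample header */
    printf("old limit accepts: %d\n", dims_ok(w, h, OLD_MAX_DIM));
    printf("32-bit size: %" PRIu32 ", needed: %" PRIu64 "\n",
           pixel_bytes_32(w, h), pixel_bytes_true(w, h));
    printf("checked: %d\n", checked_pixel_bytes(w, h, &out));
    return 0;
}
```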