Created attachment 135783 wayland-xcursor.patch

Fix heap overflows when parsing malicious files.

It is possible to trigger heap overflows due to an integer overflow while parsing images. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

This patch is ported from libXcursor: https://cgit.freedesktop.org/xorg/lib/libXcursor/patch/?id=4794b5dd34688158fb51a2943032569d3780c4b8
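The size calculation described in the report above, as an added example that is not part of the attached patch or of the libwayland or libXcursor sources. It models a 32-bit `size_t` with `uint32_t` so the wrap is visible on any host; the function names and `SAFE_MAX_DIM` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define OLD_MAX_DIM     0x10000u /* dimension limit named in the report */
#define SAFE_MAX_DIM    0x7fffu  /* assumption: illustrative bound; 0x7fff * 0x7fff * 4 < 2^32 */
#define BYTES_PER_PIXEL 4u       /* each pixel takes 4 bytes */

/* Byte count as a 32-bit size_t computes it: the product wraps modulo 2^32. */
static uint32_t pixel_bytes_32bit(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked variant: returns the byte count, or -1 if the image must be rejected. */
static int64_t pixel_bytes_checked(uint32_t width, uint32_t height, uint32_t max_dim)
{
    if (width == 0 || height == 0 || width > max_dim || height > max_dim)
        return -1;
    /* Widen before multiplying so the true size is visible. */
    uint64_t bytes = (uint64_t)width * height * BYTES_PER_PIXEL;
    if (bytes > UINT32_MAX) /* would not fit a 32-bit allocation size */
        return -1;
    return (int64_t)bytes;
}

int main(void)
{
    /* Constructed header values: both pass a "<= 0x10000" dimension check. */
    uint32_t w = 0x8000, h = 0x8000;
    printf("pixels to read:         %llu\n", (unsigned long long)w * h);
    printf("32-bit allocation size: %u\n", (unsigned)pixel_bytes_32bit(w, h));
    printf("checked, old limit:     %lld\n",
           (long long)pixel_bytes_checked(w, h, OLD_MAX_DIM));
    printf("checked, tighter limit: %lld\n",
           (long long)pixel_bytes_checked(0x7fff, 0x7fff, SAFE_MAX_DIM));
    return 0;
}
```

With the old limit the dimension check alone accepts the constructed values, and only the widened multiplication catches that the buffer would be smaller than the pixel data read into it.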
Thanks for the patch. Can you post it to the xorg-devel mailing list where it can be reviewed (see https://www.x.org/wiki/Development/Documentation/SubmittingPatches/), copying wayland-devel mailing list as well (for Xwayland it's always good to copy both)? Also, for security issues (although I don't think this qualifies here, at worst you'd get a DoS) it's better to send an email to the X.Org security team at xorg-security@lists.x.org (see https://www.x.org/wiki/Development/Security/).
Oh, sorry, my bad, this is for libwayland, please ignore my last post...
Well, the part about sending the patch to the wayland-devel mailing list would still help with the review :)
The patch looks good to me, and while we usually do reviews on the mailing list indeed, I decided to take this and push it, since the change is trivial and looks good to me.

2420056..5d201df master -> master

I'll see about stable branches a bit later, so let's not close this bug quite yet.
https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html should let the fix trickle into distributions before we get to making a new release.