Bug 103961 - Security - Fix heap overflow with X cursor files
Summary: Security - Fix heap overflow with X cursor files
Alias: None
Product: Wayland
Classification: Unclassified
Component: wayland (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Wayland bug list
QA Contact:
Depends on:
Reported: 2017-11-28 20:41 UTC by Tobias Stoeckmann
Modified: 2017-11-29 09:41 UTC (History)

wayland-xcursor.patch (1.56 KB, patch)
2017-11-28 20:41 UTC, Tobias Stoeckmann

Description Tobias Stoeckmann 2017-11-28 20:41:52 UTC
Created attachment 135783

Fix heap overflows when parsing malicious files.

It is possible to trigger heap overflows due to an integer overflow
while parsing images.

The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.

This patch is ported from libXcursor:
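The arithmetic the report describes, worked through as an added example; this is not the attached patch, whose contents are not shown on this page. It models the 32-bit case with uint32_t so the wrap is reproducible on a 64-bit host, keeps the report's 0x10000 dimension limit and 4 bytes per pixel, and adds an explicit overflow check before the multiplications; the function names and the 0x8000 x 0x8001 header values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constants taken from the bug report: each pixel is 4 bytes and the
 * pre-fix parser accepted dimensions up to 0x10000. */
#define BYTES_PER_PIXEL      4u
#define OLD_DIMENSION_LIMIT  0x10000u

/* Pre-fix arithmetic as it behaves with a 32-bit size_t (modelled with
 * uint32_t): the product wraps silently, so the caller allocates a buffer
 * that is far smaller than the pixel data it is about to read. */
static uint32_t unchecked_pixel_bytes32(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL; /* wraps modulo 2^32 */
}

/* What the pixel reader will actually try to store, computed without
 * truncation. The gap between this and the allocation is the overflow. */
static uint64_t bytes_reader_wants(uint32_t width, uint32_t height)
{
    return (uint64_t)width * height * BYTES_PER_PIXEL;
}

/* Hardened size computation (a generic technique, not the attached patch):
 * keep the dimension limit, then prove each multiplication fits in 32 bits
 * before performing it. Returns 0 and stores the size on success, -1 when
 * the header is rejected. */
static int checked_pixel_bytes32(uint32_t width, uint32_t height, uint32_t *out)
{
    uint32_t pixels;

    if (width == 0 || height == 0)
        return -1;
    if (width > OLD_DIMENSION_LIMIT || height > OLD_DIMENSION_LIMIT)
        return -1;
    /* width * height must fit in 32 bits ... (width is non-zero here) */
    if (height > UINT32_MAX / width)
        return -1;
    pixels = width * height;
    /* ... and so must pixels * BYTES_PER_PIXEL. */
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)
        return -1;
    *out = pixels * BYTES_PER_PIXEL;
    return 0;
}

int main(void)
{
    /* Constructed header values: both dimensions pass the 0x10000 limit,
     * yet width * height * 4 exceeds 2^32. */
    uint32_t width = 0x8000, height = 0x8001;
    uint32_t alloc = unchecked_pixel_bytes32(width, height);
    uint64_t wanted = bytes_reader_wants(width, height);
    uint32_t safe;

    printf("unchecked: allocate %u bytes, reader writes %llu bytes (shortfall %llu)\n",
           alloc, (unsigned long long)wanted,
           (unsigned long long)(wanted - alloc));
    printf("checked:   %s\n",
           checked_pixel_bytes32(width, height, &safe) == 0 ? "accepted" : "rejected");

    /* A realistic cursor size passes the hardened check unchanged. */
    if (checked_pixel_bytes32(64, 64, &safe) == 0)
        printf("checked:   64x64 cursor needs %u bytes\n", safe);
    return 0;
}
```

With the constructed header the unchecked path allocates 131072 bytes while the reader wants just over 4 GiB, which is exactly the under-allocation the report describes. The alternative fix is to lower the dimension limit so that limit * limit * 4 can never reach 2^32; the explicit check above has the advantage of staying correct whatever limit is chosen.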
Comment 1 Olivier Fourdan 2017-11-29 07:46:46 UTC
Thanks for the patch.

Can you post it to the xorg-devel mailing list where it can be reviewed (see https://www.x.org/wiki/Development/Documentation/SubmittingPatches/), copying the wayland-devel mailing list as well (for Xwayland it's always good to copy both)?

Also, for security issues (although I don't think this qualifies here, at worst you'd get a DoS) it's better to send an email to the X.Org security team at xorg-security@lists.x.org (see https://www.x.org/wiki/Development/Security/).
Comment 2 Olivier Fourdan 2017-11-29 07:48:36 UTC
Oh, sorry, my bad, this is for libwayland, please ignore my last post...
Comment 3 Olivier Fourdan 2017-11-29 07:49:45 UTC
Well, the part about sending the patch to the wayland-devel mailing list would still help with the review :)
Comment 4 Pekka Paalanen 2017-11-29 08:00:38 UTC
The patch looks good to me, and while we usually do reviews on the mailing list indeed, I decided to take this and push it, since the change is trivial and looks good to me.

   2420056..5d201df  master -> master

I'll see about stable branches a bit later, so let's not close this bug quite yet.
Comment 5 Pekka Paalanen 2017-11-29 09:41:56 UTC
should let the fix trickle into distributions before we get to making a new release.