CVSROOT: /cvs
Module name: xenocara
Changes by: matth...@cvs.openbsd.org 2016/10/04 09:09:40
Modified files:
lib/libXv/src : Xv.c
Log message:
Protocol handling issues in libXv
The Xv query functions for adaptors and encodings suffer from out of boundary
accesses if a hostile X server sends a maliciously crafted response.
A previous fix already checks the received length against fixed values but
ignores additional length specifications which are stored inside the received
data.
These lengths are accessed in a for-loop. The easiest way to guarantee a
correct processing is by validating all lengths against the remaining size
left before accessing referenced memory.
This makes the previously applied check obsolete, therefore I removed it.
>From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
