reply.length & reply.size are CARD32s and need to be bounds checked before multiplying or adding to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
||
---|---|---|
.. | ||
dmx | ||
kdrive | ||
vfb | ||
xfree86 | ||
xnest | ||
xquartz | ||
xwin | ||
Makefile.am |