Tobias Stoeckmann ac15d4cecc render: Fix out of boundary heap access ...

ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
be protected against an integer overflow during length check. This is
already included in ProcRenderCreateLinearGradient since the fix for
CVE-2008-2362.

This can only be successfully exploited on a 32 bit system for an
out of boundary read later on. Validated by using ASAN.

Reviewed-by: Adam Jackson <ajax@redhat.com>

2017-03-13 16:54:20 -04:00

..

animcur.c

render: Use OsTimer for animated cursor timing

2015-12-01 13:56:12 -05:00

filter.c

Convert top level extensions to new *allocarray functions

2015-04-21 16:57:08 -07:00

glyph.c

render: Hide/unexport some implementation details

2015-07-08 16:40:57 -04:00

glyphstr.h

render: Hide/unexport some implementation details

2015-07-08 16:40:57 -04:00

Makefile.am

…

matrix.c

Introduce a consistent coding style

2012-03-21 13:54:42 -07:00

miindex.c

Convert top level extensions to new *allocarray functions

2015-04-21 16:57:08 -07:00

mipict.c

render: Hide/unexport some implementation details

2015-07-08 16:40:57 -04:00

mipict.h

render: Hide/unexport some implementation details

2015-07-08 16:40:57 -04:00

mirect.c

render: Always store client clip as a region

2014-10-23 14:35:49 -07:00

mitrap.c

Introduce a consistent coding style

2012-03-21 13:54:42 -07:00

mitri.c

Introduce a consistent coding style

2012-03-21 13:54:42 -07:00

picture.c

render: free already allocated formats in PictureInit failure case

2016-03-08 10:20:10 -05:00

picture.h

exa: only draw valid trapezoids

2016-06-17 11:21:30 +02:00

picturestr.h

render: Hide/unexport some implementation details

2015-07-08 16:40:57 -04:00

render.c

render: Fix out of boundary heap access

2017-03-13 16:54:20 -04:00