Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
DescriptionVasyl Kaigorodov
2014-11-27 16:03:59 UTC
Various Render extension calls do not check that the lengths and/or indexes sent by the
client are within the bounds specified by the caller or the bounds of
the memory allocated to hold the request read from the client, so could
read or write past the bounds of allocated memory while processing the
request. These calls all occur only after a client has successfully
authenticated itself.
Affected functions: ProcRenderQueryVersion(), SProcRenderQueryVersion(),
SProcRenderQueryPictFormats(), SProcRenderQueryPictIndexValues(),
SProcRenderCreatePicture(), SProcRenderChangePicture(),
SProcRenderSetPictureClipRectangles(), SProcRenderFreePicture(),
SProcRenderComposite(), SProcRenderScale(), SProcRenderCreateGlyphSet(),
SProcRenderReferenceGlyphSet(), SProcRenderFreeGlyphSet(),
SProcRenderFreeGlyphs(), SProcRenderCompositeGlyphs()
Introduced in XFree86 4.0.1 (2000).
Included in X.Org releases starting in X11R6.7 (2004).