ProcDRI2GetBuffers() function call do not check that its calculations for how much memory is needed to handle the client's request have not overflowed, so can result in out of bounds reads or writes. These calls all occur only after a client has successfully authenticated itself. Introduced in xorg-server-1.7.0 (2009).
Created attachment 962135 [details] 0006-dri2_integer_overflow_in_ProcDRI2GetBuffers_CVE-2014-8094.patch
Authenticated client can cause integer overflow on the server which later results in OOB read and consequent crash.
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html