Description of the problem:
On 32-bit systems, a large args->num_cliprects from userspace via ioctl may overflow the allocation size, leading to out-of-bounds access.
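The wrap-around described above, as an added example that is not part of the original report or the kernel's own code. It models a 32-bit size_t with uint32_t and assumes an 8-byte element; struct clip_rect and both function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 8-byte element, standing in for the driver's clip rectangle. */
struct clip_rect { uint16_t x1, y1, x2, y2; };

/* Models a 32-bit size_t: the product is truncated to 32 bits, so a
 * large count yields a small allocation size. */
static uint32_t alloc_size_unchecked(uint32_t num_cliprects)
{
    return num_cliprects * (uint32_t)sizeof(struct clip_rect);
}

/* Rejects counts whose byte size cannot be represented in 32 bits. */
static int alloc_size_checked(uint32_t num_cliprects, uint32_t *size)
{
    if (num_cliprects > UINT32_MAX / sizeof(struct clip_rect))
        return -EINVAL;
    *size = num_cliprects * (uint32_t)sizeof(struct clip_rect);
    return 0;
}

int main(void)
{
    /* Constructed sample counts: ordinary, largest valid, two past the limit. */
    const uint32_t samples[] = { 4, 0x1FFFFFFF, 0x20000000, 0x20000001 };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t size = 0;
        int rc = alloc_size_checked(samples[i], &size);

        printf("count=%#x unchecked=%u bytes, checked rc=%d\n",
               (unsigned)samples[i],
               (unsigned)alloc_size_unchecked(samples[i]), rc);
    }
    return 0;
}
```

With the unchecked size, a later loop that walks all num_cliprects elements runs past the end of the undersized buffer; the bound check rejects the request before any allocation happens.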
FYI. This was fixed in 3.3.5 (stable commit 4a265435c87b19175c3906ff49ffe5bf4a4cc228). All Fedora branches are on that or newer already.
Sorry, that should have been stable commit 9f4660213e58b3b78dc75bf3e3b4126dbe9a0b14
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise MRG 2. This issue was addressed in Red Hat Enterprise Linux 6 via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1304 https://rhn.redhat.com/errata/RHSA-2012-1304.html