Various RandR extension calls do not check that the lengths and/or indexes sent by the client are within the bounds specified by the caller or the bounds of the memory allocated to hold the request read from the client, so could read or write past the bounds of allocated memory while processing the request. These calls all occur only after a client has successfully authenticated itself.
Created attachment 962152 [details] 0013-randr_unvalidated_lengths_in_RandR_extension_swapped_procs_CVE-2014-8101.patch
OOb read via client request causing X server crash.
External References: http://www.x.org/wiki/Development/Security/Advisory-2014-12-09/
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1982 https://rhn.redhat.com/errata/RHSA-2014-1982.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Via RHSA-2014:1983 https://rhn.redhat.com/errata/RHSA-2014-1983.html