[3.4] libXfixes: Integer overflow on illegal server response (CVE-2016-7944)ID: oval:org.secpod.oval:def:1800740 | Date: (C)2018-03-29 (M)2023-11-10 |
Class: PATCH | Family: unix |
When receiving a response from the server protocol data is not validated sufficiently. The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In that case the client won"t read the whole data from server, getting out of sync. Affected versions : libXfixes Fixed In Version: libXfixes 5.0.3
Platform: |
Alpine Linux 3.4 |