libXcursor -- integer overflow that can lead to heap buffer overflow
The freedesktop.org project reports:
It is possible to trigger heap overflows due to an integer
overflow while parsing images and a signedness issue while
The integer overflow occurs because the chosen limit 0x10000
for dimensions is too large for 32 bit systems, because each pixel
takes 4 bytes. Properly chosen values allow an overflow which in
turn will lead to less allocated memory than needed for subsequent
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows
the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to
allocate less memory than needed for subsequent reads.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright