FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libXcursor -- integer overflow that can lead to heap buffer overflow

Affected packages
libXcursor < 1.1.15

Details

VuXML ID ddecde18-e33b-11e7-a293-54e1ad3d6335
Discovery 2017-11-28
Entry 2017-12-17

The freedesktop.org project reports:

It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments.

The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads.

References

CVE Name CVE-2017-16612
URL http://seclists.org/oss-sec/2017/q4/339
URL https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8