Skip to content
Commit c00fdf2c authored by Tobias Stöckmann's avatar Tobias Stöckmann Committed by Julien Cristau
Browse files

render: Fix out of boundary heap access 



ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
be protected against an integer overflow during length check. This is
already included in ProcRenderCreateLinearGradient since the fix for
CVE-2008-2362.

This can only be successfully exploited on a 32 bit system for an
out of boundary read later on. Validated by using ASAN.

Reviewed-by: default avatarAdam Jackson <ajax@redhat.com>
(cherry picked from commit ac15d4ce)
parent 2ab093a5
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment