Description: overflow of cliprect kmalloc as args->num_cliprects is not bounded and passed in via a user ioctl
References:
Notes:
Bugs:
upstream: released (3.4) [ed8cd3b2cd61004cab85380c52b1817aca1ca49b]
2.6.32-upstream-stable: N/A "Introduced in 2.6.39 with 8408c282"
sid: released (3.2.17-1)
2.6.32-squeeze-security: N/A "Introduced in 2.6.39 with 8408c282"
3.2-upstream-stable: released (3.2.17) [a9206caacef21a1eeee7083d8fb188cfeb15fd52]