blob: 9e5c16f7d3b90ca4a328ee5290d536d2a3989da7 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
|
Description: overflow of cliprect kmalloc as args->num_cliprects is not bounded and passed in via a user ioctl
References:
Notes:
Bugs:
upstream: released (3.4) [ed8cd3b2cd61004cab85380c52b1817aca1ca49b]
2.6.32-upstream-stable: N/A "Introduced in 2.6.39 with 8408c282"
sid: released (3.2.17-1)
2.6.32-squeeze-security: N/A "Introduced in 2.6.39 with 8408c282"
3.2-upstream-stable: released (3.2.17) [a9206caacef21a1eeee7083d8fb188cfeb15fd52]
|
