From 2c67fab8415a1d32395de87f056bc5f3b37fedb0 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Thu, 13 Aug 2020 18:02:58 +0200 Subject: [PATCH] Fix an integer overflow in init_om() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2020-14363 This can lead to a double free later, as reported by Jayden Rivers. Signed-off-by: Matthieu Herrb (cherry picked from commit acdaaadcb3d85c61fd43669fc5dddf0f8c3f911d) Signed-off-by: Michel Dänzer --- modules/om/generic/omGeneric.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/om/generic/omGeneric.c b/modules/om/generic/omGeneric.c index 22f826ec..bcfb9ab8 100644 --- a/modules/om/generic/omGeneric.c +++ b/modules/om/generic/omGeneric.c @@ -1908,7 +1908,8 @@ init_om( char **required_list; XOrientation *orientation; char **value, buf[BUFSIZ], *bufptr; - int count = 0, num = 0, length = 0; + int count = 0, num = 0; + unsigned int length = 0; _XlcGetResource(lcd, "XLC_FONTSET", "on_demand_loading", &value, &count); if (count > 0 && _XlcCompareISOLatin1(*value, "True") == 0) -- 2.28.0