https://bugzilla.redhat.com/show_bug.cgi?id=1037975
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
Whiteboard
  Removed: impact=moderate,public=20130716,reported=20131204,source=osssec,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,fedora-all/pixman=new,fedora-all/mingw-pixman=new,epel-5/mingw32-pixman=new,rhel-5/pixman=affected,rhel-6/pixman=new,rhel-7/pixman=new
  Added:   impact=moderate,public=20130716,reported=20131204,source=osssec,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,fedora-all/pixman=affected,fedora-all/mingw-pixman=affected,epel-5/mingw32-pixman=affected,rhel-5/pixman=affected,rhel-6/pixman=affected,rhel-7/pixman=affected

Flags
  Added:   needinfo?(ajax@redhat.com)
--- Comment #4 from Huzaifa S. Sidhpurwala huzaifas@redhat.com ---
Adam,
If you look at the valgrind output from the above reproducer, there is an invalid read and an invalid write on the heap, which really seems to be user controllable. Looking at the code, the issue is in pixman/pixman-edge.c:
    210    WRITE (image, ap + lxi,
    211           clip255 (READ (image, ap + lxi) + rxs - lxs));
This leads me to conclude that there could be a possibility of arbitrary user-controlled code execution (which means I need to raise the impact to important etc.). Was wondering if you could take a look and let me know if you think otherwise?