https://bugzilla.redhat.com/show_bug.cgi?id=1311882
Bug ID: 1311882
Summary: CVE-2014-9766 pixman: integer overflow in create_bits function
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: ajax@redhat.com, alonbl@redhat.com, bmcclain@redhat.com, cfergeau@redhat.com, dblechte@redhat.com, erik-fedora@vanpienbroek.nl, fedora-mingw@lists.fedoraproject.org, gklein@redhat.com, lsurette@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, ogabbay@redhat.com, rbalakri@redhat.com, rh-spice-bugs@redhat.com, rjones@redhat.com, sherold@redhat.com, ydary@redhat.com, yeylon@redhat.com, ykaul@redhat.com

In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int.
External references:
https://web.archive.org/web/20141227044037/http://lists.freedesktop.org/arch...
CVE assignment:
http://seclists.org/oss-sec/2016/q1/425
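
The height * stride overflow described in this report, as an added example that is not pixman's code: it shows what a 32-bit int product wraps to and a size computation done in size_t with a bounds check. The function names are hypothetical, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value a 32-bit int would hold after height * stride wraps. Computed in
 * unsigned arithmetic because signed overflow is undefined behaviour in C. */
static int64_t wrapped_int_product(int height, int stride)
{
    uint32_t w = (uint32_t)height * (uint32_t)stride;   /* modulo 2^32 */
    return (w > (uint32_t)INT32_MAX) ? (int64_t)w - 4294967296LL : (int64_t)w;
}

/* Hypothetical helper: buffer size as height * stride, computed in size_t.
 * Returns 1 and stores the size on success, 0 when an input is not positive
 * or the product does not fit in size_t. */
static int buffer_size_checked(int height, int stride, size_t *out)
{
    if (height <= 0 || stride <= 0)
        return 0;
    if ((size_t)height > SIZE_MAX / (size_t)stride)
        return 0;
    *out = (size_t)height * (size_t)stride;
    return 1;
}

int main(void)
{
    /* Constructed sample dimensions (height, stride in bytes). */
    const int cases[][2] = { {10, 40}, {50000, 50000}, {65536, 65536} };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t n = 0;
        int h = cases[i][0], s = cases[i][1];
        int ok = buffer_size_checked(h, s, &n);

        printf("%d x %d: int product wraps to %lld, ",
               h, s, (long long)wrapped_int_product(h, s));
        if (ok)
            printf("checked size_t size is %zu\n", n);
        else
            printf("checked computation rejects the request\n");
    }
    return 0;
}
```

A wrapped product that is zero or negative is easy to reject; the hazardous case is one that wraps to a small positive value, because the allocation then succeeds with a buffer smaller than the image that will be written into it.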