CVE-2010-4819
Description
The ProcRenderAddGlyphs function in the Render extension (render/render.c) in X.Org xserver 1.7.7 and earlier allows local users to read arbitrary memory and possibly cause a denial of service (server crash) via unspecified vectors related to an "input sanitization flaw."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.7.7
Patches
Vulnerability mechanics
Root cause
"Missing bounds check on the nglyphs parameter in ProcRenderAddGlyphs allows out-of-bounds pointer arithmetic."
Attack vector
A local attacker sends a crafted Render extension request to the X server with a large or otherwise malicious `nglyphs` value. Because the `ProcRenderAddGlyphs` function did not validate that the computed `gi` and `bits` pointers stayed within the request buffer, the subsequent loop could read arbitrary server memory or cause a crash. This is an improper input validation flaw [CWE-20].
Affected code
The vulnerability is in the `ProcRenderAddGlyphs` function in `render/render.c` of the X.Org xserver. The function lacked bounds checking on the `nglyphs` parameter, allowing pointer arithmetic to produce out-of-bounds pointers (`gi` and `bits`) that could then be dereferenced in the glyph-processing loop.
What the fix does
The patch adds a bounds check after computing the `gi` and `bits` pointers from `nglyphs`. It verifies that both pointers lie within the valid request buffer range (`stuff` to `stuff + client->req_len`). If either pointer is out of bounds, the function returns `BadLength` and bails out, preventing any out-of-bounds memory access in the glyph-processing loop.
Preconditions
- authThe attacker must be able to send arbitrary Render extension requests to the X server (local access).
- inputThe attacker must craft a request with a malicious nglyphs value that causes pointer arithmetic to overflow or point outside the request buffer.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- aix.software.ibm.com/aix/efixes/security/X_advisory2.ascnvd
- cgit.freedesktop.org/xorg/xserver/commit/render/render.cnvd
- rhn.redhat.com/errata/RHSA-2011-1359.htmlnvd
- rhn.redhat.com/errata/RHSA-2011-1360.htmlnvd
- securitytracker.com/idnvd
- www.openwall.com/lists/oss-security/2011/09/22/8nvd
- www.openwall.com/lists/oss-security/2011/09/23/5nvd
- bugs.freedesktop.org/show_bug.cginvd
News mentions
0No linked articles in our index yet.