The _nv000053X function iterates over the glyph list and copies glyph data into the buffer using each glyph's accumulated width, xOff, height, and yOff values to calculate the destination position in the buffer. The NVIDIA binary blob driver does not check this calculation against the size of the allocated buffer. As a result, a short sequence of user-supplied glyphs can be used to trick the function into writing to an arbitrary location in memory. ... It is important to note that glyph data is supplied to the X server by the X client. Any remote X client can gain root privileges on the X server using the proof of concept program attached. It is also trivial to exploit this vulnerability as a DoS by causing an existing X client program (such as Firefox) to render a long text string. It may be possible to use Flash movies, Java applets, or embedded web fonts to supply the custom glyph data necessary for reliable remote code execution. A simple HTML page containing an INPUT field with a long value is sufficient to demonstrate the DoS.