authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-10 12:21:26 -0600
committerMatthieu Herrb <matthieu@bluenote.herrb.net>2008-06-11 08:06:09 -0600
commitc5f69b297b1227cb802394fa90efdbe1de607f3c (patch)
treedfe07be862bb82a17195b9ca8813ae1a9c1fc1ef
parent063f18ef6d7bf834225ddfd3527e58c078628f5f (diff)
CVE-2008-2360 - RENDER Extension heap buffer overflow
An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow.
-rw-r--r--render/render.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/render/render.c b/render/render.c
index f03f54a2b..16b8eb3c3 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
for (i = 0; i < nglyphs; i++)
{
+ size_t padded_width;
glyph_new = &glyphs[i];
- size = gi[i].height * PixmapBytePad (gi[i].width,
- glyphSet->format->depth);
+
+ padded_width = PixmapBytePad (gi[i].width,
+ glyphSet->format->depth);
+
+ if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
+ break;
+
+ size = gi[i].height * padded_width;
if (remain < size)
break;
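Review bot: The new guard `padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height` limits the product to just under UINT32_MAX, but `size` and `remain` are declared outside the hunk; if they are signed `int`, a product above INT_MAX would still be stored as a negative value and pass `if (remain < size)`. Bounding against the type actually used, for example `padded_width > (INT_MAX - sizeof(GlyphRec)) / gi[i].height`, or declaring `size` as `size_t`, would close that case once the declarations are checked. The subtraction of `sizeof(GlyphRec)` is not explained at the check; a comment such as `/* keep height * padded_width + sizeof(GlyphRec) from wrapping in AllocateGlyph() */` would tie it to the allocation named in the commit message, assuming that is where the header size is added. The loop body and the code reached after `break` continue outside the hunk, so it should be confirmed that this exit is reported to the client as an error and not handled as a short but valid request.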