author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2008-06-08 11:14:31 -0600 |
---|---|---|
committer | Matthieu Herrb <matthieu@bluenote.herrb.net> | 2008-06-10 11:42:35 -0600 |
commit | c4937bbb697579ceff0e30b17aca409f56e78566 (patch) | |
tree | 4791acd27924a26595f2ef3aeb13522475db8ff1 | |
parent | b1a4a96885bf191d5f4afcfb2b41a88631b8412b (diff) |
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the
size of the glyph to be allocated by the ProcRenderCreateCursor()
function which will cause less memory to be allocated than expected,
leading later to dereferencing un-mapped memory, causing a crash of
the X server.
-rw-r--r-- | render/render.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index caaa2781c..74c5f6387 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
 pScreen = pSrc->pDrawable->pScreen;
 width = pSrc->pDrawable->width;
 height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
 if ( stuff->x > width || stuff->y > height )
 return (BadMatch); |
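Review bot: The new guard after `height = pSrc->pDrawable->height;` has no comment tying it to the allocation it protects, and that allocation lies outside this hunk, so a later edit to the size expression could drift away from the check unnoticed. I would put `/* reject dimensions whose width * height * sizeof(CARD32) buffer size would wrap (CVE-2008-2361) */` above the `if`; the size expression there is inferred from the check and the commit message, so confirm it against the allocation call. The bound is `UINT32_MAX` whatever type the size is actually computed in, which looks conservative where the size type is wider than 32 bits and is worth saying in that comment. The macro also needs `<stdint.h>`, which this commit does not add, so it is worth confirming that render.c already gets it on every supported platform. ProcRenderCreateCursor's body starts and ends outside the hunk.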