authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-08 11:14:31 -0600
committerMatthieu Herrb <matthieu@bluenote.herrb.net>2008-06-10 11:42:35 -0600
commitc4937bbb697579ceff0e30b17aca409f56e78566 (patch)
tree4791acd27924a26595f2ef3aeb13522475db8ff1
parentb1a4a96885bf191d5f4afcfb2b41a88631b8412b (diff)
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function, which will cause less memory to be allocated than expected, leading later to the dereferencing of unmapped memory and a crash of the X server.
-rw-r--r--render/render.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index caaa2781c..74c5f6387 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
pScreen = pSrc->pDrawable->pScreen;
width = pSrc->pDrawable->width;
height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
if ( stuff->x > width
|| stuff->y > height )
return (BadMatch);
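Review bot: The new guard in ProcRenderCreateCursor bounds `width * height * sizeof(CARD32)` by `UINT32_MAX`, but the allocation it protects is outside this hunk, so it cannot be confirmed here that this limit matches the type in which the size is actually computed. If `width` and `height` are narrow integer types that get promoted to `int` before the later multiplication (their declarations are not visible), a product above `INT_MAX` but below `UINT32_MAX` would pass this check and still overflow. The bound should be tied to the allocation's own arithmetic, for example by computing the size once in `size_t` and reusing that value for the allocation. A comment would also help, such as `/* reject dimensions whose width*height*sizeof(CARD32) would overflow the cursor bits allocation below */`. The function body starts and ends outside the hunk.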