diff options
author | Adam Jackson <ajax@redhat.com> | 2010-06-28 18:08:50 -0400 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2010-08-21 20:41:16 +0100 |
commit | d5248f036470150bd68148755b47abbbae3bfb33 (patch) | |
tree | 1cd3ff09004f85120ef443d941b1c9ab58fee63d | |
parent | 845f0bb1b941e770d88c40afe029e2fedd8655d9 (diff) |
render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 5725849a1b427cd4a72b84e57f211edb35838718)
-rw-r--r-- | render/render.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index 3f7edf7e5..b78c75b70 100644 --- a/render/render.c +++ b/render/render.c @@ -1085,6 +1085,14 @@ ProcRenderAddGlyphs (ClientPtr client) gi = (xGlyphInfo *) (gids + nglyphs); bits = (CARD8 *) (gi + nglyphs); remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs; + + /* protect against bad nglyphs */ + if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) || + bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) { + err = BadLength; + goto bail; + } + for (i = 0; i < nglyphs; i++) { size_t padded_width; |