authorPeter Hutterer <peter.hutterer@who-t.net>2009-10-01 00:03:42 (GMT)
committer Peter Hutterer <peter.hutterer@who-t.net>2009-10-01 06:00:41 (GMT)
commit622fc98fd08aba98369e6933c3ab8c9ff85385d5 (patch) (side-by-side diff)
tree196e12a99f6b4c8c711a289535b865d9e7a22fd8
parent758ab55d2defc78d0169fd61a7036eb9f889e9e7 (diff)
render: Fix crash in RenderAddGlyphs (#23645)
This patch fixes two bugs: size is calculated as glyph height * padded_width. If the client submits garbage, this may get above INT_MAX, resulting in a negative size if size is unsigned. The sanity checks don't trigger for negative sizes and the server goes and writes into random memory locations. If the client submits glyphs with a width or height 0, the destination pixmap is NULL, causing a null-pointer dereference. Since there's nothing to composite if the width/height is 0, we might as well skip the whole thing anyway. Tested with Xvfb, Xephyr and Xorg. X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--render/render.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/render/render.c b/render/render.c
index a306766..a32d797 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
CARD32 *gids;
xGlyphInfo *gi;
CARD8 *bits;
- int size;
+ unsigned int size;
int err;
int i, screen;
PicturePtr pSrc = NULL, pDst = NULL;
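Review bot: Declaring `size` as `unsigned int` removes the negative value but not the wrap-around, because the product the commit message describes (glyph height * padded width) is still reduced modulo 2^32 when it exceeds UINT_MAX. A wrapped, small `size` could then pass the later length checks just as the negative one did. The multiplication and those checks lie outside this hunk, so whether the operands can get that large is inferred rather than visible here. If they can, bound the operands before multiplying, for example `if (height != 0 && padded_width > UINT_MAX / height)` followed by rejecting the request, where `padded_width` stands for the padded-width expression. Alternatively, compute the product in a 64-bit type and compare that against the remaining request length.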
@@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
ScreenPtr pScreen;
int error;
+ /* Skip work if it's invisibly small anyway */
+ if (!width || !height)
+ break;
+
pScreen = screenInfo.screens[screen];
pSrcPix = GetScratchPixmapHeader (pScreen,
width, height,
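Review bot: The comment on the new `if (!width || !height)` guard understates its purpose. According to the commit message, a zero width or height leaves the destination pixmap NULL and the server dereferences it, so this is a crash fix for client-controlled input rather than an optimisation. I would word it as `/* Zero-sized glyph: the scratch pixmap would be NULL, so skip compositing instead of dereferencing it */` so that nobody later removes the check as dead weight. The loop that `break` leaves starts outside the hunk, so it is worth confirming that the code after that loop also tolerates a glyph for which no pixmap was created.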