summaryrefslogtreecommitdiff
path: root/render/render.c
authorAdam Jackson <ajax@redhat.com>2010-06-28 22:08:50 (GMT)
committer Keith Packard <keithp@keithp.com>2010-08-20 01:00:18 (GMT)
commit5725849a1b427cd4a72b84e57f211edb35838718 (patch) (side-by-side diff)
treea9c8066fbb53bfcd200d1159282fdedfd4d04db7 /render/render.c
parentfc091936e2bddbbab9c9a501edc5a5f08388617e (diff)
downloadxserver-5725849a1b427cd4a72b84e57f211edb35838718.zip
xserver-5725849a1b427cd4a72b84e57f211edb35838718.tar.gz
render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801)
Signed-off-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Keith Packard <keithp@keithp.com>
Diffstat (limited to 'render/render.c') (more/less context) (ignore whitespace changes)
-rw-r--r--render/render.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index ef233e4..00241f9 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1077,6 +1077,14 @@ ProcRenderAddGlyphs (ClientPtr client)
gi = (xGlyphInfo *) (gids + nglyphs);
bits = (CARD8 *) (gi + nglyphs);
remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+ /* protect against bad nglyphs */
+ if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+ bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+ err = BadLength;
+ goto bail;
+ }
+
for (i = 0; i < nglyphs; i++)
{
size_t padded_width;