diff options
| author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2008-06-10 12:22:30 -0600 |
|---|---|---|
| committer | Jeremy Huddleston <jeremyhu@freedesktop.org> | 2008-06-11 11:33:50 -0700 |
| commit | 87e94198432603d1ede6d4dabb34f8617e84c18b (patch) | |
| tree | 6e56291801bbba068c53dba5c2e53d95244a20be | |
| parent | b0a9b429613faacb71c0aad3f774a13bd7d985df (diff) | |
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the ProcRenderCreateCursor() function which
will cause less memory to be allocated than expected, leading later to
dereferencing un-mapped memory, causing a crash of the X server.
(cherry picked from commit 5257a0f83d5f3d80d0cd44dd76d047bac3869592)
| -rw-r--r-- | render/render.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index 55f360a44..d7dd80c13 100644 --- a/render/render.c +++ b/render/render.c @@ -1502,6 +1502,8 @@ ProcRenderCreateCursor (ClientPtr client) pScreen = pSrc->pDrawable->pScreen; width = pSrc->pDrawable->width; height = pSrc->pDrawable->height; + if (height && width > UINT32_MAX/(height*sizeof(CARD32))) + return BadAlloc; if ( stuff->x > width || stuff->y > height ) return (BadMatch); |