author | Matthieu Herrb <matthieu@blues.laas.fr> | 2007-01-09 14:14:19 +0100 |
---|---|---|
committer | Matthieu Herrb <matthieu@blues.laas.fr> | 2007-01-09 14:14:19 +0100 |
commit | e3aa6ad201eb20862c11c000e76206e317a96dc9 (patch) | |
tree | 9f1f4226c44f90e299ab6201cec1874c09c4d8ad /render | |
parent | 359d20532bdcef6a540a551578d000afbb609c2d (diff) |
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
Diffstat (limited to 'render')
-rw-r--r-- | render/render.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/render/render.c b/render/render.c
index 126d08daf..348d4c611 100644
--- a/render/render.c
+++ b/render/render.c
@@ -47,6 +47,12 @@
 #include <X11/Xfuncproto.h>
 #include "cursorstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int ProcRenderQueryVersion (ClientPtr pClient);
 static int ProcRenderQueryPictFormats (ClientPtr pClient);
 static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1105,11 +1111,14 @@ ProcRenderAddGlyphs (ClientPtr client)
 }
 nglyphs = stuff->nglyphs;
+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+ return BadAlloc;
+
 if (nglyphs <= NLOCALGLYPH)
 glyphsBase = glyphsLocal;
 else
 {
- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
 if (!glyphsBase)
 return BadAlloc;
 }
@@ -1166,7 +1175,7 @@ ProcRenderAddGlyphs (ClientPtr client)
 }
 if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
 return client->noClientException;
 bail:
 while (glyphs != glyphsBase)
@@ -1175,7 +1184,7 @@ bail:
 xfree (glyphs->glyph);
 }
 if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
 return err;
 } |
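Review bot: `#if HAVE_STDINT_H` in the first hunk tests the macro's value rather than its presence, so a build that leaves it undefined relies on the preprocessor treating the name as 0 and warns under `-Wundef`; `#ifdef HAVE_STDINT_H` states the intent directly. Whether the configuration header that defines the macro is included above this point is not visible in the hunk. A short comment such as `/* UINT32_MAX bounds client-supplied counts before size multiplications */` would tell readers why the constant is pulled in here.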
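Review bot: The guard added before the allocation in the second hunk only stops `nglyphs * sizeof (GlyphNewRec)` from wrapping; nothing in the hunk ties the client-supplied `nglyphs` to the length of the request, so a count just under the limit still reaches `Xalloc` with a very large size. If the request-length validation happens later in ProcRenderAddGlyphs (the body continues outside the hunk), it would be safer to perform it before allocating, so the server never reserves more glyph records than the request can describe. The bound is `UINT32_MAX` while the product is computed in `size_t`, which is only sufficient if the allocator's size parameter is at least 32 bits wide; a comment such as `/* nglyphs is client-controlled: reject counts whose byte size would overflow */` would record that assumption.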
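Review bot: With `glyphsBase` now coming from the heap, every exit from ProcRenderAddGlyphs after the allocation has to reach one of the two `Xfree (glyphsBase)` calls, the one in the third hunk and the one under `bail:` in the fourth. The code between the hunks is not visible, so any direct `return` there should be checked and routed through `goto bail`; under `ALLOCATE_LOCAL` (presumably stack-based) such a path was harmless, but now it would leak on an error a client can provoke repeatedly. The bail loop frees with the lower-case `xfree (glyphs->glyph)`, so `xfree (glyphsBase);` would keep the spelling consistent within the function, assuming `xfree` is the project's usual wrapper.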