From f912b5ccd3bfb8f0fc0d142feb88871858c07fb0 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu.herrb@laas.fr>
Date: Sun, 8 Jun 2008 11:13:47 -0600
Subject: CVE-2008-2360 - RENDER Extension heap buffer overflow

An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.

On systems where the X  SIGSEGV handler includes a stack trace, more
malloc()-type functions are called, which may lead to other
exploitable issues.
(cherry picked from commit b1a4a96885bf191d5f4afcfb2b41a88631b8412b)
---
 render/glyph.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/render/glyph.c b/render/glyph.c
index 6d09a0e52..2ca02f042 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -42,6 +42,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
@@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
-
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size_t	     padded_width;
+    
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+	return 0;
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
-- 
cgit v1.2.3