93929a
From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001
93929a
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
93929a
Date: Thu, 17 Jan 2008 15:26:41 +0100
93929a
Subject: [PATCH] Fix for CVE-2008-0006 - server side part of fix
93929a
72757b
diff -up xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c
72757b
--- xorg-x11-6.8.2/xc/programs/Xserver/dix/dixfonts.c.jx	2004-04-23 15:04:44.000000000 -0400
72757b
+++ xorg-x11-server/dix/dixfonts.c	2008-01-14 11:15:00.000000000 -0500
72757b
@@ -339,6 +339,13 @@ doOpenFont(ClientPtr client, OFclosurePt
72757b
 	err = BadFontName;
72757b
 	goto bail;
72757b
     }
72757b
+    /* check values for firstCol, lastCol, firstRow, and lastRow */
72757b
+    if (pfont->info.firstCol > pfont->info.lastCol ||
72757b
+	pfont->info.firstRow > pfont->info.lastRow ||
72757b
+	pfont->info.lastCol - pfont->info.firstCol > 255) {
72757b
+	err = AllocError;
72757b
+	goto bail;
72757b
+    }
72757b
     if (!pfont->fpe)
72757b
 	pfont->fpe = fpe;
72757b
     pfont->refcnt++;