scorpionit / rpms / xorg-x11-server

Forked from rpms/xorg-x11-server 4 years ago
Clone
Source Code
GIT

Files

ajax/upstream f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f7 f8 f9 master olpc2 olpc3 private-1_2-branch private-unbreak-domain-branch
  1.   f8
  2.   cve-2008-2360.patch
Blob Blame History Raw 
diff -up ./render/glyph.c.cve-2008-2360 ./render/glyph.c
--- ./render/glyph.c.cve-2008-2360	2006-07-06 04:31:44.000000000 +1000
+++ ./render/glyph.c	2008-05-29 16:22:06.000000000 +1000
@@ -43,6 +43,12 @@
 #include "picturestr.h"
 #include "glyphstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#else 
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /*
  * From Knuth -- a good choice for hash/rehash values is p, p-2 where
  * p and p-2 are both prime.  These tables are sized to have an extra 10%
@@ -627,8 +633,14 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
     int		     size;
     GlyphPtr	     glyph;
     int		     i;
+    size_t padded_width;
+
+    padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+
+    if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+        return 0;
 
-    size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+    size = gi->height * padded_width;
     glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
     if (!glyph)
 	return 0;
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.