glamor: Avoid overflow between box32 and box16 box

glamor_compute_transform_clipped_regions() uses a temporary box32
internally which is copied back to a box16 to init the regions16,
thus causing a potential overflow.

If an overflow occurs, the given region is invalid and the pixmap
init region will fail.

Simply check that the coordinates won't overflow when copying back to
the box16, avoiding a crash later down the line in glamor.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Tested-by: Fabrice Bellet <fabrice@bellet.info>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 9869dcb349b49f6d4cc2fab5d927cd8b1d1f463c)

1 files changed, 6 insertions, 5 deletions

diff --git a/glamor/glamor_largepixmap.c b/glamor/glamor_largepixmap.c
index ebfdc9537..f9adb93bc 100644
--- a/glamor/glamor_largepixmap.c
+++ b/glamor/glamor_largepixmap.c
@@ -1,4 +1,5 @@
 #include <stdlib.h>
+#include <stdint.h> /* For INT16_MAX */
 
 #include "glamor_priv.h"
 
@@ -722,11 +723,11 @@ glamor_compute_transform_clipped_regions(PixmapPtr pixmap,
         temp_box.x2 = MIN(temp_box.x2, pixmap->drawable.width);
         temp_box.y2 = MIN(temp_box.y2, pixmap->drawable.height);
     }
-    /* Now copy back the box32 to a box16 box. */
-    short_box.x1 = temp_box.x1;
-    short_box.y1 = temp_box.y1;
-    short_box.x2 = temp_box.x2;
-    short_box.y2 = temp_box.y2;
+    /* Now copy back the box32 to a box16 box, avoiding overflow. */
+    short_box.x1 = MIN(temp_box.x1, INT16_MAX);
+    short_box.y1 = MIN(temp_box.y1, INT16_MAX);
+    short_box.x2 = MIN(temp_box.x2, INT16_MAX);
+    short_box.y2 = MIN(temp_box.y2, INT16_MAX);
     RegionInitBoxes(temp_region, &short_box, 1);
     DEBUGF("copy to temp source region \n");
     DEBUGRegionPrint(temp_region);