diff options
author | Daniel Stone <daniel@fooishbar.org> | 2005-09-13 01:33:19 +0000 |
---|---|---|
committer | Daniel Stone <daniel@fooishbar.org> | 2005-09-13 01:33:19 +0000 |
commit | c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 (patch) | |
tree | 0afd730bf28bc833a2e7ba13070190448bf56bfa /fb | |
parent | b290884719e18646326f0c2412c2494a07fe3cfd (diff) |
Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap
creation, where we could create a far smaller pixmap than we thought,
allowing changes to arbitrary chunks of memory. (Søren Sandmann
Pedersen)
Diffstat (limited to 'fb')
-rw-r--r-- | fb/fbpixmap.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fb/fbpixmap.c b/fb/fbpixmap.c index 1cb34e4d9..decc07ba6 100644 --- a/fb/fbpixmap.c +++ b/fb/fbpixmap.c @@ -36,12 +36,14 @@ PixmapPtr fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp) { PixmapPtr pPixmap; - int datasize; - int paddedWidth; + size_t datasize; + size_t paddedWidth; int adjust; int base; paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits); + if (paddedWidth / 4 > 32767 || height > 32767) + return NullPixmap; datasize = height * paddedWidth; #ifdef PIXPRIV base = pScreen->totalPixmapSize; |