Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap

creation, where we could create a far smaller pixmap than we thought, allowing changes to arbitrary chunks of memory. (Søren Sandmann Pedersen)
author: Daniel Stone <daniel@fooishbar.org> 2005-09-13 01:33:19 +0000
committer: Daniel Stone <daniel@fooishbar.org> 2005-09-13 01:33:19 +0000
commit: c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 (patch)
tree: 0afd730bf28bc833a2e7ba13070190448bf56bfa /cfb/cfbpixmap.c
parent: b290884719e18646326f0c2412c2494a07fe3cfd (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/cfb/cfbpixmap.c b/cfb/cfbpixmap.c
index f7e06bd13..704ab4eda 100644
--- a/cfb/cfbpixmap.c
+++ b/cfb/cfbpixmap.c
@@ -72,10 +72,13 @@ cfbCreatePixmap (pScreen, width, height, depth)
     int		depth;
 {
     PixmapPtr pPixmap;
-    int datasize;
-    int paddedWidth;
+    size_t datasize;
+    size_t paddedWidth;
 
     paddedWidth = PixmapBytePad(width, depth);
+
+    if (paddedWidth / 4 > 32767 || height > 32767)
+	return NullPixmap;
     datasize = height * paddedWidth;
     pPixmap = AllocatePixmap(pScreen, datasize);
     if (!pPixmap)
author	Daniel Stone <daniel@fooishbar.org>	2005-09-13 01:33:19 +0000
committer	Daniel Stone <daniel@fooishbar.org>	2005-09-13 01:33:19 +0000
commit	c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 (patch)
tree	0afd730bf28bc833a2e7ba13070190448bf56bfa /cfb/cfbpixmap.c
parent	b290884719e18646326f0c2412c2494a07fe3cfd (diff)