render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801)

Signed-off-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 5725849a1b427cd4a72b84e57f211edb35838718)
author: Adam Jackson <ajax@redhat.com> 2010-06-28 18:08:50 -0400
committer: Jeremy Huddleston <jeremyhu@apple.com> 2010-09-04 11:39:03 -0700
commit: f9a9500b2f037a34b2312324505c7810ed03e38b (patch)
tree: 780cfcc7ea7e49cfd6c3e47f3d66b8f29cadee8c
parent: 64f81b80c7c8636044577225685a387cc8a6b564 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index afe4c92e7..277981892 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1085,6 +1085,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     gi = (xGlyphInfo *) (gids + nglyphs);
     bits = (CARD8 *) (gi + nglyphs);
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+    /* protect against bad nglyphs */
+    if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+        bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+        err = BadLength;
+        goto bail;
+    }
+
     for (i = 0; i < nglyphs; i++)
     {
 	size_t padded_width;
author	Adam Jackson <ajax@redhat.com>	2010-06-28 18:08:50 -0400
committer	Jeremy Huddleston <jeremyhu@apple.com>	2010-09-04 11:39:03 -0700
commit	f9a9500b2f037a34b2312324505c7810ed03e38b (patch)
tree	780cfcc7ea7e49cfd6c3e47f3d66b8f29cadee8c
parent	64f81b80c7c8636044577225685a387cc8a6b564 (diff)