diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2017-03-13 19:13:14 +0100 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2017-03-13 16:54:20 -0400 |
commit | ac15d4cecca377c5c31ab852c39bbd554ca48fe2 (patch) | |
tree | 344bfa3cb89405d62718e5f191c0b3219a5695c0 | |
parent | 0c1574d9882a91b2c1a046bf4ac5a9b138a37965 (diff) |
render: Fix out of boundary heap access
ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
be protected against an integer overflow during length check. This is
already included in ProcRenderCreateLinearGradient since the fix for
CVE-2008-2362.
This can only be successfully exploited on a 32 bit system for an
out of boundary read later on. Validated by using ASAN.
Reviewed-by: Adam Jackson <ajax@redhat.com>
-rw-r--r-- | render/render.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index 8dc1f3425..ccae49a41 100644 --- a/render/render.c +++ b/render/render.c @@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); + if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); + if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; |