render: Fix out of boundary heap access

ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be successfully exploited on a 32 bit system for an out of boundary read later on. Validated by using ASAN. Reviewed-by: Adam Jackson <ajax@redhat.com>
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2017-03-13 19:13:14 +0100
committer: Adam Jackson <ajax@redhat.com> 2017-03-13 16:54:20 -0400
commit: ac15d4cecca377c5c31ab852c39bbd554ca48fe2 (patch)
tree: 344bfa3cb89405d62718e5f191c0b3219a5695c0 /render
parent: 0c1574d9882a91b2c1a046bf4ac5a9b138a37965 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index 8dc1f3425..ccae49a41 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2017-03-13 19:13:14 +0100
committer	Adam Jackson <ajax@redhat.com>	2017-03-13 16:54:20 -0400
commit	ac15d4cecca377c5c31ab852c39bbd554ca48fe2 (patch)
tree	344bfa3cb89405d62718e5f191c0b3219a5695c0 /render
parent	0c1574d9882a91b2c1a046bf4ac5a9b138a37965 (diff)