diff options
| author | Adam Jackson <ajax@redhat.com> | 2008-01-18 14:41:20 -0500 |
|---|---|---|
| committer | Julien Cristau <jcristau@debian.org> | 2008-01-18 21:01:32 +0100 |
| commit | b6d4cdf64f43ae805beada6122c8be2ed138742c (patch) | |
| tree | 8ebe078b0ca5584324bdd1d4e5e5a9109baa74c4 /Xext | |
| parent | 19b95cdd1d14a1e7d1abba1880ab023c96f19bf5 (diff) | |
CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8. If bpp < 8 then we're already
protected from overflow by the width and height checks.
(cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5)
Diffstat (limited to 'Xext')
| -rw-r--r-- | Xext/shm.c | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/Xext/shm.c b/Xext/shm.c index 5633be904..6f99e9064 100644 --- a/Xext/shm.c +++ b/Xext/shm.c @@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap( } if (width > 32767 || height > 32767) return BadAlloc; - size = PixmapBytePad(width, depth) * height; - if (sizeof(size) == 4) { - if (size < width * height) - return BadAlloc; - /* thankfully, offset is unsigned */ - if (stuff->offset + size < size) - return BadAlloc; - } if (stuff->depth != 1) { @@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap( client->errorValue = stuff->depth; return BadValue; } + CreatePmap: + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) @@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client) } if (width > 32767 || height > 32767) return BadAlloc; - size = PixmapBytePad(width, depth) * height; - if (sizeof(size) == 4) { - if (size < width * height) - return BadAlloc; - /* thankfully, offset is unsigned */ - if (stuff->offset + size < size) - return BadAlloc; - } if (stuff->depth != 1) { @@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client) client->errorValue = stuff->depth; return BadValue; } + CreatePmap: + size = PixmapBytePad(width, depth) * height; + if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { + if (size < width * height) + return BadAlloc; + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; + } + VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pDraw->pScreen, stuff->width, |