summaryrefslogtreecommitdiff
path: root/render/render.c
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-10 12:22:30 -0600
committerMatthieu Herrb <matthieu@bluenote.herrb.net>2008-06-11 08:06:10 -0600
commit5257a0f83d5f3d80d0cd44dd76d047bac3869592 (patch)
tree0044c130005220efac320bf2aa90c6dfb83a72da /render/render.c
parentc5f69b297b1227cb802394fa90efdbe1de607f3c (diff)
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server.
Diffstat (limited to 'render/render.c')
-rw-r--r--render/render.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index 16b8eb3c3..7787e18ae 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1569,6 +1569,8 @@ ProcRenderCreateCursor (ClientPtr client)
pScreen = pSrc->pDrawable->pScreen;
width = pSrc->pDrawable->width;
height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
if ( stuff->x > width
|| stuff->y > height )
return (BadMatch);