CVE-2008-2360 - RENDER Extension heap buffer overflow

An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow.
author: Matthieu Herrb <matthieu.herrb@laas.fr> 2008-06-10 12:21:26 -0600
committer: Matthieu Herrb <matthieu@bluenote.herrb.net> 2008-06-11 08:06:09 -0600
commit: c5f69b297b1227cb802394fa90efdbe1de607f3c (patch)
tree: dfe07be862bb82a17195b9ca8813ae1a9c1fc1ef /render/render.c
parent: 063f18ef6d7bf834225ddfd3527e58c078628f5f (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/render/render.c b/render/render.c
index f03f54a2b..16b8eb3c3 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
     for (i = 0; i < nglyphs; i++)
     {
+	size_t padded_width;
 	glyph_new = &glyphs[i];
-	size = gi[i].height * PixmapBytePad (gi[i].width,
-					     glyphSet->format->depth);
+
+	padded_width = PixmapBytePad (gi[i].width,
+				      glyphSet->format->depth);
+
+	if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
+	    break;
+	
+	size = gi[i].height * padded_width;
 	if (remain < size)
 	    break;
author	Matthieu Herrb <matthieu.herrb@laas.fr>	2008-06-10 12:21:26 -0600
committer	Matthieu Herrb <matthieu@bluenote.herrb.net>	2008-06-11 08:06:09 -0600
commit	c5f69b297b1227cb802394fa90efdbe1de607f3c (patch)
tree	dfe07be862bb82a17195b9ca8813ae1a9c1fc1ef /render/render.c
parent	063f18ef6d7bf834225ddfd3527e58c078628f5f (diff)