Bug #6642: Fix buffer overflow in Render. (CVE 2006-1526, patch from Eric

Anholt)
author: Adam Jackson <ajax@nwnk.net> 2006-05-02 14:37:49 +0000
committer: Adam Jackson <ajax@nwnk.net> 2006-05-02 14:37:49 +0000
commit: ba9d2461f97c25248e7ef0b8a0e00b244f613444 (patch)
tree: 8562abade78da6036361a93644c0013cc7057e04
parent: 1246fc2eba3e4fd1eab1d1f9172847bea5b9f077 (diff)
2 files changed, 8 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 87a3558c8..48eef698b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2006-05-02  Adam Jackson  <ajax@freedesktop.org>
+
+	* render/mitri.c:
+	Bug #6642: Fix buffer overflow in Render.  (CVE 2006-1526, patch
+	from Eric Anholt)
+
 2006-04-28  Adam Jackson  <ajax@freedesktop.org>
 
 	* configure.ac:
diff --git a/render/mitri.c b/render/mitri.c
index 974225350..bc2641895 100644
--- a/render/mitri.c
+++ b/render/mitri.c
@@ -145,7 +145,7 @@ miTriStrip (CARD8	    op,
     if (npoint < 3)
 	return;
     ntri = npoint - 2;
-    tris = ALLOCATE_LOCAL (ntri & sizeof (xTriangle));
+    tris = ALLOCATE_LOCAL (ntri * sizeof (xTriangle));
     if (!tris)
 	return;
     for (tri = tris; npoint >= 3; npoint--, points++, tri++)
@@ -177,7 +177,7 @@ miTriFan (CARD8		op,
     if (npoint < 3)
 	return;
     ntri = npoint - 2;
-    tris = ALLOCATE_LOCAL (ntri & sizeof (xTriangle));
+    tris = ALLOCATE_LOCAL (ntri * sizeof (xTriangle));
     if (!tris)
 	return;
     first = points++;
author	Adam Jackson <ajax@nwnk.net>	2006-05-02 14:37:49 +0000
committer	Adam Jackson <ajax@nwnk.net>	2006-05-02 14:37:49 +0000
commit	ba9d2461f97c25248e7ef0b8a0e00b244f613444 (patch)
tree	8562abade78da6036361a93644c0013cc7057e04
parent	1246fc2eba3e4fd1eab1d1f9172847bea5b9f077 (diff)