authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-10 12:22:30 -0600
committerMatthieu Herrb <matthieu@bluenote.herrb.net>2008-06-10 12:30:31 -0600
commit5677751a0480426beaefc990303c7ade963eb137 (patch)
tree98a17e50326d4d6e8f18246b3c173d0b2d44058b
parentf7c40a003d85b8a83d55a33d362f2a364f4ab702 (diff)
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server.
-rw-r--r--render/render.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index 16b8eb3c3..7787e18ae 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1569,6 +1569,8 @@ ProcRenderCreateCursor (ClientPtr client)
pScreen = pSrc->pDrawable->pScreen;
width = pSrc->pDrawable->width;
height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
if ( stuff->x > width
|| stuff->y > height )
return (BadMatch);
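Review bot: The added guard `if (height && width > UINT32_MAX/(height*sizeof(CARD32)))` has no comment tying it to the allocation it protects, which sits further down ProcRenderCreateCursor outside this hunk, so a later refactor could move or drop it without realising it is the CVE-2008-2361 fix. I would put `/* Reject dimensions whose width * height * sizeof(CARD32) byte count would overflow 32 bits (CVE-2008-2361) */` directly above it. The check also depends on `UINT32_MAX` being defined, and no `<stdint.h>` include is visible here, so confirm it is in scope on every supported platform. A zero width or height passes the guard and presumably results in a zero-byte allocation request; whether the code after this hunk tolerates that is worth checking.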