summaryrefslogtreecommitdiff
path: root/afb
diff options
context:
space:
mode:
authorDaniel Stone <daniel@fooishbar.org>2005-09-13 01:33:19 +0000
committerDaniel Stone <daniel@fooishbar.org>2005-09-13 01:33:19 +0000
commitc3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 (patch)
tree0afd730bf28bc833a2e7ba13070190448bf56bfa /afb
parentb290884719e18646326f0c2412c2494a07fe3cfd (diff)
Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap
creation, where we could create a far smaller pixmap than we thought, allowing changes to arbitrary chunks of memory. (Søren Sandmann Pedersen)
Diffstat (limited to 'afb')
-rw-r--r--afb/afbpixmap.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/afb/afbpixmap.c b/afb/afbpixmap.c
index a155c101b..c6ae8481c 100644
--- a/afb/afbpixmap.c
+++ b/afb/afbpixmap.c
@@ -77,10 +77,14 @@ afbCreatePixmap(pScreen, width, height, depth)
int depth;
{
PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
paddedWidth = BitmapBytePad(width);
+
+ if (paddedWidth > 32767 || height > 32767 || depth > 4)
+ return NullPixmap;
+
datasize = height * paddedWidth * depth;
pPixmap = AllocatePixmap(pScreen, datasize);
if (!pPixmap)