author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2008-06-10 12:22:30 -0600 |
---|---|---|
committer | Matthieu Herrb <matthieu@bluenote.herrb.net> | 2008-06-11 08:06:10 -0600 |
commit | 5257a0f83d5f3d80d0cd44dd76d047bac3869592 (patch) | |
tree | 0044c130005220efac320bf2aa90c6dfb83a72da | |
parent | c5f69b297b1227cb802394fa90efdbe1de607f3c (diff) |
CVE-2008-2361 - RENDER Extension crash
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the ProcRenderCreateCursor() function which
will cause less memory to be allocated than expected, leading later to
dereferencing un-mapped memory, causing a crash of the X server.
-rw-r--r-- | render/render.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index 16b8eb3c3..7787e18ae 100644 --- a/render/render.c +++ b/render/render.c @@ -1569,6 +1569,8 @@ ProcRenderCreateCursor (ClientPtr client) pScreen = pSrc->pDrawable->pScreen; width = pSrc->pDrawable->width; height = pSrc->pDrawable->height; + if (height && width > UINT32_MAX/(height*sizeof(CARD32))) + return BadAlloc; if ( stuff->x > width || stuff->y > height ) return (BadMatch); |
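Review bot: The added guard in ProcRenderCreateCursor carries no comment naming the computation it protects, and it relies on `UINT32_MAX` without the hunk showing where that macro comes from. The allocation being bounded lies outside the hunk, so I would put `/* width * height * sizeof(CARD32) must not overflow 32 bits */` above the check to tie the divisor to that size expression. If render.c does not already include a header that defines the macro on every supported platform, a fallback such as `#ifndef UINT32_MAX` / `#define UINT32_MAX 0xffffffffU` / `#endif` near the includes keeps the fix buildable there. The function body starts and ends outside the hunk, so any other sizes derived from width and height further down should be checked for the same overflow.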