summaryrefslogtreecommitdiff
path: root/render
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-10 12:23:03 -0600
committerMatthieu Herrb <matthieu@bluenote.herrb.net>2008-06-11 08:06:10 -0600
commit9171206db349a0c6fda719746be0b15049d57aaa (patch)
tree87ddd40f5025541ff23f9e9add3248befc0f8499 /render
parent5257a0f83d5f3d80d0cd44dd76d047bac3869592 (diff)
CVE-2008-2362 - RENDER Extension memory corruption
Integer overflows can occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters.
Diffstat (limited to 'render')
-rw-r--r--render/render.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/render/render.c b/render/render.c
index 7787e18ae..638aa46a3 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1996,6 +1996,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -2584,18 +2586,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
{
- int i;
+ int i, n;
CARD32 *stops;
CARD16 *colors;
stops = (CARD32 *)(stuff);
- for (i = 0; i < n; ++i) {
+ for (i = 0; i < num; ++i) {
swapl(stops, n);
++stops;
}
colors = (CARD16 *)(stops);
- for (i = 0; i < 4*n; ++i) {
+ for (i = 0; i < 4*num; ++i) {
swaps(stops, n);
++stops;
}
@@ -2618,6 +2620,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
swapl(&stuff->nStops, n);
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -2645,6 +2649,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
swapl(&stuff->nStops, n);
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -2669,6 +2675,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
swapl(&stuff->nStops, n);
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;