diff options
| author | Daniel Stone <daniel@fooishbar.org> | 2005-09-13 01:33:19 +0000 |
|---|---|---|
| committer | Daniel Stone <daniel@fooishbar.org> | 2005-09-13 01:33:19 +0000 |
| commit | c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 (patch) | |
| tree | 0afd730bf28bc833a2e7ba13070190448bf56bfa /dix/pixmap.c | |
| parent | b290884719e18646326f0c2412c2494a07fe3cfd (diff) | |
Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap
creation, where we could create a far smaller pixmap than we thought,
allowing changes to arbitrary chunks of memory. (Søren Sandmann
Pedersen)
Diffstat (limited to 'dix/pixmap.c')
| -rw-r--r-- | dix/pixmap.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/dix/pixmap.c b/dix/pixmap.c index f76c557f4..78ce2a8c6 100644 --- a/dix/pixmap.c +++ b/dix/pixmap.c @@ -118,6 +118,9 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) unsigned size; int i; + if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize) + return NullPixmap; + pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize); if (!pPixmap) return NullPixmap; |