Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap

    creation, where we could create a far smaller pixmap than we thought,
    allowing changes to arbitrary chunks of memory. (Søren Sandmann
    Pedersen)

3 files changed, 9 insertions, 0 deletions

diff --git a/exa/exa.c b/exa/exa.c
index 92ff394e2..22f5edd37 100644
--- a/exa/exa.c
+++ b/exa/exa.c
@@ -376,6 +376,9 @@ exaCreatePixmap(ScreenPtr pScreen, int w, int h, int depth)
     ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);
     ExaScreenPriv(pScreen);
 
+    if (w > 32767 || h > 32767)
+	return NullPixmap;
+    
     if (!pScrn->vtSema || pExaScr->swappedOut) {
         pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);
     } else {
diff --git a/exa/exa_accel.c b/exa/exa_accel.c
index 92ff394e2..22f5edd37 100644
--- a/exa/exa_accel.c
+++ b/exa/exa_accel.c
@@ -376,6 +376,9 @@ exaCreatePixmap(ScreenPtr pScreen, int w, int h, int depth)
     ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);
     ExaScreenPriv(pScreen);
 
+    if (w > 32767 || h > 32767)
+	return NullPixmap;
+    
     if (!pScrn->vtSema || pExaScr->swappedOut) {
         pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);
     } else {
diff --git a/exa/exa_migration.c b/exa/exa_migration.c
index 92ff394e2..22f5edd37 100644
--- a/exa/exa_migration.c
+++ b/exa/exa_migration.c
@@ -376,6 +376,9 @@ exaCreatePixmap(ScreenPtr pScreen, int w, int h, int depth)
     ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);
     ExaScreenPriv(pScreen);
 
+    if (w > 32767 || h > 32767)
+	return NullPixmap;
+    
     if (!pScrn->vtSema || pExaScr->swappedOut) {
         pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);
     } else {