From c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 Mon Sep 17 00:00:00 2001
From: Daniel Stone
Date: Tue, 13 Sep 2005 01:33:19 +0000
Subject: Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap creation, where we could create a far smaller pixmap than we thought, allowing changes to arbitrary chunks of memory. (Søren Sandmann Pedersen)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 mfb/mfbpixmap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'mfb')
diff --git a/mfb/mfbpixmap.c b/mfb/mfbpixmap.c
index c3d5d5ea6..ad0dfe79f 100644
--- a/mfb/mfbpixmap.c
+++ b/mfb/mfbpixmap.c
@@ -75,12 +75,14 @@ mfbCreatePixmap (pScreen, width, height, depth)
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 if (depth != 1)
 return NullPixmap;
 paddedWidth = BitmapBytePad(width);
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)
-- 
cgit v1.2.3
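Review bot: The added guard `height > 32767` is a signed comparison if `height` is an `int` (its declaration sits above the hunk, presumably alongside `int depth;`), so a negative height passes the check and is then converted to a very large `size_t` in `datasize = height * paddedWidth`, where the product can wrap again. Unless every caller already guarantees non-negative dimensions, the guard should reject it explicitly: `if (paddedWidth / 4 > 32767 || height < 0 || height > 32767)`. The chosen limits also permit a product above INT_MAX, so it is worth confirming that `AllocatePixmap` (its prototype is not shown here) accepts a size type as wide as `size_t` rather than `int`. A one-line comment explaining the 32767 limit and the `/ 4` would help the next reader; the function body continues outside the hunk.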