author | Peter Hutterer <peter.hutterer@who-t.net> | 2009-10-01 10:03:42 +1000 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2009-10-01 16:27:36 +1000 |
commit | 47c0b80915d67346ec63b36b659a96b77e777a71 (patch) | |
tree | 209864b3061f9b2bef8f5cd13da909147d17a436 | |
parent | 30ebee3bfcadf915be98d407610c615e3e00f9c1 (diff) |

render: Fix crash in RenderAddGlyphs (#23645)

This patch fixes two bugs:

- size is calculated as glyph height * padded_width. If the client submits
  garbage, this may get above INT_MAX, resulting in a negative size if size is
  unsigned. The sanity checks don't trigger for negative sizes and the server
  goes and writes into random memory locations.
- If the client submits glyphs with a width or height 0, the destination
  pixmap is NULL, causing a null-pointer dereference. Since there's nothing to
  composite if the width/height is 0, we might as well skip the whole thing
  anyway.

Tested with Xvfb, Xephyr and Xorg.

X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645>

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 622fc98fd08aba98369e6933c3ab8c9ff85385d5)

-rw-r--r-- | render/render.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/render/render.c b/render/render.c index a3067665e..a32d797a7 100644 --- a/render/render.c +++ b/render/render.c @@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client) CARD32 *gids; xGlyphInfo *gi; CARD8 *bits; - int size; + unsigned int size; int err; int i, screen; PicturePtr pSrc = NULL, pDst = NULL; @@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client) ScreenPtr pScreen; int error; + /* Skip work if it's invisibly small anyway */ + if (!width || !height) + break; + pScreen = screenInfo.screens[screen]; pSrcPix = GetScratchPixmapHeader (pScreen, width, height, |
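Review bot: In the first hunk (@@ -1043,7 +1043,7 @@), changing the declaration to `unsigned int size;` only stops the product from being interpreted as negative; it does not bound it. The multiplication and the sanity checks that consume size are outside the visible lines, so please confirm that a height * padded_width product larger than UINT_MAX cannot wrap to a small value that still passes those checks. An explicit range check on the operands before the multiplication, or computing the product in a wider type and rejecting it when it exceeds the request length, would make the limit visible at the point of use. Also check that every comparison against size now has an unsigned operand on the other side, since the neighbouring variables (`int err;`, `int i, screen;`) are still signed and a mixed comparison would silently convert.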
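Review bot: In the second hunk (@@ -1131,6 +1131,10 @@), the new `if (!width || !height)` guard leaves with `break`, but the enclosing loop or switch is not in the visible context, so it is not clear what is skipped and what still runs afterwards. Please confirm that the code following that construct does not touch the pixmap or picture that was never created for a zero-sized glyph, and that anything allocated earlier in the request is still released on this path. The comment "Skip work if it's invisibly small anyway" describes an optimisation, while the commit message gives a NULL destination pixmap as the reason; saying so in the comment would keep a later cleanup from removing the guard. The hunk is also cut off before any check of the `GetScratchPixmapHeader` result, so it is worth verifying that a NULL `pSrcPix` is handled there for reasons other than zero dimensions.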