diff options
Diffstat (limited to 'render')
-rw-r--r-- | render/render.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c index ef233e498..00241f9af 100644 --- a/render/render.c +++ b/render/render.c @@ -1077,6 +1077,14 @@ ProcRenderAddGlyphs (ClientPtr client) gi = (xGlyphInfo *) (gids + nglyphs); bits = (CARD8 *) (gi + nglyphs); remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs; + + /* protect against bad nglyphs */ + if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) || + bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) { + err = BadLength; + goto bail; + } + for (i = 0; i < nglyphs; i++) { size_t padded_width; |