Fix for CVE-2007-6428 - TOG-cup extension memory corruption.

author: Matthieu Herrb <matthieu@bluenote.herrb.com> 2008-01-17 15:28:03 +0100
committer: Matthieu Herrb <matthieu@bluenote.herrb.com> 2008-01-17 15:28:03 +0100
commit: 7dc1717ff0f96b99271a912b8948dfce5164d5ad (patch)
tree: 1416c78fc5c9f579dc51c8bae97087a1891a7e9e
parent: dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/Xext/cup.c b/Xext/cup.c
index d0e820c41..fd1409e33 100644
--- a/Xext/cup.c
+++ b/Xext/cup.c
@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
 
     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
 
+    if (stuff->screen >= screenInfo.numScreens)
+	return BadValue;
+
 #ifndef HAVE_SPECIAL_DESKTOP_COLORS
     citems[CUP_BLACK_PIXEL].pixel = 
 	screenInfo.screens[stuff->screen]->blackPixel;
author	Matthieu Herrb <matthieu@bluenote.herrb.com>	2008-01-17 15:28:03 +0100
committer	Matthieu Herrb <matthieu@bluenote.herrb.com>	2008-01-17 15:28:03 +0100
commit	7dc1717ff0f96b99271a912b8948dfce5164d5ad (patch)
tree	1416c78fc5c9f579dc51c8bae97087a1891a7e9e
parent	dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 (diff)