authorTobias Stoeckmann <tobias@stoeckmann.org>2017-03-13 19:13:14 +0100
committerAdam Jackson <ajax@redhat.com>2017-03-15 13:27:11 -0400
commit7c4fab2f1f411b6f7d7adc76271fca7c29365ac4 (patch)
tree6a1813b86435b008b3fbaa5b4b236e8eab2dfd33 /render
parentfbb46e0be897ffe78b731a2456673b4cbb73b2be (diff)
render: Fix out of boundary heap access
ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during the length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be exploited on a 32-bit system, where it leads to an out-of-bounds read later on. Validated by using ASAN. Reviewed-by: Adam Jackson <ajax@redhat.com> (cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2)
Diffstat (limited to 'render')
-rw-r--r--render/render.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index b9a932ee3..bfacaa0d0 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+ if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
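Review bot: The new guard has no comment explaining its bound, and `UINT32_MAX` only reads as the right limit once one knows that the multiplication in the following `len !=` check is done in size_t and wraps on 32-bit builds, while a 64-bit build never overflows (as the commit message notes); a future maintainer may otherwise "fix" it to SIZE_MAX or drop it as redundant with the exact-length check. I would add above the guard: `/* The nStops * (sizeof(xFixed) + sizeof(xRenderColor)) product below is size_t and wraps on 32-bit builds; reject counts that would overflow before the exact-length check. */`. The body of ProcRenderCreateRadialGradient begins before and continues after this hunk, so the REQUEST size checks that keep `len` non-negative are not visible here.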
@@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+ if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
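Review bot: Style: the stop size `sizeof(xFixed) + sizeof(xRenderColor)` is spelled out twice in this hunk and twice in the radial hunk, and per the commit message the same two-line guard already lives in ProcRenderCreateLinearGradient, so three copies now have to stay in lockstep whenever the stop layout or the bound changes. Assuming render.c or the render headers do not already name it, a single constant such as `#define RENDER_STOP_SIZE (sizeof(xFixed) + sizeof(xRenderColor))` used as `if (stuff->nStops > UINT32_MAX / RENDER_STOP_SIZE) return BadLength;` and in the `len !=` comparison would make the three checks identical by construction. ProcRenderCreateConicalGradient begins before and continues after this hunk.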