From c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniel@fooishbar.org>
Date: Tue, 13 Sep 2005 01:33:19 +0000
Subject: Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap  
   creation, where we could create a far smaller pixmap than we thought,    
 allowing changes to arbitrary chunks of memory. (Søren Sandmann     Pedersen)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 afb/afbpixmap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'afb')

diff --git a/afb/afbpixmap.c b/afb/afbpixmap.c
index a155c101b..c6ae8481c 100644
--- a/afb/afbpixmap.c
+++ b/afb/afbpixmap.c
@@ -77,10 +77,14 @@ afbCreatePixmap(pScreen, width, height, depth)
 	int				depth;
 {
 	PixmapPtr pPixmap;
-	int datasize;
-	int paddedWidth;
+	size_t datasize;
+	size_t paddedWidth;
 
 	paddedWidth = BitmapBytePad(width);
+
+	if (paddedWidth > 32767 || height > 32767 || depth > 4)
+	    return NullPixmap;
+	
 	datasize = height * paddedWidth * depth;
 	pPixmap = AllocatePixmap(pScreen, datasize);
 	if (!pPixmap)
-- 
cgit v1.2.3