render: Fix crash in RenderAddGlyphs (#23645)
This patch fixes two bugs: size is calculated as glyph height * padded_width. If the client submits garbage, this may get above INT_MAX, resulting in a negative size if size is unsigned. The sanity checks don't trigger for negative sizes and the server goes and writes into random memory locations. If the client submits glyphs with a width or height 0, the destination pixmap is NULL, causing a null-pointer dereference. Since there's nothing to composite if the width/height is 0, we might as well skip the whole thing anyway. Tested with Xvfb, Xephyr and Xorg. X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com>
parent
758ab55d2d
commit
622fc98fd0
|
@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
|
||||||
CARD32 *gids;
|
CARD32 *gids;
|
||||||
xGlyphInfo *gi;
|
xGlyphInfo *gi;
|
||||||
CARD8 *bits;
|
CARD8 *bits;
|
||||||
int size;
|
unsigned int size;
|
||||||
int err;
|
int err;
|
||||||
int i, screen;
|
int i, screen;
|
||||||
PicturePtr pSrc = NULL, pDst = NULL;
|
PicturePtr pSrc = NULL, pDst = NULL;
|
||||||
|
@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
|
||||||
ScreenPtr pScreen;
|
ScreenPtr pScreen;
|
||||||
int error;
|
int error;
|
||||||
|
|
||||||
|
/* Skip work if it's invisibly small anyway */
|
||||||
|
if (!width || !height)
|
||||||
|
break;
|
||||||
|
|
||||||
pScreen = screenInfo.screens[screen];
|
pScreen = screenInfo.screens[screen];
|
||||||
pSrcPix = GetScratchPixmapHeader (pScreen,
|
pSrcPix = GetScratchPixmapHeader (pScreen,
|
||||||
width, height,
|
width, height,
|
||||||
|
|
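Review bot: Declaring `size` as `unsigned int` in the first hunk keeps the value from going negative, but on its own it does not stop the product from wrapping. The multiplication the description refers to (glyph height * padded width) is outside the hunk; if its operands are still int-typed, the overflow happens in signed arithmetic before the assignment, and a wrapped result could be small enough to pass the remaining-request-length check. I would bound the operands before multiplying, along the lines of `if (height != 0 && padded_width > remain / height) /* reject the request */`, where the names are placeholders for whatever the surrounding code uses. ProcRenderAddGlyphs starts and ends outside both hunks, so this should be confirmed against the full function.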