frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CVE-2007-6429: Always test for size+offset wrapping.

This commit is contained in:
Matthias Hopf 2008-01-21 16:13:21 +01:00
parent 94a21d757c
commit be6c17fcf9
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Xext/shm.c
View File

@ -799,10 +799,10 @@ CreatePmap:
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height) if (size < width * height)
return BadAlloc; return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
} }
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
@ -1144,10 +1144,10 @@ CreatePmap:
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height) if (size < width * height)
return BadAlloc; return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
} }
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(