CVE-2008-2360 - RENDER Extension heap buffer overflow

An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow.
2008-06-10 12:21:26 -06:00 · 2008-06-10 12:21:26 -06:00 · c5f69b297b
parent 063f18ef6d
commit c5f69b297b
1 changed files with 9 additions and 2 deletions
--- a/render/render.c
+++ b/render/render.c
@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
    remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
    for (i = 0; i < nglyphs; i++)
    {
+	size_t padded_width;
 	glyph_new = &glyphs[i];
-	size = gi[i].height * PixmapBytePad (gi[i].width,
-					     glyphSet->format->depth);
+
+	padded_width = PixmapBytePad (gi[i].width,
+				      glyphSet->format->depth);
+
+	if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
+	    break;
+	
+	size = gi[i].height * padded_width;
 	if (remain < size)
 	    break;