From c5f69b297b1227cb802394fa90efdbe1de607f3c Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Tue, 10 Jun 2008 12:21:26 -0600
Subject: [PATCH] CVE-2008-2360 - RENDER Extension heap buffer overflow

An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow.
---
 render/render.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/render/render.c b/render/render.c
index f03f54a2b..16b8eb3c3 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
 remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
 for (i = 0; i < nglyphs; i++)
 {
+ size_t padded_width;
 glyph_new = &glyphs[i];
- size = gi[i].height * PixmapBytePad (gi[i].width, glyphSet->format->depth);
+
+ padded_width = PixmapBytePad (gi[i].width, glyphSet->format->depth);
+
+ if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
+ break;
+
+ size = gi[i].height * padded_width;
 if (remain < size)
 break;