frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps. 

Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8.  If bpp < 8 then we're already
protected from overflow by the width and height checks.
This commit is contained in:
Adam Jackson 2008-01-18 14:41:20 -05:00
parent 23f3f0e27d
commit e9fa7c1c88
1 changed files with 20 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Xext/shm.c
View File

@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap(
} }
if (width > 32767 || height > 32767) if (width > 32767 || height > 32767)
return BadAlloc; return BadAlloc;
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
if (stuff->depth != 1) if (stuff->depth != 1)
{ {
@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth; client->errorValue = stuff->depth;
return BadValue; return BadValue;
} }
CreatePmap: CreatePmap:
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes)))) if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client)
} }
if (width > 32767 || height > 32767) if (width > 32767 || height > 32767)
return BadAlloc; return BadAlloc;
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
if (stuff->depth != 1) if (stuff->depth != 1)
{ {
@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth; client->errorValue = stuff->depth;
return BadValue; return BadValue;
} }
CreatePmap: CreatePmap:
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width, pDraw->pScreen, stuff->width,