dix: Allow zero-height PutImage requests
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit dc777c346d
)
Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
parent
16f157cbf6
commit
f39ac527ba
|
@ -1956,7 +1956,7 @@ ProcPutImage(ClientPtr client)
|
|||
tmpImage = (char *) &stuff[1];
|
||||
lengthProto = length;
|
||||
|
||||
if (lengthProto >= (INT32_MAX / stuff->height))
|
||||
if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
|
||||
return BadLength;
|
||||
|
||||
if ((bytes_to_int32(lengthProto * stuff->height) +
|
||||
|
|
Loading…
Reference in New Issue