From 01e30d2043f5df104947908f14a377dc77896a98 Mon Sep 17 00:00:00 2001
From: Eric Anholt <eric@anholt.net>
Date: Mon, 6 Jan 2014 06:55:15 +0800
Subject: [PATCH] glamor: Fix some integer overflow errors.

Imagine a nbox that was (UINT_MAX + small number) / (4 * 2 *
sizeof(float)).  We'd malloc a few bytes after the integer overflow,
but glamor_set_normalize_vcoords would write over gigabytes of heap.

Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Markus Wick <markus@selfnet.de>
---
 glamor/glamor_fill.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/glamor/glamor_fill.c b/glamor/glamor_fill.c
index aaa778300..d5843b7f5 100644
--- a/glamor/glamor_fill.c
+++ b/glamor/glamor_fill.c
@@ -200,10 +200,10 @@ _glamor_solid_boxes(PixmapPtr pixmap, BoxPtr box, int nbox, float *color)
 
     pixmap_priv_get_dest_scale(pixmap_priv, &xscale, &yscale);
 
-    if (nbox * 4 * 2 > ARRAY_SIZE(vertices)) {
+    if (nbox > valid_nbox) {
         int allocated_box;
 
-        if (nbox * 6 > GLAMOR_COMPOSITE_VBO_VERT_CNT) {
+        if (nbox > GLAMOR_COMPOSITE_VBO_VERT_CNT / 6) {
             allocated_box = GLAMOR_COMPOSITE_VBO_VERT_CNT / 6;
         }
         else