CVE-2007-6429: Always test for size+offset wrapping.
This commit is contained in:
parent
bcbfd619f8
commit
44f46bfb98
12
Xext/shm.c
12
Xext/shm.c
|
@ -753,10 +753,10 @@ CreatePmap:
|
|||
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
|
||||
if (size < width * height)
|
||||
return BadAlloc;
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
}
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
|
||||
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
|
||||
|
||||
|
@ -1098,10 +1098,10 @@ CreatePmap:
|
|||
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
|
||||
if (size < width * height)
|
||||
return BadAlloc;
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
}
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
|
||||
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
|
||||
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
|
||||
|
|
Loading…
Reference in New Issue
Block a user