CVE-2007-6429: Always test for size+offset wrapping.
(cherry picked from commit be6c17fcf9
)
This commit is contained in:
parent
514c622618
commit
5ef366e8eb
12
Xext/shm.c
12
Xext/shm.c
|
@ -761,10 +761,10 @@ CreatePmap:
|
|||
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
|
||||
if (size < width * height)
|
||||
return BadAlloc;
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
}
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
|
||||
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
|
||||
|
||||
|
@ -1101,10 +1101,10 @@ CreatePmap:
|
|||
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
|
||||
if (size < width * height)
|
||||
return BadAlloc;
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
}
|
||||
/* thankfully, offset is unsigned */
|
||||
if (stuff->offset + size < size)
|
||||
return BadAlloc;
|
||||
|
||||
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
|
||||
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
|
||||
|
|
Loading…
Reference in New Issue
Block a user