render: Fix crash in RenderAddGlyphs (#23645)
This patch fixes two bugs: size is calculated as glyph height * padded_width. If the client submits garbage, this may get above INT_MAX, resulting in a negative size if size is unsigned. The sanity checks don't trigger for negative sizes and the server goes and writes into random memory locations. If the client submits glyphs with a width or height 0, the destination pixmap is NULL, causing a null-pointer dereference. Since there's nothing to composite if the width/height is 0, we might as well skip the whole thing anyway. Tested with Xvfb, Xephyr and Xorg. X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com>
This commit is contained in:
parent
758ab55d2d
commit
622fc98fd0
|
@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
|
|||
CARD32 *gids;
|
||||
xGlyphInfo *gi;
|
||||
CARD8 *bits;
|
||||
int size;
|
||||
unsigned int size;
|
||||
int err;
|
||||
int i, screen;
|
||||
PicturePtr pSrc = NULL, pDst = NULL;
|
||||
|
@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
|
|||
ScreenPtr pScreen;
|
||||
int error;
|
||||
|
||||
/* Skip work if it's invisibly small anyway */
|
||||
if (!width || !height)
|
||||
break;
|
||||
|
||||
pScreen = screenInfo.screens[screen];
|
||||
pSrcPix = GetScratchPixmapHeader (pScreen,
|
||||
width, height,
|
||||
|
|
Loading…
Reference in New Issue