CVE-2008-2360 - RENDER Extension heap buffer overflow
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.
(cherry picked from commit c5f69b297b
)
parent
b251fdd9d9
commit
69b173c699
@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
for (i = 0; i < nglyphs; i++)
{
size_t padded_width;
glyph_new = &glyphs[i];
size = gi[i].height * PixmapBytePad (gi[i].width,
glyphSet->format->depth);
padded_width = PixmapBytePad (gi[i].width,
glyphSet->format->depth);
if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
break;
size = gi[i].height * padded_width;
if (remain < size)
break;
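Review bot: The new guard `padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height` bounds the product by a 32-bit unsigned limit, but the declarations of `size` and `remain` are outside this hunk; if either is a signed `int`, a product above INT_MAX still passes the guard, is narrowed when assigned to `size`, and can defeat the `remain < size` test that follows. It is worth confirming those types and, if they are signed, tightening the limit to `(INT_MAX - sizeof(GlyphRec))`. The guard also deserves a comment explaining the subtraction, for example `/* reject sizes that would overflow the allocation size computed in AllocateGlyph() */`, which matches the commit description. The loop body and whatever runs after `break` lie outside the hunk, so from here it cannot be confirmed that this path ends in an error reply rather than a partially processed request.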