CVE-2008-2362 - RENDER Extension memory corruption
Integer overflows can occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters.
parent
c4937bbb69
commit
702e709973
|
@ -1920,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
|
||||||
LEGAL_NEW_RESOURCE(stuff->pid, client);
|
LEGAL_NEW_RESOURCE(stuff->pid, client);
|
||||||
|
|
||||||
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
|
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
|
||||||
|
if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
|
return BadLength;
|
||||||
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
|
|
||||||
|
@ -2493,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
|
||||||
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
return (*ProcRenderVector[stuff->renderReqType]) (client);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void swapStops(void *stuff, int n)
|
static void swapStops(void *stuff, int num)
|
||||||
{
|
{
|
||||||
int i;
|
int i, n;
|
||||||
CARD32 *stops;
|
CARD32 *stops;
|
||||||
CARD16 *colors;
|
CARD16 *colors;
|
||||||
stops = (CARD32 *)(stuff);
|
stops = (CARD32 *)(stuff);
|
||||||
for (i = 0; i < n; ++i) {
|
for (i = 0; i < num; ++i) {
|
||||||
swapl(stops, n);
|
swapl(stops, n);
|
||||||
++stops;
|
++stops;
|
||||||
}
|
}
|
||||||
colors = (CARD16 *)(stops);
|
colors = (CARD16 *)(stops);
|
||||||
for (i = 0; i < 4*n; ++i) {
|
for (i = 0; i < 4*num; ++i) {
|
||||||
swaps(stops, n);
|
swaps(stops, n);
|
||||||
++stops;
|
++stops;
|
||||||
}
|
}
|
||||||
|
@ -2527,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
|
||||||
swapl(&stuff->nStops, n);
|
swapl(&stuff->nStops, n);
|
||||||
|
|
||||||
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
|
len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
|
||||||
|
if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
|
return BadLength;
|
||||||
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
|
|
||||||
|
@ -2554,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
|
||||||
swapl(&stuff->nStops, n);
|
swapl(&stuff->nStops, n);
|
||||||
|
|
||||||
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
|
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
|
||||||
|
if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
|
return BadLength;
|
||||||
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
|
|
||||||
|
@ -2578,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
|
||||||
swapl(&stuff->nStops, n);
|
swapl(&stuff->nStops, n);
|
||||||
|
|
||||||
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
|
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
|
||||||
|
if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
|
return BadLength;
|
||||||
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
|
||||||
return BadLength;
|
return BadLength;
|
||||||
|
|
||||||
|
|
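Review bot: In swapStops the colour loop still calls `swaps(stops, n)` and advances `stops`, so the `colors` pointer assigned just above it is never used. The loop steps a CARD32 pointer 4*num times and therefore touches about twice the bytes the colour data should occupy, which is the same out-of-request swapping this commit sets out to prevent. The loop body should read `swaps(colors, n);` and `++colors;`. `num` is also an `int` fed from the CARD32 `nStops`, so `4*num` can overflow for large counts unless every caller has bounded it first; the swapStops call sites are outside the visible hunks, so that needs confirming. The new `UINT32_MAX` guard is shown for ProcRenderCreateLinearGradient, but no hunk adds it to the non-swapped radial and conical handlers, which presumably do the same multiplication.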