render: Fix out of boundary heap access
ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be successfully exploited on a 32 bit system for an out of boundary read later on. Validated by using ASAN. Reviewed-by: Adam Jackson <ajax@redhat.com>
This commit is contained in:
parent
0c1574d988
commit
ac15d4cecc
|
@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
|
|||
LEGAL_NEW_RESOURCE(stuff->pid, client);
|
||||
|
||||
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
|
||||
if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
|
||||
return BadLength;
|
||||
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
|
||||
return BadLength;
|
||||
|
||||
|
@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
|
|||
LEGAL_NEW_RESOURCE(stuff->pid, client);
|
||||
|
||||
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
|
||||
if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
|
||||
return BadLength;
|
||||
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
|
||||
return BadLength;
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user