622fc98fd0
This patch fixes two bugs: size is calculated as glyph height * padded_width. If the client submits garbage, this may get above INT_MAX, resulting in a negative size if size is unsigned. The sanity checks don't trigger for negative sizes and the server goes and writes into random memory locations. If the client submits glyphs with a width or height 0, the destination pixmap is NULL, causing a null-pointer dereference. Since there's nothing to composite if the width/height is 0, we might as well skip the whole thing anyway. Tested with Xvfb, Xephyr and Xorg. X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com> |
||
---|---|---|
.. | ||
animcur.c | ||
filter.c | ||
glyph.c | ||
glyphstr.h | ||
Makefile.am | ||
matrix.c | ||
miindex.c | ||
mipict.c | ||
mipict.h | ||
mirect.c | ||
mitrap.c | ||
mitri.c | ||
picture.c | ||
picture.h | ||
picturestr.h | ||
render.c | ||
renderedge.c | ||
renderedge.h |