aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKeith Packard <keithp@keithp.com>2015-05-01 13:09:24 +0200
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-05-01 13:17:03 +0200
commitdba779d9f99ab2fc6bf05c78515dbdd82840cadd (patch)
treef962041d8bb5b2bc956ecb673dd434c60aebbb95
parent7ccbb073f83b7aa8d0f154b34693b1075e455bd8 (diff)
downloadnx-libs-dba779d9f99ab2fc6bf05c78515dbdd82840cadd.tar.gz
nx-libs-dba779d9f99ab2fc6bf05c78515dbdd82840cadd.tar.bz2
nx-libs-dba779d9f99ab2fc6bf05c78515dbdd82840cadd.zip
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) Signed-off-by: Keith Packard <keithp@keithp.com>
-rw-r--r--nx-X11/programs/Xserver/dix/dispatch.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
index 5ad2f5af2..ab1064051 100644
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +