diff options
author | Keith Packard <keithp@keithp.com> | 2015-05-01 13:09:24 +0200 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-05-30 22:03:55 -0400 |
commit | 2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee (patch) | |
tree | 2cb2bdf1ab43845f0c6c3f8fbb8e916e4e76dbf5 /nx-X11/programs/Xserver/hw | |
parent | 8623faa422c3659903bdb5d19eb8947579e6141f (diff) | |
download | nx-libs-2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee.tar.gz nx-libs-2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee.tar.bz2 nx-libs-2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee.zip |
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).pr/dix-cve-fixes
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Fix for regression introduced by fix for CVE-2014-8092.
v2: backports to nx-libs 3.6.x (Mike Gabriel)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
Signed-off-by: Keith Packard <keithp@keithp.com>
Diffstat (limited to 'nx-X11/programs/Xserver/hw')
-rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index e5bec8aba..0ed7277a1 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -2618,7 +2618,7 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - if (lengthProto >= (INT32_MAX / stuff->height)) + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength; if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + |