aboutsummaryrefslogtreecommitdiff
path: root/nx-X11
diff options
context:
space:
mode:
authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-05-31 16:50:39 +0200
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-05-31 16:50:39 +0200
commit11b26436b477b51a1b07e333d2223169f7987d49 (patch)
tree2cb2bdf1ab43845f0c6c3f8fbb8e916e4e76dbf5 /nx-X11
parent4ed85e8ef572130d7862b155d3ee9c1e52743230 (diff)
parent2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee (diff)
downloadnx-libs-11b26436b477b51a1b07e333d2223169f7987d49.tar.gz
nx-libs-11b26436b477b51a1b07e333d2223169f7987d49.tar.bz2
nx-libs-11b26436b477b51a1b07e333d2223169f7987d49.zip
Merge pull request #45 from ArcticaProject/pr/dix-cve-fixes
DIX CVE fixes in nx-X11/programs/Xserver/hw/nxagent/ rather than nx-X11/programs/Xserver/dix/.
Diffstat (limited to 'nx-X11')
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c4
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c5
2 files changed, 8 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
index 3d9ee8c7f..0ed7277a1 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
-
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
return BadLength;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
index 922443633..5622f8cee 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
@@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
@@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
if (!data)
{
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
{
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
FreeScratchGC(pGC);
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}