diff options
Diffstat (limited to 'nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c')
-rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c index 00c55cde7..de2df855f 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c @@ -1893,6 +1893,8 @@ ProcRenderCreateCursor (ClientPtr client) pScreen = pSrc->pDrawable->pScreen; width = pSrc->pDrawable->width; height = pSrc->pDrawable->height; + if (height && width > UINT32_MAX/(height*sizeof(CARD32))) + return BadAlloc; if ( stuff->x > width || stuff->y > height ) return (BadMatch); @@ -2353,6 +2355,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -2955,18 +2959,18 @@ SProcRenderCreateSolidFill(ClientPtr client) return (*ProcRenderVector[stuff->renderReqType]) (client); } -static void swapStops(void *stuff, int n) +static void swapStops(void *stuff, int num) { - int i; + int i, n; CARD32 *stops; CARD16 *colors; stops = (CARD32 *)(stuff); - for (i = 0; i < n; ++i) { + for (i = 0; i < num; ++i) { swapl(stops, n); ++stops; } colors = (CARD16 *)(stops); - for (i = 0; i < 4*n; ++i) { + for (i = 0; i < 4*num; ++i) { swaps(stops, n); ++stops; } @@ -2989,6 +2993,8 @@ SProcRenderCreateLinearGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -3016,6 +3022,8 @@ SProcRenderCreateRadialGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -3040,6 +3048,8 @@ SProcRenderCreateConicalGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; |