aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/hw/nxagent
diff options
context:
space:
mode:
Diffstat (limited to 'nx-X11/programs/Xserver/hw/nxagent')
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c4
-rw-r--r--nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c5
2 files changed, 8 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
index 3d9ee8c7f..0ed7277a1 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
-
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
return BadLength;
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
index 922443633..5622f8cee 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c
@@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
/* We're putting the client to sleep. We need to
save some state. Similar problem to that handled
@@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
err = BadAlloc;
goto bail;
}
+ old_closure = c;
*new_closure = *c;
c = new_closure;
@@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
if (!data)
{
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
{
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}
@@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
FreeScratchGC(pGC);
xfree(c->data);
xfree(c);
+ c = old_closure;
err = BadAlloc;
goto bail;
}