From 2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Fri, 1 May 2015 13:09:24 +0200
Subject: dix: Allow zero-height PutImage requests (fix for X.Org's
 CVE-2015-3418).

 The length checking code validates PutImage height and byte width by
 making sure that byte-width >= INT32_MAX / height. If height is zero,
 this generates a divide by zero exception. Allow zero height requests
 explicitly, bypassing the INT32_MAX check.

 Fix for regression introduced by fix for CVE-2014-8092.

 v2: backports to nx-libs 3.6.x (Mike Gabriel)
 v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)

 Signed-off-by: Keith Packard <keithp@keithp.com>
---
 nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
index e5bec8aba..0ed7277a1 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2618,7 +2618,7 @@ ProcPutImage(register ClientPtr client)
 
     tmpImage = (char *)&stuff[1];
     lengthProto = length;
-    if (lengthProto >= (INT32_MAX / stuff->height))
+    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
         return BadLength;
 
     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
-- 
cgit v1.2.3