From c4e7705d299fcfc058baaa0867e1a1e29d626c6f Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Mon, 10 Oct 2011 17:58:55 +0200
Subject: Imported nxagent-3.2.0-7.tar.gz

Summary: Imported nxagent-3.2.0-7.tar.gz
Keywords:

Imported nxagent-3.2.0-7.tar.gz
into Git repository
---
 nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c')

diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c
index 00c55cde7..de2df855f 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c
@@ -1893,6 +1893,8 @@ ProcRenderCreateCursor (ClientPtr client)
     pScreen = pSrc->pDrawable->pScreen;
     width = pSrc->pDrawable->width;
     height = pSrc->pDrawable->height;
+    if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+	return BadAlloc;
     if ( stuff->x > width 
       || stuff->y > height )
 	return (BadMatch);
@@ -2353,6 +2355,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -2955,18 +2959,18 @@ SProcRenderCreateSolidFill(ClientPtr client)
     return (*ProcRenderVector[stuff->renderReqType]) (client);
 }
 
-static void swapStops(void *stuff, int n)
+static void swapStops(void *stuff, int num)
 {
-    int i;
+    int i, n;
     CARD32 *stops;
     CARD16 *colors;
     stops = (CARD32 *)(stuff);
-    for (i = 0; i < n; ++i) {
+    for (i = 0; i < num; ++i) {
         swapl(stops, n);
         ++stops;
     }
     colors = (CARD16 *)(stops);
-    for (i = 0; i < 4*n; ++i) {
+    for (i = 0; i < 4*num; ++i) {
         swaps(stops, n);
         ++stops;
     }
@@ -2989,6 +2993,8 @@ SProcRenderCreateLinearGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -3016,6 +3022,8 @@ SProcRenderCreateRadialGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
@@ -3040,6 +3048,8 @@ SProcRenderCreateConicalGradient (ClientPtr client)
     swapl(&stuff->nStops, n);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor)))
+	return BadLength;
     if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
-- 
cgit v1.2.3