From c4e7705d299fcfc058baaa0867e1a1e29d626c6f Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Mon, 10 Oct 2011 17:58:55 +0200
Subject: Imported nxagent-3.2.0-7.tar.gz

Summary: Imported nxagent-3.2.0-7.tar.gz
Keywords:

Imported nxagent-3.2.0-7.tar.gz
into Git repository
---
 nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original')

diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
index e2cf8cd24..f25bb9b5d 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original
@@ -863,8 +863,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
-- 
cgit v1.2.3