From 1c25e92b9ea5811d8ab9c2bfdc0dcb2e4d21bd0a Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Mon, 10 Oct 2011 17:58:31 +0200
Subject: Imported nxagent-3.2.0-10.tar.gz

Summary: Imported nxagent-3.2.0-10.tar.gz
Keywords:

Imported nxagent-3.2.0-10.tar.gz
into Git repository
---
 nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c')

diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
index e3e4f4b83..a6d638ea7 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c
@@ -967,8 +967,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
-- 
cgit v1.2.3