blob: e0bb006945389c30118e27d062d2a73f7772c1d0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd
Author: Keith Packard <keithp@keithp.com>
Date: Fri May 1 13:09:24 2015 +0200
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Fix for regression introduced by fix for CVE-2014-8092.
v2: backports to nx-libs 3.6.x (Mike Gabriel)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)
Signed-off-by: Keith Packard <keithp@keithp.com>
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2630,7 +2630,7 @@ ProcPutImage(client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
|