aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKeith Packard <keithp@keithp.com>2015-01-03 08:46:45 -0800
committerMike DePaulo <mikedep333@gmail.com>2015-05-03 18:39:31 -0400
commit48f4bf187e958a13d57eea3f41eeab7c26c66806 (patch)
tree9da3e2f330d945ba30f49fe1466d46616b57013d
parent071466277c32e4fbc45d6248c3c71378a97f0b34 (diff)
downloadvcxsrv-48f4bf187e958a13d57eea3f41eeab7c26c66806.tar.gz
vcxsrv-48f4bf187e958a13d57eea3f41eeab7c26c66806.tar.bz2
vcxsrv-48f4bf187e958a13d57eea3f41eeab7c26c66806.zip
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418)
The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. v2: backports to VcXsrv 1.15.2.x (Mike DePaulo) Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--xorg-server/dix/dispatch.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c
index 67dbce6e1..304bee768 100644
--- a/xorg-server/dix/dispatch.c
+++ b/xorg-server/dix/dispatch.c
@@ -2002,7 +2002,7 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +