author | Keith Packard <keithp@keithp.com> | 2015-01-03 08:46:45 -0800 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-05-03 18:39:31 -0400 |
commit | 48f4bf187e958a13d57eea3f41eeab7c26c66806 (patch) | |
tree | 9da3e2f330d945ba30f49fe1466d46616b57013d | |
parent | 071466277c32e4fbc45d6248c3c71378a97f0b34 (diff) | |
download | vcxsrv-48f4bf187e958a13d57eea3f41eeab7c26c66806.tar.gz vcxsrv-48f4bf187e958a13d57eea3f41eeab7c26c66806.tar.bz2 vcxsrv-48f4bf187e958a13d57eea3f41eeab7c26c66806.zip |
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418)
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
v2: backports to VcXsrv 1.15.2.x (Mike DePaulo)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | xorg-server/dix/dispatch.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c index 67dbce6e1..304bee768 100644 --- a/xorg-server/dix/dispatch.c +++ b/xorg-server/dix/dispatch.c @@ -2002,7 +2002,7 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +
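Review bot: The new stuff->height != 0 guard in front of lengthProto >= (INT32_MAX / stuff->height) carries no comment saying why a zero height may skip the overflow test. A one-line comment would help here: the division traps when height is zero, and in that case the product lengthProto * stuff->height on the following line is 0, so it cannot overflow and the request-length comparison still runs. That would keep a later cleanup from dropping the guard or from moving the multiplication ahead of it. Separately, the commit message says the code makes sure that byte-width >= INT32_MAX / height, while the visible condition returns BadLength in exactly that case; the description should be reworded to match the code. A regression test that sends a PutImage request with height 0 and checks that it is neither rejected by this branch nor crashes the server would be a useful addition to this fix.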