aboutsummaryrefslogtreecommitdiff
path: root/xorg-server/include/regionstr.h
diff options
context:
space:
mode:
authorMike DePaulo <mikedep333@gmail.com>2015-01-10 12:03:47 -0500
committerMike DePaulo <mikedep333@gmail.com>2015-01-10 12:06:49 -0500
commit7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch)
treef2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/include/regionstr.h
parent212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff)
downloadvcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz
vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2
vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/include/regionstr.h')
-rw-r--r--xorg-server/include/regionstr.h12
1 files changed, 8 insertions, 4 deletions
diff --git a/xorg-server/include/regionstr.h b/xorg-server/include/regionstr.h
index 4a0725d62..079375d33 100644
--- a/xorg-server/include/regionstr.h
+++ b/xorg-server/include/regionstr.h
@@ -125,9 +125,12 @@ RegionEnd(RegionPtr reg)
}
static inline size_t
-RegionSizeof(int n)
+RegionSizeof(size_t n)
{
- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ else
+ return 0;
}
static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
(_pReg)->data = (RegDataPtr) NULL;
}
else {
+ size_t rgnSize;
(_pReg)->extents = RegionEmptyBox;
- if (((_size) > 1) && ((_pReg)->data =
- (RegDataPtr) malloc(RegionSizeof(_size)))) {
+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
(_pReg)->data->size = (_size);
(_pReg)->data->numRects = 0;
}