From 48f4bf187e958a13d57eea3f41eeab7c26c66806 Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Sat, 3 Jan 2015 08:46:45 -0800
Subject: dix: Allow zero-height PutImage requests (fix for X.Org's
 CVE-2015-3418)

The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.

v2: backports to VcXsrv 1.15.2.x (Mike DePaulo)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 xorg-server/dix/dispatch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'xorg-server/dix/dispatch.c')

diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c
index 67dbce6e1..304bee768 100644
--- a/xorg-server/dix/dispatch.c
+++ b/xorg-server/dix/dispatch.c
@@ -2002,7 +2002,7 @@ ProcPutImage(ClientPtr client)
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
-    if (lengthProto >= (INT32_MAX / stuff->height))
+    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
         return BadLength;
 
     if ((bytes_to_int32(lengthProto * stuff->height) +
-- 
cgit v1.2.3