From 4f6c97b1d78e2ab5857560a5af9b47ed8790978a Mon Sep 17 00:00:00 2001
From: marha <marha@users.sourceforge.net>
Date: Fri, 20 Aug 2010 17:34:23 +0000
Subject: xserver git update 20/8/2010

---
 xorg-server/render/render.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'xorg-server/render')

diff --git a/xorg-server/render/render.c b/xorg-server/render/render.c
index cbd70cc7e..623d5db33 100644
--- a/xorg-server/render/render.c
+++ b/xorg-server/render/render.c
@@ -1077,6 +1077,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     gi = (xGlyphInfo *) (gids + nglyphs);
     bits = (CARD8 *) (gi + nglyphs);
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+    /* protect against bad nglyphs */
+    if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+        bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+        err = BadLength;
+        goto bail;
+    }
+
     for (i = 0; i < nglyphs; i++)
     {
 	size_t padded_width;
-- 
cgit v1.2.3