From 81806c01112bc504d96d79f969f229e27625344f Mon Sep 17 00:00:00 2001
From: Uli Schlachter
Date: Wed, 13 Jan 2021 16:36:33 +0100
Subject: [PATCH] cairo-xlib: Check for maximum surface size

X11 use uint16_t for the width/height of things. Anything too large will be truncated when sending the request to the X11 server. This commit adds a size check to a function that did not check things and then later caused a segmentation fault. Not adding a test case because the test case from the below bug report allocates 3,5 GiB of memory, which I find too much for a test.

Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/414
Signed-off-by: Uli Schlachter
---
 src/cairo-xlib-private.h | 2 ++
 src/cairo-xlib-surface-shm.c | 3 +++
 src/cairo-xlib-surface.c | 2 --
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/cairo-xlib-private.h b/src/cairo-xlib-private.h
index 71dccc3a7..8e338aea6 100644
--- a/src/cairo-xlib-private.h
+++ b/src/cairo-xlib-private.h
@@ -65,6 +65,8 @@ typedef struct _cairo_xlib_surface cairo_xlib_surface_t;
 #define RAMP_SIZE 16
 /* maximum number of cached GC's */
 #define GC_CACHE_SIZE 4
+/* maximum width/height of an X11 drawable */
+#define XLIB_COORD_MAX 32767
 
 struct _cairo_xlib_display {
 cairo_device_t base;
diff --git a/src/cairo-xlib-surface-shm.c b/src/cairo-xlib-surface-shm.c
index 1ee1e3d70..ccdaf4cbc 100644
--- a/src/cairo-xlib-surface-shm.c
+++ b/src/cairo-xlib-surface-shm.c
@@ -809,6 +809,9 @@ _cairo_xlib_shm_surface_create (cairo_xlib_surface_t *other,
 pixman_image_t *image;
 int stride, size;
 
+ if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX)
+ return NULL;
+
 stride = CAIRO_STRIDE_FOR_WIDTH_BPP (width, PIXMAN_FORMAT_BPP(format));
 size = stride * height;
 if (size < MIN_SIZE)
diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
index 2a6d896d3..7d368a8ba 100644
--- a/src/cairo-xlib-surface.c
+++ b/src/cairo-xlib-surface.c
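Review bot: The new comment on XLIB_COORD_MAX in cairo-xlib-private.h says only "maximum width/height of an X11 drawable", while the commit message attributes the limit to uint16_t, whose maximum is 65535, so a reader is left wondering why the value is 32767. If the rationale is, as the value suggests, that the protocol's coordinates are signed 16-bit (INT16_MAX) so that anything larger cannot be positioned or clipped, the comment should say so, e.g. `/* maximum width/height of an X11 drawable: protocol coordinates are signed 16-bit (INT16_MAX) */`. Spelling this out ties the constant to the truncation described in the commit message and discourages a later "correction" to 65535.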
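Review bot: The added bound in _cairo_xlib_shm_surface_create does not remove the overflow in `size = stride * height;` three lines below, because both operands are still `int`: with width and height just under XLIB_COORD_MAX and a 32-bpp format, stride is presumably about 131068 bytes (assuming CAIRO_STRIDE_FOR_WIDTH_BPP yields roughly width*bpp/8), and 131068 * 32767 exceeds INT_MAX, which is undefined behaviour in C and, if it wraps negative, lets the following `size < MIN_SIZE` test treat a huge image as a small one (what that branch then does lies outside the hunk). Guard the product before it is formed, right after stride is computed: `if (height != 0 && stride > INT_MAX / height) return NULL;` (INT_MAX from <limits.h>, if the file does not already include it). The types of width and height are in the function signature, which starts outside the hunk; if they are signed, negative values also pass the new check and should be rejected in the same condition, e.g. `width < 0 || height < 0`. The function body continues past the end of the hunk.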
@@ -72,8 +72,6 @@
 #include
 #include
 
-#define XLIB_COORD_MAX 32767
-
 #define DEBUG 0
 
 #if DEBUG