render: Fix crash in RenderAddGlyphs (#23645)

This patch fixes two bugs: size is calculated as glyph height * padded_width. If the client submits garbage, this may get above INT_MAX, resulting in a negative size if size is unsigned. The sanity checks don't trigger for negative sizes and the server goes and writes into random memory locations. If the client submits glyphs with a width or height 0, the destination pixmap is NULL, causing a null-pointer dereference. Since there's nothing to composite if the width/height is 0, we might as well skip the whole thing anyway. Tested with Xvfb, Xephyr and Xorg. X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 622fc98fd0)
2026-05-03 13:38:06 +02:00 · 2009-10-01 10:03:42 +10:00 · 2009-10-01 10:03:42 +10:00 · 47c0b80915
commit 47c0b80915
parent 30ebee3bfc
1 changed files with 5 additions and 1 deletions
--- a/render/render.c
+++ b/render/render.c
@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
    CARD32	    *gids;
    xGlyphInfo	    *gi;
    CARD8	    *bits;
-    int		    size;
+    unsigned int    size;
    int		    err;
    int		    i, screen;
    PicturePtr	    pSrc = NULL, pDst = NULL;
@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
 		ScreenPtr   pScreen;
 		int	    error;

+		/* Skip work if it's invisibly small anyway */
+		if (!width || !height)
+		    break;
+
 		pScreen = screenInfo.screens[screen];
 		pSrcPix = GetScratchPixmapHeader (pScreen,
 						  width, height,