From 5ef366e8eb9f4c309105d23da1b96890bb8aa92d Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Mon, 21 Jan 2008 16:13:21 +0100
Subject: [PATCH] CVE-2007-6429: Always test for size+offset wrapping. (cherry
 picked from commit be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161)

---
 Xext/shm.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Xext/shm.c b/Xext/shm.c
index ed7dc28f4..4a16fb6e4 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -761,10 +761,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
         if (size < width * height)
             return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
@@ -1101,10 +1101,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
 	if (size < width * height)
 	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(