fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-25 00:10:05 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.

Browse source 
Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8.  If bpp < 8 then we're already
protected from overflow by the width and height checks.
(cherry picked from commit e9fa7c1c88)
This commit is contained in:
Adam Jackson 2008-01-18 14:41:20 -05:00 committed by Julien Cristau
parent 19b95cdd1d
commit b6d4cdf64f
1 changed files with 20 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
Xext/shm.c
View file

@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap(
}
if (width > 32767 || height > 32767)
return BadAlloc;
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
if (stuff->depth != 1)
{
@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
CreatePmap:
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client)
}
if (width > 32767 || height > 32767)
return BadAlloc;
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
if (stuff->depth != 1)
{
@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
CreatePmap:
size = PixmapBytePad(width, depth) * height;
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
/* thankfully, offset is unsigned */
if (stuff->offset + size < size)
return BadAlloc;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,