From c4937bbb697579ceff0e30b17aca409f56e78566 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb
Date: Sun, 8 Jun 2008 11:14:31 -0600
Subject: [PATCH] CVE-2008-2361 - RENDER Extension crash

An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server.
---
 render/render.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/render/render.c b/render/render.c
index caaa2781c..74c5f6387 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1504,6 +1504,8 @@ ProcRenderCreateCursor (ClientPtr client)
 pScreen = pSrc->pDrawable->pScreen;
 width = pSrc->pDrawable->width;
 height = pSrc->pDrawable->height;
+ if (height && width > UINT32_MAX/(height*sizeof(CARD32)))
+ return BadAlloc;
 if ( stuff->x > width || stuff->y > height ) return (BadMatch);
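Review bot: The new guard `if (height && width > UINT32_MAX/(height*sizeof(CARD32)))` depends on `UINT32_MAX`, and the hunk does not show `<stdint.h>` being included in render/render.c; if the file does not already pull it in, the build fails on toolchains that do not define the macro implicitly, so the include should be confirmed or added. The check is also separated from the allocation it protects, which lies outside the hunk (ProcRenderCreateCursor continues past it), so a comment such as `/* width * height * sizeof(CARD32) must fit in 32 bits; the pixel buffer allocated below is sized with that product */` would keep the two from drifting apart. It is worth confirming that the later size expression is evaluated in a type at least as wide as this bound assumes, since the declarations of `width` and `height` are not visible here.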