fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-20 07:00:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

CVE-2008-2360 - RENDER Extension heap buffer overflow

Browse source 
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.

On systems where the X  SIGSEGV handler includes a stack trace, more
malloc()-type functions are called, which may lead to other
exploitable issues.
(cherry picked from commit b1a4a96885)
This commit is contained in:
Matthieu Herrb 2008-06-08 11:13:47 -06:00 committed by Jeremy Huddleston
parent 6d0a0a637f
commit f912b5ccd3
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
render/glyph.c
View file

@ -42,6 +42,12 @@
#include "picturestr.h" #include "picturestr.h"
#include "glyphstr.h" #include "glyphstr.h"
#if HAVE_STDINT_H
#include <stdint.h>
#elif !defined(UINT32_MAX)
#define UINT32_MAX 0xffffffffU
#endif
/* /*
* From Knuth -- a good choice for hash/rehash values is p, p-2 where * From Knuth -- a good choice for hash/rehash values is p, p-2 where
* p and p-2 are both prime. These tables are sized to have an extra 10% * p and p-2 are both prime. These tables are sized to have an extra 10%
@ -626,8 +632,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
int size; int size;
GlyphPtr glyph; GlyphPtr glyph;
int i; int i;
size_t padded_width;
size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
return 0;
size = gi->height * padded_width;
glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
if (!glyph) if (!glyph)
return 0; return 0;