Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap

creation, where we could create a far smaller pixmap than we thought,
    allowing changes to arbitrary chunks of memory. (Søren Sandmann
    Pedersen)
Daniel Stone
2005-09-13 01:33:19 +00:00
parent b290884719
commit c3d6799cee
16 changed files with 73 additions and 13 deletions


@@ -36,12 +36,14 @@ PixmapPtr
fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
{
PixmapPtr pPixmap;
int datasize;
int paddedWidth;
size_t datasize;
size_t paddedWidth;
int adjust;
int base;
paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
if (paddedWidth / 4 > 32767 || height > 32767)
return NullPixmap;
datasize = height * paddedWidth;
#ifdef PIXPRIV
base = pScreen->totalPixmapSize;
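Review bot: The added check `if (paddedWidth / 4 > 32767 || height > 32767)` has no lower bound, so a negative `height` passes it and is then converted to a very large `size_t` in `datasize = height * paddedWidth`. The check also runs only after `width * bpp + FB_MASK` has been evaluated in `int`, so changing the locals to `size_t` does not by itself protect that multiplication. If callers do not already guarantee non-negative, bounded dimensions (not visible in this hunk), adding `if (width < 0 || height < 0 || width > 32767) return NullPixmap;` before the `paddedWidth` assignment would cover both cases. The constants `32767` and `4` would also benefit from a one-line comment stating which limit they enforce. The body of `fbCreatePixmapBpp` continues past the end of the hunk, so the later allocation that consumes `datasize` is not reviewed here.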