SwallowOS/xserver_xsdl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

CVE-2008-2360 - RENDER Extension heap buffer overflow

Browse Source 
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to later heap
overflow.
This commit is contained in:
Matthieu Herrb
2008-06-10 12:21:26 -06:00
committed by Matthieu Herrb
parent 063f18ef6d
commit c5f69b297b
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
render/render.c
View File

@@ -1117,9 +1117,16 @@ ProcRenderAddGlyphs (ClientPtr client)
remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs; remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
for (i = 0; i < nglyphs; i++) for (i = 0; i < nglyphs; i++)
{ {
size_t padded_width;
glyph_new = &glyphs[i]; glyph_new = &glyphs[i];
size = gi[i].height * PixmapBytePad (gi[i].width,
glyphSet->format->depth); padded_width = PixmapBytePad (gi[i].width,
glyphSet->format->depth);
if (gi[i].height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi[i].height)
break;
size = gi[i].height * padded_width;
if (remain < size) if (remain < size)
break; break;