[X2Go-Commits] [nx-libs] 26/40: dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
git-admin at x2go.org
git-admin at x2go.org
Sat Jun 20 00:03:28 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x
in repository nx-libs.
commit 2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee
Author: Keith Packard <keithp at keithp.com>
Date: Fri May 1 13:09:24 2015 +0200
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Fix for regression introduced by fix for CVE-2014-8092.
v2: backports to nx-libs 3.6.x (Mike Gabriel)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
Signed-off-by: Keith Packard <keithp at keithp.com>
---
nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
index e5bec8a..0ed7277 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2618,7 +2618,7 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list