[X2Go-Commits] [vcxsrv] 01/05: dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418)
git-admin at x2go.org
git-admin at x2go.org
Mon May 4 04:57:17 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch release/1.15.2.x
in repository vcxsrv.
commit 48f4bf187e958a13d57eea3f41eeab7c26c66806
Author: Keith Packard <keithp at keithp.com>
Date: Sat Jan 3 08:46:45 2015 -0800
dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418)
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
v2: backports to VcXsrv 1.15.2.x (Mike DePaulo)
Signed-off-by: Keith Packard <keithp at keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
xorg-server/dix/dispatch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c
index 67dbce6..304bee7 100644
--- a/xorg-server/dix/dispatch.c
+++ b/xorg-server/dix/dispatch.c
@@ -2002,7 +2002,7 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +
--
Alioth's /srv/git/code.x2go.org/vcxsrv.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/vcxsrv.git
More information about the x2go-commits
mailing list