This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch release/1.15.2.x in repository vcxsrv. commit 48f4bf187e958a13d57eea3f41eeab7c26c66806 Author: Keith Packard <keithp@keithp.com> Date: Sat Jan 3 08:46:45 2015 -0800 dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418) The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. v2: backports to VcXsrv 1.15.2.x (Mike DePaulo) Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- xorg-server/dix/dispatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c index 67dbce6..304bee7 100644 --- a/xorg-server/dix/dispatch.c +++ b/xorg-server/dix/dispatch.c @@ -2002,7 +2002,7 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; - if (lengthProto >= (INT32_MAX / stuff->height)) + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength; if ((bytes_to_int32(lengthProto * stuff->height) + -- Alioth's /srv/git/code.x2go.org/vcxsrv.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/vcxsrv.git