This patch fixes two bugs:
size is calculated as glyph height * padded_width. If the client submits
garbage, this may get above INT_MAX, resulting in a negative size if size is
unsigned. The sanity checks don't trigger for negative sizes and the server
goes and writes into random memory locations.

If the client submits glyphs with a width or height 0, the destination
pixmap is NULL, causing a null-pointer dereference. Since there's nothing to
composite if the width/height is 0, we might as well skip the whole thing
anyway.

Tested with Xvfb, Xephyr and Xorg.

X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645>

Tested-by: Clemens Eisserer
Signed-off-by: Peter Hutterer <[email protected]>
---
 render/render.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/render/render.c b/render/render.c
index a306766..44e9910 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
     CARD32         *gids;
     xGlyphInfo     *gi;
     CARD8          *bits;
-    int                    size;
+    unsigned int    size;
     int                    err;
     int                    i, screen;
     PicturePtr     pSrc = NULL, pDst = NULL;
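Review bot: Declaring `size` as `unsigned int` removes the negative value but not the overflow itself. The commit message says size is computed as glyph height * padded_width, and if that product can exceed UINT_MAX it wraps to a small positive number that may still pass the sanity checks, which are not visible in this hunk. I would suggest bounding the product before it is stored, for example by rejecting the request when height is nonzero and padded_width > UINT_MAX / height, or by computing it in a 64-bit type and comparing against the request length. Any later comparison of `size` against a signed value should also be checked for implicit conversion now that the type has changed. Minor style point: the new declaration is aligned with spaces while the neighbouring declarations use a different alignment.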
@@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
                ScreenPtr   pScreen;
                int         error;
 
+                /* Skip work if it's invisibly small anyway */
+                if (!width || !height)
+                    break;
+
                pScreen = screenInfo.screens[screen];
                pSrcPix = GetScratchPixmapHeader (pScreen,
                                                  width, height,
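Review bot: The `break` in the new `if (!width || !height)` check leaves the whole enclosing construct, which this hunk's context does not show, rather than skipping one step. Please confirm that the code following that construct copes with a glyph for which no scratch pixmap or picture was created, and that anything allocated earlier for this glyph is still released or recorded correctly on this path. The comment could also state the actual reason from the commit message, that a zero width or height yields a NULL pixmap which is then dereferenced, since "invisibly small" hides the fact that this is a crash fix. If zero-sized glyphs are never valid, validating width and height once where the glyph info is first read would be easier to audit than a check inside this block.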
-- 
1.6.3.rc1.2.g0164.dirty
_______________________________________________
xorg-devel mailing list
[email protected]
http://lists.x.org/mailman/listinfo/xorg-devel
