We happen not to sanitize the width/height we pass to CreatePixmap here, oops. It's not exploitable, but it's certainly a crash, so let's just throw BadAlloc instead.
Signed-off-by: Adam Jackson <[email protected]> --- glx/glxcmds.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 41313f2..ddbf44d 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1428,6 +1428,8 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, width, height, config->rgbBits, 0); __glXleaveServer(GL_FALSE); + if (!pPixmap) + return BadAlloc; /* Assign the pixmap the same id as the pbuffer and add it as a * resource so it and the DRI2 drawable will be reclaimed when the -- 1.8.1.4 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
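Review bot: the added "if (!pPixmap) return BadAlloc;" after __glXleaveServer(GL_FALSE) handles the failed allocation, but width and height still reach the pixmap creation call unvalidated, which is the root cause the commit message names. Consider rejecting out-of-range dimensions before the call, or add a short comment at the check saying that a NULL pixmap is the expected result for oversized client-supplied width/height, so the dependency on the callee's own limits is documented. The visible context also does not show whether anything acquired earlier in DoCreatePbuffer needs releasing on this new early return; that is worth confirming before merging.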
