From: Dave Airlie <[email protected]> If all of these limits are pushed to their mask, then / 4 won't stop the malloc from being overflowed.
Signed-off-by: Dave Airlie <[email protected]>
---
 src/Xrender.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..1c859ea 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -459,11 +459,11 @@ XRenderQueryFormats (Display *dpy)
 if (async_state.major_version == 0 && async_state.minor_version < 6)
 rep.numSubpixel = 0;
 
- if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
- (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
- (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
- (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
- (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+ if ((rep.numFormats < ((INT_MAX / 8) / sizeof (XRenderPictFormat))) &&
+ (rep.numScreens < ((INT_MAX / 8) / sizeof (XRenderScreen))) &&
+ (rep.numDepths < ((INT_MAX / 8) / sizeof (XRenderDepth))) &&
+ (rep.numVisuals < ((INT_MAX / 8) / sizeof (XRenderVisual))) &&
+ (rep.numSubpixel < ((INT_MAX / 8) / 4)) &&
 (rep.length < (INT_MAX >> 2)) ) {
 xri = Xmalloc (sizeof (XRenderInfo) +
 (rep.numFormats * sizeof (XRenderPictFormat)) +
--
1.8.1.2
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
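Review bot: The divisor 8 in the five `INT_MAX / 8` bounds is an unexplained constant whose correctness depends on how many terms the `Xmalloc` size expression adds up, and nothing in the code ties the two together. Assuming the sum has one term per checked count (the expression continues past the end of the hunk, so this is inferred), five terms each below `INT_MAX / 8` keep the total under `INT_MAX`, but any array added to the allocation later would eat into that margin with no signal to the author. Since the `rep` counts presumably come from the server's reply, I would record the invariant next to the check, e.g. `/* Five arrays are summed into one Xmalloc below; INT_MAX / 8 per array keeps the total under INT_MAX. Revisit if a term is added. */`. A sturdier follow-up would be to accumulate the size in an `unsigned long` with an explicit overflow check on each addition rather than relying on per-field limits.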
