We happen not to sanitize the width/height we pass to CreatePixmap here, oops. It's not exploitable, but it's certainly a crash, so let's just throw BadAlloc instead.
Signed-off-by: Adam Jackson <[email protected]> --- glx/glxcmds.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 27a68aa..9426fc1 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -1416,6 +1416,8 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, width, height, config->rgbBits, 0); __glXleaveServer(GL_FALSE); + if (!pPixmap) + return BadAlloc; /* Assign the pixmap the same id as the pbuffer and add it as a * resource so it and the DRI2 drawable will be reclaimed when the -- 1.8.3.1 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
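Review bot: In DoCreatePbuffer the added `if (!pPixmap) return BadAlloc;` handles the failure only after the client-supplied width and height have already reached CreatePixmap, and the commit message says those values are still not sanitized. The fix therefore depends on every CreatePixmap implementation returning NULL for bad dimensions rather than misbehaving on them. Consider rejecting out-of-range width/height before the call and keeping this NULL check as the backstop; a short comment on the check saying it covers client-controlled dimensions would also help. Placing the return after `__glXleaveServer(GL_FALSE);` keeps the enter/leave pairing balanced, which is right. It is worth confirming that nothing acquired earlier in the function needs releasing on this new early-return path, since the visible context does not show it.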
