The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard <[email protected]> --- dix/dispatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dix/dispatch.c b/dix/dispatch.c index 55b978d..9044ac7 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; - if (lengthProto >= (INT32_MAX / stuff->height)) + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength; if ((bytes_to_int32(lengthProto * stuff->height) + -- 2.1.4 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
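Review bot: the new `stuff->height != 0 &&` guard in the ProcPutImage hunk carries no comment saying why it is safe to skip the overflow test for a zero height. The reason is visible two lines further down: `lengthProto * stuff->height` is 0 when height is 0, so the multiplication that the INT32_MAX test protects cannot overflow. A one-line comment above the `if` stating this would keep a later cleanup from folding the condition back into an unguarded divide. Only the first line of the following `bytes_to_int32(lengthProto * stuff->height) +` comparison appears in the context, so it would also help to note in the commit message whether that comparison still returns BadLength for a zero-height request that carries trailing image data.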
