Diffstat (limited to 'x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff')
-rw-r--r-- | x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff b/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff
new file mode 100644
index 0000000..180d126
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff
@@ -0,0 +1,24 @@
+diff --git a/Xext/shm.c b/Xext/shm.c
+index ac587be..e08df36 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -831,8 +831,17 @@ ProcShmPutImage(client)
+ return BadValue;
+ }
+
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX; |
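Review bot: The replacement check in ProcShmPutImage computes `shmdesc->size - stuff->offset` without first confirming that the offset lies inside the segment; if both operands are unsigned (their declarations are outside the hunk), an offset larger than the segment size wraps to a very large value and the comparison passes. Unless an earlier check outside this hunk already bounds the offset, the condition should reject that case first, e.g. `if (stuff->offset > shmdesc->size || (stuff->totalHeight != 0 && length > (shmdesc->size - stuff->offset)/stuff->totalHeight)) {`. A zero `totalHeight` also skips the size check entirely, so the offset is not validated at all on that path. The failure path reports BadValue with `errorValue` set to `totalWidth`; whether the removed macro reported a different error is not visible here, so a one-line comment explaining the chosen error code would help. The function body begins and ends outside the hunk.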