Diffstat (limited to 'x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff')
-rw-r--r--x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff24
1 files changed, 24 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff b/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff
new file mode 100644
index 0000000..180d126
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-xserver-1.4-cve-2008-1379.diff
@@ -0,0 +1,24 @@
+diff --git a/Xext/shm.c b/Xext/shm.c
+index ac587be..e08df36 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -831,8 +831,17 @@ ProcShmPutImage(client)
+ return BadValue;
+ }
+
+- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+- client);
++ /*
++ * There's a potential integer overflow in this check:
++ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
++ * client);
++ * the version below ought to avoid it
++ */
++ if (stuff->totalHeight != 0 &&
++ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
++ client->errorValue = stuff->totalWidth;
++ return BadValue;
++ }
+ if (stuff->srcX > stuff->totalWidth)
+ {
+ client->errorValue = stuff->srcX;
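Review bot: The subtraction `shmdesc->size - stuff->offset` in the new bound check is only safe if `stuff->offset <= shmdesc->size` already holds; if both operands are unsigned, as they appear to be, a larger offset wraps to a huge value and the request passes the check. The removed VERIFY_SHMSIZE call was the only place visible in this hunk that compared the offset with the segment size, so that guarantee now has to come from code earlier in ProcShmPutImage, which starts and ends outside the hunk. I would either make it explicit in the condition, `if (stuff->offset > shmdesc->size || (stuff->totalHeight != 0 && length > (shmdesc->size - stuff->offset)/stuff->totalHeight)) {`, or extend the comment with `* relies on stuff->offset <= shmdesc->size having been verified above`. The failure path now returns BadValue with errorValue set to totalWidth, which may differ from what the macro returned, so it is worth confirming against the macro definition that clients see the intended error.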