1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161 Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Mon, 21 Jan 2008 16:13:21 +0100
Subject: [PATCH] CVE-2007-6429: Always test for size+offset wrapping.
---
Xext/shm.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Xext/shm.c b/Xext/shm.c
index e46f6fc..a7a1ecf 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -799,10 +799,10 @@ CreatePmap:
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
}
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
@@ -1144,10 +1144,10 @@ CreatePmap:
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
}
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
--
1.5.3.8
|
GitWeb
