[PATCH] libXrender: avoid possible overflow with multiple members
Dave Airlie
airlied at gmail.com
Sun May 26 15:56:34 PDT 2013
From: Dave Airlie <airlied at redhat.com>
If all of these limits are pushed to their mask, then / 4 won't stop
the malloc from being overflowed.
Signed-off-by: Dave Airlie <airlied at redhat.com>
---
src/Xrender.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..1c859ea 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -459,11 +459,11 @@ XRenderQueryFormats (Display *dpy)
if (async_state.major_version == 0 && async_state.minor_version < 6)
rep.numSubpixel = 0;
- if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
- (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
- (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
- (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
- (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+ if ((rep.numFormats < ((INT_MAX / 8) / sizeof (XRenderPictFormat))) &&
+ (rep.numScreens < ((INT_MAX / 8) / sizeof (XRenderScreen))) &&
+ (rep.numDepths < ((INT_MAX / 8) / sizeof (XRenderDepth))) &&
+ (rep.numVisuals < ((INT_MAX / 8) / sizeof (XRenderVisual))) &&
+ (rep.numSubpixel < ((INT_MAX / 8) / 4)) &&
(rep.length < (INT_MAX >> 2)) ) {
xri = Xmalloc (sizeof (XRenderInfo) +
(rep.numFormats * sizeof (XRenderPictFormat)) +
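Review bot: The divisor 8 in the five `INT_MAX / 8` bounds is an undocumented constant whose correctness depends on how many terms the following Xmalloc sums. Five terms each below INT_MAX / 8 total less than 5/8 of INT_MAX, so the sum fits today, but the margin disappears silently if more sized members are added to the allocation. Suggest a comment above the condition stating that the divisor must exceed the number of summed terms, or accumulating the size in an unsigned long with a check after each addition so the bound no longer relies on the term count. The sum also includes sizeof (XRenderInfo), and only the first two lines of the Xmalloc expression are visible in this hunk, so it is worth confirming that every remaining term is covered by one of the five checks.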
--
1.8.1.2