[PATCH] dix: Allow zero-height PutImage requests

Alan Coopersmith alan.coopersmith at oracle.com
Sat Jan 3 10:49:30 PST 2015


On 01/ 3/15 08:50 AM, Keith Packard wrote:
> The length checking code validates PutImage height and byte width by
> making sure that byte-width >= INT32_MAX / height. If height is zero,
> this generates a divide by zero exception. Allow zero height requests
> explicitly, bypassing the INT32_MAX check.
>
> Signed-off-by: Keith Packard <keithp at keithp.com>
> ---
>   dix/dispatch.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/dix/dispatch.c b/dix/dispatch.c
> index 55b978d..9044ac7 100644
> --- a/dix/dispatch.c
> +++ b/dix/dispatch.c
> @@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
>       tmpImage = (char *) &stuff[1];
>       lengthProto = length;
>
> -    if (lengthProto >= (INT32_MAX / stuff->height))
> +    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
>           return BadLength;
>
>       if ((bytes_to_int32(lengthProto * stuff->height) +
>

Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc


More information about the xorg-devel mailing list