1 --- a/unix/x0vncserver/Image.cxx	Wed Oct 22 10:30:27 2014

     2 +++ b/unix/x0vncserver/Image.cxx	Wed Oct 22 10:46:12 2014

     3 @@ -79,6 +79,13 @@

     4  

     5    xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),

     6                       ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);

     7 +  if (xim->bytes_per_line <= 0 ||

     8 +      xim->height <= 0 ||

     9 +      xim->height >= INT_MAX / xim->bytes_per_line) {

    10 +    vlog.error("Invalid display size");

    11 +    XDestroyImage(xim);

    12 +    exit(1);

    13 +  }

    14  

    15    xim->data = (char *)malloc(xim->bytes_per_line * xim->height);

    16    if (xim->data == NULL) {

    17 @@ -256,6 +263,17 @@

    18      return;

    19    }

    20  

    21 +  if (xim->bytes_per_line <= 0 ||

    22 +      xim->height <= 0 ||

    23 +      xim->height >= INT_MAX / xim->bytes_per_line) {

    24 +    vlog.error("Invalid display size");

    25 +    XDestroyImage(xim);

    26 +    xim = NULL;

    27 +    delete shminfo;

    28 +    shminfo = NULL;

    29 +    return; 

    30 +  }

    31 +

    32    shminfo->shmid = shmget(IPC_PRIVATE,

    33                            xim->bytes_per_line * xim->height,

    34                            IPC_CREAT|0777);