--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xorg/CVE-2015-3418.patch Tue Apr 28 18:11:34 2015 -0700
@@ -0,0 +1,32 @@
+From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
+From: Keith Packard <[email protected]>
+Date: Sat, 3 Jan 2015 08:46:45 -0800
+Subject: [PATCH] dix: Allow zero-height PutImage requests
+
+The length checking code validates PutImage height and byte width by
+making sure that byte-width >= INT32_MAX / height. If height is zero,
+this generates a divide by zero exception. Allow zero height requests
+explicitly, bypassing the INT32_MAX check.
+
+Signed-off-by: Keith Packard <[email protected]>
+Reviewed-by: Alan Coopersmith <[email protected]>
+---
+ dix/dispatch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 55b978d..9044ac7 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
+ tmpImage = (char *) &stuff[1];
+ lengthProto = length;
+
+- if (lengthProto >= (INT32_MAX / stuff->height))
++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
+ if ((bytes_to_int32(lengthProto * stuff->height) +
+--
+1.7.9.2
+
--- a/open-src/xserver/xorg/patch-list Tue Apr 28 14:40:52 2015 -0700
+++ b/open-src/xserver/xorg/patch-list Tue Apr 28 18:11:34 2015 -0700
@@ -36,3 +36,4 @@
multi-session-with-isolateDevice.patch,-p1
security-2014-12-09.patch,-p1
CVE-2015-0255.patch,-p1
+CVE-2015-3418.patch,-p1