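diff --git a/Xext/shm.c b/Xext/shm.c
index be79862..ed7dc28 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -723,6 +723,8 @@ ProcPanoramiXShmCreatePixmap(
 int i, j, result;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 PanoramiXRes *newPix;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -732,11 +734,18 @@ ProcPanoramiXShmCreatePixmap(
 LEGAL_NEW_RESOURCE(stuff->pid, client);
 VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -746,10 +755,18 @@ ProcPanoramiXShmCreatePixmap(
 client->errorValue = stuff->depth;
 return BadValue;
 }
+
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
 if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 return BadAlloc;
@@ -1047,6 +1064,8 @@ ProcShmCreatePixmap(client)
 register int i;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
 client->errorValue = stuff->pid;
@@ -1055,11 +1074,18 @@ ProcShmCreatePixmap(client)
 LEGAL_NEW_RESOURCE(stuff->pid, client);
 VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -1069,10 +1095,18 @@ ProcShmCreatePixmap(client)
 client->errorValue = stuff->depth;
 return BadValue;
 }
+
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 pDraw->pScreen, stuff->width,
 stuff->height, stuff->depth,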
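Review bot: The wrap guard `if (stuff->offset + size < size)` under `CreatePmap:` in ProcPanoramiXShmCreatePixmap only runs inside `if (sizeof(size) == 4 && BitsPerPixel(depth) > 8)`. On a 32-bit build, a request whose depth maps to 8 bits per pixel or fewer therefore reaches `VERIFY_SHMSIZE` with an unchecked `offset + size` sum. Whether a large offset can get that far depends on what `VERIFY_SHMPTR` enforces, which is not visible in these hunks. The check is cheap and harmless where the sum cannot wrap, so I would move it out of the conditional and place `if (stuff->offset + size < size) return BadAlloc;` directly before `VERIFY_SHMSIZE`. The identical block in ProcShmCreatePixmap needs the same change. Both function bodies extend beyond the hunks shown. The bare `32767` limit also deserves a comment, for example `/* X pixmap dimensions are limited to 15 bits; this also bounds the size computation below */`, and the two copies of this validation would be easier to keep consistent as one static helper.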