On 01/ 3/15 08:50 AM, Keith Packard wrote:
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard <[email protected]>
---
dix/dispatch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 55b978d..9044ac7 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +
Reviewed-by: Alan Coopersmith <[email protected]>
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
