diff -up xorg-server-1.1.1/Xext/shm.c.jx xorg-server-1.1.1/Xext/shm.c
--- xorg-server-1.1.1/Xext/shm.c.jx 2006-07-05 14:31:36.000000000 -0400
+++ xorg-server-1.1.1/Xext/shm.c 2007-12-11 14:21:25.000000000 -0500
@@ -149,9 +149,9 @@ static ShmFuncs fbFuncs = {fbShmCreatePi
 return BadAccess; \
 }
 
-#define VERIFY_SHMSIZE(shmdesc,offset,len,client) \
+#define VERIFY_SHMSIZE(shmdesc,offset,size,client) \
 { \
- if ((offset + len) > shmdesc->size) \
+ if ((offset + size) > shmdesc->size) \
 { \
 return BadAccess; \
 } \
@@ -1049,6 +1049,8 @@ ProcShmCreatePixmap(client)
 register int i;
 ShmDescPtr shmdesc;
 REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
 
 REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
 client->errorValue = stuff->pid;
@@ -1057,11 +1059,26 @@ ProcShmCreatePixmap(client)
 LEGAL_NEW_RESOURCE(stuff->pid, client);
 VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
 VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
 {
 client->errorValue = 0;
 return BadValue;
 }
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
+
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
@@ -1072,9 +1089,7 @@ ProcShmCreatePixmap(client)
 return BadValue;
 }
 CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 pDraw->pScreen, stuff->width, stuff->height, stuff->depth,
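Review bot: In the `@@ -149,9 +149,9 @@` hunk, naming the macro parameter `size` means the preprocessor also replaces the member name in `shmdesc->size`, so the comparison expands to `shmdesc->` followed by whatever the caller passes as the third argument. The one call visible in this patch passes a variable that is itself called `size`, so it expands as intended; call sites outside this diff that pass another expression would stop compiling or test the wrong field. Keeping `len` as the parameter name avoids that. The sum is also still unchecked inside the macro, so every caller has to rule out wrap-around itself; assuming unsigned operands, `if ((len) > (shmdesc)->size || (offset) > (shmdesc)->size - (len)) \` performs the same bound test without an addition that can wrap.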
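Review bot: In the `@@ -1057,11 +1059,26 @@` hunk, the `if (size < width * height)` test inside the `sizeof(size) == 4` branch treats any byte size smaller than the pixel count as an overflow. That also holds for valid formats of fewer than 8 bits per pixel (assuming `PixmapBytePad` returns padded bytes per scanline; its definition is not in the diff), so such requests would get `BadAlloc` on builds with a 32-bit `long`. With width and height already capped at 32767, restricting the wrap test to wider formats keeps the protection: `if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {`. The size is also computed before the loop that checks `stuff->depth` against `allowedDepths`, whereas the removed code evaluated `PixmapBytePad` only after `CreatePmap:`; moving the new block below that label would keep a client-supplied depth from reaching `PixmapBytePad` unvalidated. `ProcShmCreatePixmap` begins and ends outside this hunk.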