From 934569a0f87d7ecab3cf05c415cba0b4d9861487 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Tue, 25 Jul 2017 09:30:09 +0200
Subject: [PATCH xserver] glamor: Avoid overflow between box32 and box16 box
glamor_compute_transform_clipped_regions() uses a temporary box32 internally which is copied back to a box16 to init the regions16, thus causing a potential overflow. If an overflow occurs, the given region is invalid and the pixmap init region will fail. Simply check that the coordinates won't overflow when copying back to the box16, avoiding a crash later down the line in glamor.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan
---
 glamor/glamor_largepixmap.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/glamor/glamor_largepixmap.c b/glamor/glamor_largepixmap.c
index ebfdc9537..f9adb93bc 100644
--- a/glamor/glamor_largepixmap.c
+++ b/glamor/glamor_largepixmap.c
@@ -1,4 +1,5 @@
 #include
+#include /* For INT16_MAX */
 #include "glamor_priv.h"
@@ -722,11 +723,11 @@ glamor_compute_transform_clipped_regions(PixmapPtr pixmap,
 temp_box.x2 = MIN(temp_box.x2, pixmap->drawable.width);
 temp_box.y2 = MIN(temp_box.y2, pixmap->drawable.height);
 }
-/* Now copy back the box32 to a box16 box. */
-short_box.x1 = temp_box.x1;
-short_box.y1 = temp_box.y1;
-short_box.x2 = temp_box.x2;
-short_box.y2 = temp_box.y2;
+/* Now copy back the box32 to a box16 box, avoiding overflow. */
+short_box.x1 = MIN(temp_box.x1, INT16_MAX);
+short_box.y1 = MIN(temp_box.y1, INT16_MAX);
+short_box.x2 = MIN(temp_box.x2, INT16_MAX);
+short_box.y2 = MIN(temp_box.y2, INT16_MAX);
 RegionInitBoxes(temp_region, &short_box, 1);
 DEBUGF("copy to temp source region \n");
 DEBUGRegionPrint(temp_region);
-- 
2.13.3
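Review bot: The clamp on the four new short_box assignments bounds only the upper end; a temp_box coordinate below INT16_MIN (possible for x1/y1 if the earlier clipping, which lies outside this hunk, does not force them to be non-negative) still wraps when stored in the 16-bit field, so the overflow the commit sets out to avoid remains reachable from the negative side. Each assignment should clamp both ends, `short_box.x1 = MAX(MIN(temp_box.x1, INT16_MAX), INT16_MIN);`, with the other three following the same pattern (MAX is defined alongside MIN in the server's misc.h as far as I recall, and INT16_MIN comes from the stdint.h include added in the first hunk). The new comment should also say that clamping shrinks rather than rejects, since a caller then renders less than requested without any error: `/* Clamping truncates to the box16 range; it never fails, so an oversized box yields a smaller region. */`. glamor_compute_transform_clipped_regions() starts and ends outside this hunk.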