Gentoo Attachment #68543 for bug #105859

View | Details | Raw Unified
Collapse All | Expand All

(-) xc.orig/programs/Xserver/afb/afbpixmap.c (-2 / +6 lines)

Lines 77-86 afbCreatePixmap(pScreen, width, height,	Link Here

	int				depth;

	int				depth;

	PixmapPtr pPixmap;

	PixmapPtr pPixmap;

	int datasize;

	size_t datasize;

	int paddedWidth;

	size_t paddedWidth;

	paddedWidth = BitmapBytePad(width);

	paddedWidth = BitmapBytePad(width);

	if (paddedWidth > 32767 || height > 32767 || depth > 4)

	    return NullPixmap;

	datasize = height * paddedWidth * depth;

	datasize = height * paddedWidth * depth;

	pPixmap = AllocatePixmap(pScreen, datasize);

	pPixmap = AllocatePixmap(pScreen, datasize);

	if (!pPixmap)

	if (!pPixmap)

(-) xc.orig/programs/Xserver/cfb/cfbpixmap.c (-2 / +5 lines)

Lines 72-81 cfbCreatePixmap (pScreen, width, height,	Link Here

    int		depth;

    int		depth;

    PixmapPtr pPixmap;

    PixmapPtr pPixmap;

    int datasize;

    size_t datasize;

    int paddedWidth;

    size_t paddedWidth;

    paddedWidth = PixmapBytePad(width, depth);

    paddedWidth = PixmapBytePad(width, depth);

    if (paddedWidth / 4 > 32767 || height > 32767)

	return NullPixmap;

    datasize = height * paddedWidth;

    datasize = height * paddedWidth;

    pPixmap = AllocatePixmap(pScreen, datasize);

    pPixmap = AllocatePixmap(pScreen, datasize);

    if (!pPixmap)

    if (!pPixmap)

(-) xc.orig/programs/Xserver/dix/pixmap.c (+20 lines)

Lines 1483-1488 ProcCreatePixmap(register ClientPtr clie	Link Here

	client->errorValue = 0;

	client->errorValue = 0;

        return BadValue;

        return BadValue;

    if (stuff->width > 32767 || stuff->height > 32767)

	/* It is allowed to try and allocate a pixmap which is larger than

	 * 32767 in either dimension. However, all of the framebuffer code

	 * is buggy and does not reliably draw to such big pixmaps, basically

	 * because the Region data structure operates with signed shorts

	 * for the rectangles in it.

	 * Furthermore, several places in the X server computes the

	 * size in bytes of the pixmap and tries to store it in an

	 * integer. This integer can overflow and cause the allocated size

	 * to be much smaller.

	 * So, such big pixmaps are rejected here with a BadAlloc

*/

	return BadAlloc;

    if (stuff->depth != 1)

    if (stuff->depth != 1)

        pDepth = pDraw->pScreen->allowedDepths;

        pDepth = pDraw->pScreen->allowedDepths;

Lines 118-123 AllocatePixmap(ScreenPtr pScreen, int pi	Link Here

    unsigned size;

    unsigned size;

    int i;

    int i;

    if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)

	return NullPixmap;

    pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);

    pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);

    if (!pPixmap)

    if (!pPixmap)

	return NullPixmap;

	return NullPixmap;

(-) xc.orig/programs/Xserver/fb/fbpixmap.c (-2 / +4 lines)

Lines 36-47 PixmapPtr	Link Here

fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)

fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)

    PixmapPtr	pPixmap;

    PixmapPtr	pPixmap;

    int		datasize;

    size_t	datasize;

    int		paddedWidth;

    size_t	paddedWidth;

    int		adjust;

    int		adjust;

    int		base;

    int		base;

    paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);

    paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);

    if (paddedWidth / 4 > 32767 || height > 32767)

	return NullPixmap;

    datasize = height * paddedWidth;

    datasize = height * paddedWidth;

#ifdef PIXPRIV

#ifdef PIXPRIV

    base = pScreen->totalPixmapSize;

    base = pScreen->totalPixmapSize;

(-) xc.orig/programs/Xserver/hw/xfree86/xaa/xaaInit.c (+3 lines)

Lines 502-507 XAACreatePixmap(ScreenPtr pScreen, int w	Link Here

    XAAPixmapPtr pPriv;

    XAAPixmapPtr pPriv;

    PixmapPtr pPix = NULL;

    PixmapPtr pPix = NULL;

    int size = w * h;

    int size = w * h;

    if (w > 32767 || h > 32767)

	return NullPixmap;

    if (!infoRec->offscreenDepthsInitialized)

    if (!infoRec->offscreenDepthsInitialized)

	XAAInitializeOffscreenDepths (pScreen);

	XAAInitializeOffscreenDepths (pScreen);

(-) xc.orig/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c (-1 / +5 lines)

Lines 89-95 xf4bppCreatePixmap( pScreen, width, heig	Link Here

    int		depth ;

    int		depth ;

    register PixmapPtr pPixmap  = (PixmapPtr)NULL;

    register PixmapPtr pPixmap  = (PixmapPtr)NULL;

    int size ;

    size_t size ;

    TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;

    TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;

Lines 97-102 xf4bppCreatePixmap( pScreen, width, heig	Link Here

	return (PixmapPtr) NULL ;

	return (PixmapPtr) NULL ;

    size = PixmapBytePad(width, depth);

    size = PixmapBytePad(width, depth);

    if (size / 4 > 32767 || height > 32767)

	return (PixmapPtr) NULL ;

    pPixmap = AllocatePixmap (pScreen, (height * size));

    pPixmap = AllocatePixmap (pScreen, (height * size));

    if ( !pPixmap )

    if ( !pPixmap )

(-) xc.orig/programs/Xserver/ilbm/ilbmpixmap.c (-2 / +4 lines)

Lines 79-88 ilbmCreatePixmap(pScreen, width, height,	Link Here

	int				depth;

	int				depth;

	PixmapPtr pPixmap;

	PixmapPtr pPixmap;

	int datasize;

	size_t datasize;

	int paddedWidth;

	size_t paddedWidth;

	paddedWidth = BitmapBytePad(width);

	paddedWidth = BitmapBytePad(width);

	if (paddedWidth > 32767 || height > 32767 || depth > 4)

		return NullPixmap;

	datasize = height * paddedWidth * depth;

	datasize = height * paddedWidth * depth;

	pPixmap = AllocatePixmap(pScreen, datasize);

	pPixmap = AllocatePixmap(pScreen, datasize);

	if (!pPixmap)

	if (!pPixmap)

(-) xc.orig/programs/Xserver/iplan2p4/iplpixmap.c (-2 / +4 lines)

Lines 78-89 iplCreatePixmap (pScreen, width, height,	Link Here

    int		depth;

    int		depth;

    PixmapPtr pPixmap;

    PixmapPtr pPixmap;

    int datasize;

    size_t datasize;

    int paddedWidth;

    size_t paddedWidth;

    int ipad=INTER_PLANES*2 - 1;

    int ipad=INTER_PLANES*2 - 1;

    paddedWidth = PixmapBytePad(width, depth);

    paddedWidth = PixmapBytePad(width, depth);

    paddedWidth = (paddedWidth + ipad) & ~ipad;

    paddedWidth = (paddedWidth + ipad) & ~ipad;

    if (paddedWidth / 4 > 32767 || height > 32767)

	return NullPixmap;

    datasize = height * paddedWidth;

    datasize = height * paddedWidth;

    pPixmap = AllocatePixmap(pScreen, datasize);

    pPixmap = AllocatePixmap(pScreen, datasize);

    if (!pPixmap)

    if (!pPixmap)

(-) xc.orig/programs/Xserver/mfb/mfbpixmap.c (-2 / +4 lines)

Lines 75-86 mfbCreatePixmap (pScreen, width, height,	Link Here

    int		depth;

    int		depth;

    PixmapPtr pPixmap;

    PixmapPtr pPixmap;

    int datasize;

    size_t datasize;

    int paddedWidth;

    size_t paddedWidth;

    if (depth != 1)

    if (depth != 1)

	return NullPixmap;

	return NullPixmap;

    paddedWidth = BitmapBytePad(width);

    paddedWidth = BitmapBytePad(width);

    if (paddedWidth / 4 > 32767 || height > 32767)

	return NullPixmap;

    datasize = height * paddedWidth;

    datasize = height * paddedWidth;

    pPixmap = AllocatePixmap(pScreen, datasize);

    pPixmap = AllocatePixmap(pScreen, datasize);

    if (!pPixmap)

    if (!pPixmap)

Attachment #68543: Fixed (hopefully) patch for CAN-2005-2495 for bug #105859