Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 155993 Details for
Bug 225419
x11-base/xorg-server Multiple vulnerabilities in X server extensions (CVE-2008-1377, CVE-2008-1379, CVE-2008-2360, CVE-2008-2361, CVE-2008-2362)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
cve-2008-2362
xorg-xserver-1.4-cve-2008-2362.diff (text/plain), 2.21 KB, created by
Matthias Geerdsen (RETIRED)
on 2008-06-08 18:45:21 UTC
(
hide
)
Description:
cve-2008-2362
Filename:
MIME Type:
Creator:
Matthias Geerdsen (RETIRED)
Created:
2008-06-08 18:45:21 UTC
Size:
2.21 KB
patch
obsolete
>diff --git a/render/render.c b/render/render.c >index 74c5f63..b53e878 100644 >--- a/render/render.c >+++ b/render/render.c >@@ -1920,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client) > LEGAL_NEW_RESOURCE(stuff->pid, client); > > len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); >+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) >+ return BadLength; > if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) > return BadLength; > >@@ -2493,18 +2495,18 @@ SProcRenderCreateSolidFill(ClientPtr client) > return (*ProcRenderVector[stuff->renderReqType]) (client); > } > >-static void swapStops(void *stuff, int n) >+static void swapStops(void *stuff, int num) > { >- int i; >+ int i, n; > CARD32 *stops; > CARD16 *colors; > stops = (CARD32 *)(stuff); >- for (i = 0; i < n; ++i) { >+ for (i = 0; i < num; ++i) { > swapl(stops, n); > ++stops; > } > colors = (CARD16 *)(stops); >- for (i = 0; i < 4*n; ++i) { >+ for (i = 0; i < 4*num; ++i) { > swaps(stops, n); > ++stops; > } >@@ -2527,6 +2529,8 @@ SProcRenderCreateLinearGradient (ClientPtr client) > swapl(&stuff->nStops, n); > > len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); >+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) >+ return BadLength; > if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) > return BadLength; > >@@ -2554,6 +2558,8 @@ SProcRenderCreateRadialGradient (ClientPtr client) > swapl(&stuff->nStops, n); > > len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); >+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) >+ return BadLength; > if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) > return BadLength; > >@@ -2578,6 +2584,8 @@ SProcRenderCreateConicalGradient (ClientPtr client) > swapl(&stuff->nStops, n); > > len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); >+ if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) >+ return BadLength; > if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) > return BadLength; >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 225419
:
155985
|
155987
|
155989
|
155991
| 155993 |
156325