Bug#774308: Explicitly allow zero-height PutImage

To: 774308@bugs.debian.org
Subject: Bug#774308: Explicitly allow zero-height PutImage
From: "Keith Packard" <keithp@keithp.com>
Date: Sat, 03 Jan 2015 08:52:54 -0800
Message-id: <[🔎] 868uhjx0ux.fsf@hiro.keithp.com>
Reply-to: "Keith Packard" <keithp@keithp.com>, 774308@bugs.debian.org

Here's a patch that bypasses the INT32_MAX check, allowing zero-height
PutImage requests.

From 6dc2634aee9023ac9d20dc06a76d9fa1f03ff2cd Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@keithp.com>
Date: Sat, 3 Jan 2015 08:46:45 -0800
Subject: [PATCH] dix: Allow zero-height PutImage requests

The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.

Signed-off-by: Keith Packard <keithp@keithp.com>
---
 dix/dispatch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index 55b978d..9044ac7 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
-    if (lengthProto >= (INT32_MAX / stuff->height))
+    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
         return BadLength;
 
     if ((bytes_to_int32(lengthProto * stuff->height) +
-- 
2.1.4


-- 
-keith

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Bug#774308: Additional Information
Next by Date: Bug#774207: Hit issue again
Previous by thread: Bug#774308: Additional Information
Next by thread: Bug#774207: Hit issue again
Index(es):
- Date
- Thread