From c3d6799cee7ff8411b3a05a7ab7e2a9e80c95059 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniel@fooishbar.org>
Date: Tue, 13 Sep 2005 01:33:19 +0000
Subject: =?UTF-8?q?Bug=20#594:=20CAN-2005-2495:=20Fix=20exploitable=20inte?=
 =?UTF-8?q?ger=20overflow=20in=20pixmap=20=20=20=20=20creation,=20where=20?=
 =?UTF-8?q?we=20could=20create=20a=20far=20smaller=20pixmap=20than=20we=20?=
 =?UTF-8?q?thought,=20=20=20=20=20allowing=20changes=20to=20arbitrary=20ch?=
 =?UTF-8?q?unks=20of=20memory.=20(S=C3=B8ren=20Sandmann=20=20=20=20=20Pede?=
 =?UTF-8?q?rsen)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 afb/afbpixmap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


diff --git a/afb/afbpixmap.c b/afb/afbpixmap.c
index a155c101b..c6ae8481c 100644
--- a/afb/afbpixmap.c
+++ b/afb/afbpixmap.c
@@ -77,10 +77,14 @@ afbCreatePixmap(pScreen, width, height, depth)
 	int				depth;
 {
 	PixmapPtr pPixmap;
-	int datasize;
-	int paddedWidth;
+	size_t datasize;
+	size_t paddedWidth;
 
 	paddedWidth = BitmapBytePad(width);
+
+	if (paddedWidth > 32767 || height > 32767 || depth > 4)
+	    return NullPixmap;
+	
 	datasize = height * paddedWidth * depth;
 	pPixmap = AllocatePixmap(pScreen, datasize);
 	if (!pPixmap)
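Review bot: The added bounds check tests only the upper limit of `height` and `depth`, so if they are signed a negative value passes, becomes a huge `size_t` in `height * paddedWidth * depth`, and the product can wrap again (`depth` is declared `int` in the visible parameter list; the declarations of `width` and `height` are outside the hunk). Rejecting the negative range in the same test would close that: `if (width < 0 || height < 0 || depth < 0 || paddedWidth > 32767 || height > 32767 || depth > 4)`. The limits would also benefit from a comment such as `/* 32767 * 32767 * 4 still fits in a 32-bit size_t */`, since nothing in the hunk explains why these constants were chosen. `datasize` is now a `size_t` handed to `AllocatePixmap`, whose prototype is not shown here; if that parameter is an `int`, sizes above `INT_MAX` would still be narrowed at the call, so it is worth confirming. The function body continues past the end of the hunk.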
-- 
cgit v1.2.3