Merge pull request #45 from ArcticaProject/pr/dix-cve-fixes

nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c

@@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client)
 
     tmpImage = (char *)&stuff[1];
     lengthProto = length;
-	
+    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
 	(sizeof(xPutImageReq) >> 2)) != client->req_len)
 	return BadLength;

nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c

@@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
 	    GC *pGC;
 	    unsigned char *data;
 	    ITclosurePtr new_closure;
+	    ITclosurePtr old_closure;
 
 	    /* We're putting the client to sleep.  We need to
 	       save some state.  Similar problem to that handled
@@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
 		err = BadAlloc;
 		goto bail;
 	    }
+	    old_closure = c;
 	    *new_closure = *c;
 	    c = new_closure;
 
@@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
 	    if (!data)
 	    {
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	    }
@@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
 	    {
 		xfree(c->data);
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	    }
@@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c)
 		FreeScratchGC(pGC);
 		xfree(c->data);
 		xfree(c);
+		c = old_closure;
 		err = BadAlloc;
 		goto bail;
 	    }