dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).

The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Fix for regression introduced by fix for CVE-2014-8092. v2: backports to nx-libs 3.6.x (Mike Gabriel) Signed-off-by: Keith Packard <keithp@keithp.com>

dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
dba779d9 · Keith Packard · Mike Gabriel · 7ccbb073 · dba779d9
Commit dba779d9 authored May 01, 2015 by Keith Packard Committed by Mike Gabriel May 01, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

dispatch.c nx-X11/programs/Xserver/dix/dispatch.c +1 -1

No files found.
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
    tmpImage = (char *)&stuff[1];
    lengthProto = length;
-    if (lengthProto >= (INT32_MAX / stuff->height))
+    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
        return BadLength;
    if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +