From be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161 Mon Sep 17 00:00:00 2001 From: Matthias Hopf Date: Mon, 21 Jan 2008 16:13:21 +0100 Subject: [PATCH] CVE-2007-6429: Always test for size+offset wrapping. --- Xext/shm.c | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Xext/shm.c b/Xext/shm.c index e46f6fc..a7a1ecf 100644 --- a/Xext/shm.c +++ b/Xext/shm.c @@ -799,10 +799,10 @@ CreatePmap: if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { if (size < width * height) return BadAlloc; - /* thankfully, offset is unsigned */ - if (stuff->offset + size < size) - return BadAlloc; } + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); @@ -1144,10 +1144,10 @@ CreatePmap: if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) { if (size < width * height) return BadAlloc; - /* thankfully, offset is unsigned */ - if (stuff->offset + size < size) - return BadAlloc; } + /* thankfully, offset is unsigned */ + if (stuff->offset + size < size) + return BadAlloc; VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client); pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)( -- 1.5.3.8