3rd try... CVE-2007-6429: Always test for size+offset wrapping. From X.Org.

author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-01-21 21:38:23 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2008-01-21 21:38:23 +0000
commit: 7be36bc3f55be74ea63d86c16456ba5618d40bc4 (patch)
tree: ecb08810da54ef3900033d5998b071b333ac617c
parent: 7faf80fc6f9c5e6a05f76dd064924ec9931d3ad8 (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/xserver/Xext/shm.c b/xserver/Xext/shm.c
index 6f99e9064..376f12348 100644
--- a/xserver/Xext/shm.c
+++ b/xserver/Xext/shm.c
@@ -753,10 +753,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
         if (size < width * height)
             return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
@@ -1098,10 +1098,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
 	if (size < width * height)
 	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-01-21 21:38:23 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2008-01-21 21:38:23 +0000
commit	7be36bc3f55be74ea63d86c16456ba5618d40bc4 (patch)
tree	ecb08810da54ef3900033d5998b071b333ac617c
parent	7faf80fc6f9c5e6a05f76dd064924ec9931d3ad8 (diff)