Attachment #47712 for bug #113227

View | Details | Raw Unified | Return to bug 113227
Collapse All | Expand All

Lines 77-86 afbCreatePixmap(pScreen, width, height, Link Here

(-)programs/Xserver/afb/afbpixmap.c (-2 / +6 lines)
77	int depth;	77	int depth;
78	{	78	{
79	PixmapPtr pPixmap;	79	PixmapPtr pPixmap;
80	int datasize;	80	size_t datasize;
81	int paddedWidth;	81	size_t paddedWidth;
82		82
83	paddedWidth = BitmapBytePad(width);	83	paddedWidth = BitmapBytePad(width);
		84
		85	if (paddedWidth > 32767 \|\| height > 32767)
		86	return NullPixmap;
		87
84	datasize = height * paddedWidth * depth;	88	datasize = height * paddedWidth * depth;
85	pPixmap = AllocatePixmap(pScreen, datasize);	89	pPixmap = AllocatePixmap(pScreen, datasize);
86	if (!pPixmap)	90	if (!pPixmap)

Lines 72-81 cfbCreatePixmap (pScreen, width, height, Link Here

(-)programs/Xserver/cfb/cfbpixmap.c (-2 / +5 lines)
72	int depth;	72	int depth;
73	{	73	{
74	PixmapPtr pPixmap;	74	PixmapPtr pPixmap;
75	int datasize;	75	size_t datasize;
76	int paddedWidth;	76	size_t paddedWidth;
77		77
78	paddedWidth = PixmapBytePad(width, depth);	78	paddedWidth = PixmapBytePad(width, depth);
		79
		80	if (paddedWidth > 32767 \|\| height > 32767)
		81	return NullPixmap;
79	datasize = height * paddedWidth;	82	datasize = height * paddedWidth;
80	pPixmap = AllocatePixmap(pScreen, datasize);	83	pPixmap = AllocatePixmap(pScreen, datasize);
81	if (!pPixmap)	84	if (!pPixmap)




	client->errorValue = 0;
        return BadValue;
    }
    if (stuff->width > 32767 || stuff->height > 32767)
    {
	/* It is allowed to try and allocate a pixmap which is larger than
	 * 32767 in either dimension. However, all of the framebuffer code
	 * is buggy and does not reliably draw to such big pixmaps, basically
	 * because the Region data structure operates with signed shorts
	 * for the rectangles in it.
	 *
	 * Furthermore, several places in the X server computes the
	 * size in bytes of the pixmap and tries to store it in an
	 * integer. This integer can overflow and cause the allocated size
	 * to be much smaller.
	 *
	 * So, such big pixmaps are rejected here with a BadAlloc
	 */
	return BadAlloc;
    }
    if (stuff->depth != 1)
    {
        pDepth = pDraw->pScreen->allowedDepths;

Lines 36-47 PixmapPtr Link Here

(-)programs/Xserver/fb/fbpixmap.c (-2 / +4 lines)
36	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)	36	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
37	{	37	{
38	PixmapPtr pPixmap;	38	PixmapPtr pPixmap;
39	int datasize;	39	size_t datasize;
40	int paddedWidth;	40	size_t paddedWidth;
41	int adjust;	41	int adjust;
42	int base;	42	int base;
43		43
44	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);	44	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
		45	if (paddedWidth > 32767 \|\| height > 32767)
		46	return NullPixmap;
45	datasize = height * paddedWidth;	47	datasize = height * paddedWidth;
46	#ifdef PIXPRIV	48	#ifdef PIXPRIV
47	base = pScreen->totalPixmapSize;	49	base = pScreen->totalPixmapSize;

Lines 333-338 exaCreatePixmap(ScreenPtr pScreen, int w Link Here

(-)programs/Xserver/hw/xfree86/exa/exa.c (+3 lines)
333	ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);	333	ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);
334	ExaScreenPriv(pScreen);	334	ExaScreenPriv(pScreen);
335		335
		336	if (w > 32767 \|\| h > 32767)
		337	return NullPixmap;
		338
336	if (!pScrn->vtSema \|\| pExaScr->swappedOut) {	339	if (!pScrn->vtSema \|\| pExaScr->swappedOut) {
337	pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);	340	pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);
338	} else {	341	} else {

Lines 502-507 XAACreatePixmap(ScreenPtr pScreen, int w Link Here

(-)programs/Xserver/hw/xfree86/xaa/xaaInit.c (+3 lines)
502	XAAPixmapPtr pPriv;	502	XAAPixmapPtr pPriv;
503	PixmapPtr pPix = NULL;	503	PixmapPtr pPix = NULL;
504	int size = w * h;	504	int size = w * h;
		505
		506	if (w > 32767 \|\| h > 32767)
		507	return NullPixmap;
505		508
506	if (!infoRec->offscreenDepthsInitialized)	509	if (!infoRec->offscreenDepthsInitialized)
507	XAAInitializeOffscreenDepths (pScreen);	510	XAAInitializeOffscreenDepths (pScreen);




    int		depth ;
{
    register PixmapPtr pPixmap  = (PixmapPtr)NULL;
    size_t size ;
    
    TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;

    if ( depth > 8 )
	return (PixmapPtr) NULL ;

    if (width > 32767 || height > 32767)
	return (PixmapPtr) NULL ;
    
    size = PixmapBytePad(width, depth);

    pPixmap = AllocatePixmap (pScreen, (height * size));
    
    if ( !pPixmap )

Lines 79-88 ilbmCreatePixmap(pScreen, width, height, Link Here

(-)programs/Xserver/ilbm/ilbmpixmap.c (-2 / +4 lines)
79	int depth;	79	int depth;
80	{	80	{
81	PixmapPtr pPixmap;	81	PixmapPtr pPixmap;
82	int datasize;	82	size_t datasize;
83	int paddedWidth;	83	size_t paddedWidth;
84		84
85	paddedWidth = BitmapBytePad(width);	85	paddedWidth = BitmapBytePad(width);
		86	if (paddedWidth > 32767 \|\| height > 32767)
		87	return NullPixmap;
86	datasize = height * paddedWidth * depth;	88	datasize = height * paddedWidth * depth;
87	pPixmap = AllocatePixmap(pScreen, datasize);	89	pPixmap = AllocatePixmap(pScreen, datasize);
88	if (!pPixmap)	90	if (!pPixmap)

Lines 78-89 iplCreatePixmap (pScreen, width, height, Link Here

(-)programs/Xserver/iplan2p4/iplpixmap.c (-2 / +4 lines)
78	int depth;	78	int depth;
79	{	79	{
80	PixmapPtr pPixmap;	80	PixmapPtr pPixmap;
81	int datasize;	81	size_t datasize;
82	int paddedWidth;	82	size_t paddedWidth;
83	int ipad=INTER_PLANES*2 - 1;	83	int ipad=INTER_PLANES*2 - 1;
84		84
85	paddedWidth = PixmapBytePad(width, depth);	85	paddedWidth = PixmapBytePad(width, depth);
86	paddedWidth = (paddedWidth + ipad) & ~ipad;	86	paddedWidth = (paddedWidth + ipad) & ~ipad;
		87	if (paddedWidth > 32767 \|\| height > 32767)
		88	return NullPixmap;
87	datasize = height * paddedWidth;	89	datasize = height * paddedWidth;
88	pPixmap = AllocatePixmap(pScreen, datasize);	90	pPixmap = AllocatePixmap(pScreen, datasize);
89	if (!pPixmap)	91	if (!pPixmap)

Lines 75-85 mfbCreatePixmap (pScreen, width, height, Link Here

(-)programs/Xserver/mfb/mfbpixmap.c (-2 / +4 lines)
75	int depth;	75	int depth;
76	{	76	{
77	PixmapPtr pPixmap;	77	PixmapPtr pPixmap;
78	int datasize;	78	size_t datasize;
79	int paddedWidth;	79	size_t paddedWidth;
80		80
81	if (depth != 1)	81	if (depth != 1)
82	return NullPixmap;	82	return NullPixmap;
		83	if (width > 32767 \|\| height > 32767)
		84	return NullPixmap;
83	paddedWidth = BitmapBytePad(width);	85	paddedWidth = BitmapBytePad(width);
84	datasize = height * paddedWidth;	86	datasize = height * paddedWidth;
85	pPixmap = AllocatePixmap(pScreen, datasize);	87	pPixmap = AllocatePixmap(pScreen, datasize);

Return to bug 113227

Lines 1483-1488 ProcCreatePixmap(register ClientPtr clie Link Here

(-)programs/Xserver/dix/dispatch.c (+17 lines)
1483	client->errorValue = 0;	1483	client->errorValue = 0;
1484	return BadValue;	1484	return BadValue;
1485	}	1485	}
		1486	if (stuff->width > 32767 \|\| stuff->height > 32767)
		1487	{
		1488	/* It is allowed to try and allocate a pixmap which is larger than
		1489	* 32767 in either dimension. However, all of the framebuffer code
		1490	* is buggy and does not reliably draw to such big pixmaps, basically
		1491	* because the Region data structure operates with signed shorts
		1492	* for the rectangles in it.
		1493	*
		1494	* Furthermore, several places in the X server computes the
		1495	* size in bytes of the pixmap and tries to store it in an
		1496	* integer. This integer can overflow and cause the allocated size
		1497	* to be much smaller.
		1498	*
		1499	* So, such big pixmaps are rejected here with a BadAlloc
		1500	*/
		1501	return BadAlloc;
		1502	}
1486	if (stuff->depth != 1)	1503	if (stuff->depth != 1)
1487	{	1504	{
1488	pDepth = pDraw->pScreen->allowedDepths;	1505	pDepth = pDraw->pScreen->allowedDepths;

Lines 89-102 xf4bppCreatePixmap( pScreen, width, heig Link Here

(-)programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c (-1 / +5 lines)
89	int depth ;	89	int depth ;
90	{	90	{
91	register PixmapPtr pPixmap = (PixmapPtr)NULL;	91	register PixmapPtr pPixmap = (PixmapPtr)NULL;
92	int size ;	92	size_t size ;
93		93
94	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;	94	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
95		95
96	if ( depth > 8 )	96	if ( depth > 8 )
97	return (PixmapPtr) NULL ;	97	return (PixmapPtr) NULL ;
98		98
		99	if (width > 32767 \|\| height > 32767)
		100	return (PixmapPtr) NULL ;
		101
99	size = PixmapBytePad(width, depth);	102	size = PixmapBytePad(width, depth);
		103
100	pPixmap = AllocatePixmap (pScreen, (height * size));	104	pPixmap = AllocatePixmap (pScreen, (height * size));
101		105
102	if ( !pPixmap )	106	if ( !pPixmap )