Attachment #49158 for bug #113227

View | Details | Raw Unified | Return to bug 113227
Collapse All | Expand All

Lines 77-86 afbCreatePixmap(pScreen, width, height, Link Here

(-)xc/programs/Xserver/afb/afbpixmap.c (-2 / +6 lines)
77	int depth;	77	int depth;
78	{	78	{
79	PixmapPtr pPixmap;	79	PixmapPtr pPixmap;
80	int datasize;	80	size_t datasize;
81	int paddedWidth;	81	size_t paddedWidth;
82	paddedWidth = BitmapBytePad(width);	82	paddedWidth = BitmapBytePad(width);
		83
		84	if (paddedWidth > 32767 \|\| height > 32767 \|\| depth > 4)
		85	return NullPixmap;
		86
83	datasize = height * paddedWidth * depth;	87	datasize = height * paddedWidth * depth;
84	pPixmap = AllocatePixmap(pScreen, datasize);	88	pPixmap = AllocatePixmap(pScreen, datasize);
85	if (!pPixmap)	89	if (!pPixmap)

Lines 72-81 cfbCreatePixmap (pScreen, width, height, Link Here

(-)xc/programs/Xserver/cfb/cfbpixmap.c (-2 / +5 lines)
72	int depth;	72	int depth;
73	{	73	{
74	PixmapPtr pPixmap;	74	PixmapPtr pPixmap;
75	int datasize;	75	size_t datasize;
76	int paddedWidth;	76	size_t paddedWidth;
77	paddedWidth = PixmapBytePad(width, depth);	77	paddedWidth = PixmapBytePad(width, depth);
		78
		79	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		80	return NullPixmap;
78	datasize = height * paddedWidth;	81	datasize = height * paddedWidth;
79	pPixmap = AllocatePixmap(pScreen, datasize);	82	pPixmap = AllocatePixmap(pScreen, datasize);
80	if (!pPixmap)	83	if (!pPixmap)




	client->errorValue = 0;
        return BadValue;
    }
    if (stuff->width > 32767 || stuff->height > 32767)
    {
	/* It is allowed to try and allocate a pixmap which is larger than
	 * 32767 in either dimension. However, all of the framebuffer code
	 * is buggy and does not reliably draw to such big pixmaps, basically
	 * because the Region data structure operates with signed shorts
	 * for the rectangles in it.
	 *
	 * Furthermore, several places in the X server computes the
	 * size in bytes of the pixmap and tries to store it in an
	 * integer. This integer can overflow and cause the allocated size
	 * to be much smaller.
	 *
	 * So, such big pixmaps are rejected here with a BadAlloc
	 */
	return BadAlloc;
    }
    if (stuff->depth != 1)
    {
        pDepth = pDraw->pScreen->allowedDepths;

Lines 116-123 AllocatePixmap(ScreenPtr pScreen, int pi Link Here

(-)xc/programs/Xserver/dix/pixmap.c (+4 lines)
116	DevUnion *ppriv;	116	DevUnion *ppriv;
117	unsigned *sizes;	117	unsigned *sizes;
118	unsigned size;	118	unsigned size;
		119	size_t alloc;
119	int i;	120	int i;
		121	if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)
		122	return NullPixmap;
		123
120	pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);	124	pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);
121	if (!pPixmap)	125	if (!pPixmap)
122	return NullPixmap;	126	return NullPixmap;

Lines 36-47 PixmapPtr Link Here

(-)xc/programs/Xserver/fb/fbpixmap.c (-2 / +4 lines)
36	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth,	36	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth,
37	{	37	{
38	PixmapPtr pPixmap;	38	PixmapPtr pPixmap;
39	int datasize;	39	size_t datasize;
40	int paddedWidth;	40	size_t paddedWidth;
41	int adjust;	41	int adjust;
42	int base;	42	int base;
43	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);	43	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
		44	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		45	return NullPixmap;
44	datasize = height * paddedWidth;	46	datasize = height * paddedWidth;
45	#ifdef PIXPRIV	47	#ifdef PIXPRIV
46	base = pScreen->totalPixmapSize;	48	base = pScreen->totalPixmapSize;

Lines 502-507 XAACreatePixmap(ScreenPtr pScreen, int w Link Here

(-)xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c (+3 lines)
502	XAAPixmapPtr pPriv;	502	XAAPixmapPtr pPriv;
503	PixmapPtr pPix = NULL;	503	PixmapPtr pPix = NULL;
504	int size = w * h;	504	int size = w * h;
		505
		506	if (w > 32767 \|\| h > 32767)
		507	return NullPixmap;
505	if (!infoRec->offscreenDepthsInitialized)	508	if (!infoRec->offscreenDepthsInitialized)
506	XAAInitializeOffscreenDepths (pScreen);	509	XAAInitializeOffscreenDepths (pScreen);

Lines 89-95 xf4bppCreatePixmap( pScreen, width, heig Link Here

(-)xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c (-1 / +5 lines)
89	int depth ;	89	int depth ;
90	{	90	{
91	register PixmapPtr pPixmap = (PixmapPtr)NULL;	91	register PixmapPtr pPixmap = (PixmapPtr)NULL;
92	int size ;	92	size_t size ;
93	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d,	93	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d,
Lines 97-102 xf4bppCreatePixmap( pScreen, width, heig Link Here
97	return (PixmapPtr) NULL ;	97	return (PixmapPtr) NULL ;
98	size = PixmapBytePad(width, depth);	98	size = PixmapBytePad(width, depth);
		99
		100	if (size / 4 > 32767 \|\| height > 32767)
		101	return (PixmapPtr) NULL ;
		102
99	pPixmap = AllocatePixmap (pScreen, (height * size));	103	pPixmap = AllocatePixmap (pScreen, (height * size));
100	if ( !pPixmap )	104	if ( !pPixmap )

Lines 79-88 ilbmCreatePixmap(pScreen, width, height, Link Here

(-)xc/programs/Xserver/ilbm/ilbmpixmap.c (-2 / +4 lines)
79	int depth;	79	int depth;
80	{	80	{
81	PixmapPtr pPixmap;	81	PixmapPtr pPixmap;
82	int datasize;	82	size_t datasize;
83	int paddedWidth;	83	size_t paddedWidth;
84	paddedWidth = BitmapBytePad(width);	84	paddedWidth = BitmapBytePad(width);
		85	if (paddedWidth > 32767 \|\| height > 32767 \|\| depth > 4)
		86	return NullPixmap;
85	datasize = height * paddedWidth * depth;	87	datasize = height * paddedWidth * depth;
86	pPixmap = AllocatePixmap(pScreen, datasize);	88	pPixmap = AllocatePixmap(pScreen, datasize);
87	if (!pPixmap)	89	if (!pPixmap)

Lines 78-89 iplCreatePixmap (pScreen, width, height, Link Here

(-)xc/programs/Xserver/iplan2p4/iplpixmap.c (-2 / +4 lines)
78	int depth;	78	int depth;
79	{	79	{
80	PixmapPtr pPixmap;	80	PixmapPtr pPixmap;
81	int datasize;	81	size_t datasize;
82	int paddedWidth;	82	size_t paddedWidth;
83	int ipad=INTER_PLANES*2 - 1;	83	int ipad=INTER_PLANES*2 - 1;
84	paddedWidth = PixmapBytePad(width, depth);	84	paddedWidth = PixmapBytePad(width, depth);
85	paddedWidth = (paddedWidth + ipad) & ~ipad;	85	paddedWidth = (paddedWidth + ipad) & ~ipad;
		86	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		87	return NullPixmap;
86	datasize = height * paddedWidth;	88	datasize = height * paddedWidth;
87	pPixmap = AllocatePixmap(pScreen, datasize);	89	pPixmap = AllocatePixmap(pScreen, datasize);
88	if (!pPixmap)	90	if (!pPixmap)

Lines 75-86 mfbCreatePixmap (pScreen, width, height, Link Here

(-)xc/programs/Xserver/mfb/mfbpixmap.c (-2 / +4 lines)
75	int depth;	75	int depth;
76	{	76	{
77	PixmapPtr pPixmap;	77	PixmapPtr pPixmap;
78	int datasize;	78	size_t datasize;
79	int paddedWidth;	79	size_t paddedWidth;
80	if (depth != 1)	80	if (depth != 1)
81	return NullPixmap;	81	return NullPixmap;
82	paddedWidth = BitmapBytePad(width);	82	paddedWidth = BitmapBytePad(width);
		83	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		84	return NullPixmap;
83	datasize = height * paddedWidth;	85	datasize = height * paddedWidth;
84	pPixmap = AllocatePixmap(pScreen, datasize);	86	pPixmap = AllocatePixmap(pScreen, datasize);
85	if (!pPixmap)	87	if (!pPixmap)

Return to bug 113227

Lines 1483-1488 ProcCreatePixmap(register ClientPtr clie Link Here

(-)xc/programs/Xserver/dix/dispatch.c (+17 lines)
1483	client->errorValue = 0;	1483	client->errorValue = 0;
1484	return BadValue;	1484	return BadValue;
1485	}	1485	}
		1486	if (stuff->width > 32767 \|\| stuff->height > 32767)
		1487	{
		1488	/* It is allowed to try and allocate a pixmap which is larger than
		1489	* 32767 in either dimension. However, all of the framebuffer code
		1490	* is buggy and does not reliably draw to such big pixmaps, basically
		1491	* because the Region data structure operates with signed shorts
		1492	* for the rectangles in it.
		1493	*
		1494	* Furthermore, several places in the X server computes the
		1495	* size in bytes of the pixmap and tries to store it in an
		1496	* integer. This integer can overflow and cause the allocated size
		1497	* to be much smaller.
		1498	*
		1499	* So, such big pixmaps are rejected here with a BadAlloc
		1500	*/
		1501	return BadAlloc;
		1502	}
1486	if (stuff->depth != 1)	1503	if (stuff->depth != 1)
1487	{	1504	{
1488	pDepth = pDraw->pScreen->allowedDepths;	1505	pDepth = pDraw->pScreen->allowedDepths;