Attachment #49778 for bug #113227

View | Details | Raw Unified | Return to bug 113227
Collapse All | Expand All

Lines 77-86 Link Here

(-)programs/Xserver/afb/afbpixmap.c (-2 / +6 lines)
77	int depth;	77	int depth;
78	{	78	{
79	PixmapPtr pPixmap;	79	PixmapPtr pPixmap;
80	int datasize;	80	size_t datasize;
81	int paddedWidth;	81	size_t paddedWidth;
82		82
83	paddedWidth = BitmapBytePad(width);	83	paddedWidth = BitmapBytePad(width);
		84
		85	if (paddedWidth > 32767 \|\| height > 32767 \|\| depth > 4)
		86	return NullPixmap;
		87
84	datasize = height * paddedWidth * depth;	88	datasize = height * paddedWidth * depth;
85	pPixmap = AllocatePixmap(pScreen, datasize);	89	pPixmap = AllocatePixmap(pScreen, datasize);
86	if (!pPixmap)	90	if (!pPixmap)

Lines 72-81 Link Here

(-)programs/Xserver/cfb/cfbpixmap.c (-2 / +5 lines)
72	int depth;	72	int depth;
73	{	73	{
74	PixmapPtr pPixmap;	74	PixmapPtr pPixmap;
75	int datasize;	75	size_t datasize;
76	int paddedWidth;	76	size_t paddedWidth;
77		77
78	paddedWidth = PixmapBytePad(width, depth);	78	paddedWidth = PixmapBytePad(width, depth);
		79
		80	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		81	return NullPixmap;
79	datasize = height * paddedWidth;	82	datasize = height * paddedWidth;
80	pPixmap = AllocatePixmap(pScreen, datasize);	83	pPixmap = AllocatePixmap(pScreen, datasize);
81	if (!pPixmap)	84	if (!pPixmap)




	client->errorValue = 0;
        return BadValue;
    }
    if (stuff->width > 32767 || stuff->height > 32767)
    {
	/* It is allowed to try and allocate a pixmap which is larger than
	 * 32767 in either dimension. However, all of the framebuffer code
	 * is buggy and does not reliably draw to such big pixmaps, basically
	 * because the Region data structure operates with signed shorts
	 * for the rectangles in it.
	 *
	 * Furthermore, several places in the X server computes the
	 * size in bytes of the pixmap and tries to store it in an
	 * integer. This integer can overflow and cause the allocated size
	 * to be much smaller.
	 *
	 * So, such big pixmaps are rejected here with a BadAlloc
	 */
	return BadAlloc;
    }
    if (stuff->depth != 1)
    {
        pDepth = pDraw->pScreen->allowedDepths;

Lines 118-123 Link Here

(-)programs/Xserver/dix/pixmap.c (+3 lines)
118	unsigned size;	118	unsigned size;
119	int i;	119	int i;
120		120
		121	if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)
		122	return NullPixmap;
		123
121	pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);	124	pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);
122	if (!pPixmap)	125	if (!pPixmap)
123	return NullPixmap;	126	return NullPixmap;

Lines 36-47 Link Here

(-)programs/Xserver/fb/fbpixmap.c (-2 / +4 lines)
36	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)	36	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
37	{	37	{
38	PixmapPtr pPixmap;	38	PixmapPtr pPixmap;
39	int datasize;	39	size_t datasize;
40	int paddedWidth;	40	size_t paddedWidth;
41	int adjust;	41	int adjust;
42	int base;	42	int base;
43		43
44	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);	44	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
		45	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		46	return NullPixmap;
45	datasize = height * paddedWidth;	47	datasize = height * paddedWidth;
46	#ifdef PIXPRIV	48	#ifdef PIXPRIV
47	base = pScreen->totalPixmapSize;	49	base = pScreen->totalPixmapSize;

Lines 376-381 Link Here

(-)programs/Xserver/hw/xfree86/exa/exa.c (+3 lines)
376	ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);	376	ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);
377	ExaScreenPriv(pScreen);	377	ExaScreenPriv(pScreen);
378		378
		379	if (w > 32767 \|\| h > 32767)
		380	return NullPixmap;
		381
379	if (!pScrn->vtSema \|\| pExaScr->swappedOut) {	382	if (!pScrn->vtSema \|\| pExaScr->swappedOut) {
380	pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);	383	pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);
381	} else {	384	} else {

Lines 502-507 Link Here

(-)programs/Xserver/hw/xfree86/xaa/xaaInit.c (+3 lines)
502	XAAPixmapPtr pPriv;	502	XAAPixmapPtr pPriv;
503	PixmapPtr pPix = NULL;	503	PixmapPtr pPix = NULL;
504	int size = w * h;	504	int size = w * h;
		505
		506	if (w > 32767 \|\| h > 32767)
		507	return NullPixmap;
505		508
506	if (!infoRec->offscreenDepthsInitialized)	509	if (!infoRec->offscreenDepthsInitialized)
507	XAAInitializeOffscreenDepths (pScreen);	510	XAAInitializeOffscreenDepths (pScreen);

Lines 89-95 Link Here

(-)programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c (-1 / +5 lines)
89	int depth ;	89	int depth ;
90	{	90	{
91	register PixmapPtr pPixmap = (PixmapPtr)NULL;	91	register PixmapPtr pPixmap = (PixmapPtr)NULL;
92	int size ;	92	size_t size ;
93		93
94	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;	94	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
95		95
Lines 97-102 Link Here
97	return (PixmapPtr) NULL ;	97	return (PixmapPtr) NULL ;
98		98
99	size = PixmapBytePad(width, depth);	99	size = PixmapBytePad(width, depth);
		100
		101	if (size / 4 > 32767 \|\| height > 32767)
		102	return (PixmapPtr) NULL ;
		103
100	pPixmap = AllocatePixmap (pScreen, (height * size));	104	pPixmap = AllocatePixmap (pScreen, (height * size));
101		105
102	if ( !pPixmap )	106	if ( !pPixmap )

Lines 79-88 Link Here

(-)programs/Xserver/ilbm/ilbmpixmap.c (-2 / +4 lines)
79	int depth;	79	int depth;
80	{	80	{
81	PixmapPtr pPixmap;	81	PixmapPtr pPixmap;
82	int datasize;	82	size_t datasize;
83	int paddedWidth;	83	size_t paddedWidth;
84		84
85	paddedWidth = BitmapBytePad(width);	85	paddedWidth = BitmapBytePad(width);
		86	if (paddedWidth > 32767 \|\| height > 32767 \|\| depth > 4)
		87	return NullPixmap;
86	datasize = height * paddedWidth * depth;	88	datasize = height * paddedWidth * depth;
87	pPixmap = AllocatePixmap(pScreen, datasize);	89	pPixmap = AllocatePixmap(pScreen, datasize);
88	if (!pPixmap)	90	if (!pPixmap)

Lines 78-89 Link Here

(-)programs/Xserver/iplan2p4/iplpixmap.c (-2 / +4 lines)
78	int depth;	78	int depth;
79	{	79	{
80	PixmapPtr pPixmap;	80	PixmapPtr pPixmap;
81	int datasize;	81	size_t datasize;
82	int paddedWidth;	82	size_t paddedWidth;
83	int ipad=INTER_PLANES*2 - 1;	83	int ipad=INTER_PLANES*2 - 1;
84		84
85	paddedWidth = PixmapBytePad(width, depth);	85	paddedWidth = PixmapBytePad(width, depth);
86	paddedWidth = (paddedWidth + ipad) & ~ipad;	86	paddedWidth = (paddedWidth + ipad) & ~ipad;
		87	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		88	return NullPixmap;
87	datasize = height * paddedWidth;	89	datasize = height * paddedWidth;
88	pPixmap = AllocatePixmap(pScreen, datasize);	90	pPixmap = AllocatePixmap(pScreen, datasize);
89	if (!pPixmap)	91	if (!pPixmap)

Lines 75-86 Link Here

(-)programs/Xserver/mfb/mfbpixmap.c (-2 / +4 lines)
75	int depth;	75	int depth;
76	{	76	{
77	PixmapPtr pPixmap;	77	PixmapPtr pPixmap;
78	int datasize;	78	size_t datasize;
79	int paddedWidth;	79	size_t paddedWidth;
80		80
81	if (depth != 1)	81	if (depth != 1)
82	return NullPixmap;	82	return NullPixmap;
83	paddedWidth = BitmapBytePad(width);	83	paddedWidth = BitmapBytePad(width);
		84	if (paddedWidth / 4 > 32767 \|\| height > 32767)
		85	return NullPixmap;
84	datasize = height * paddedWidth;	86	datasize = height * paddedWidth;
85	pPixmap = AllocatePixmap(pScreen, datasize);	87	pPixmap = AllocatePixmap(pScreen, datasize);
86	if (!pPixmap)	88	if (!pPixmap)

Return to bug 113227

Lines 1483-1488 Link Here

(-)programs/Xserver/dix/dispatch.c (+17 lines)
1483	client->errorValue = 0;	1483	client->errorValue = 0;
1484	return BadValue;	1484	return BadValue;
1485	}	1485	}
		1486	if (stuff->width > 32767 \|\| stuff->height > 32767)
		1487	{
		1488	/* It is allowed to try and allocate a pixmap which is larger than
		1489	* 32767 in either dimension. However, all of the framebuffer code
		1490	* is buggy and does not reliably draw to such big pixmaps, basically
		1491	* because the Region data structure operates with signed shorts
		1492	* for the rectangles in it.
		1493	*
		1494	* Furthermore, several places in the X server computes the
		1495	* size in bytes of the pixmap and tries to store it in an
		1496	* integer. This integer can overflow and cause the allocated size
		1497	* to be much smaller.
		1498	*
		1499	* So, such big pixmaps are rejected here with a BadAlloc
		1500	*/
		1501	return BadAlloc;
		1502	}
1486	if (stuff->depth != 1)	1503	if (stuff->depth != 1)
1487	{	1504	{
1488	pDepth = pDraw->pScreen->allowedDepths;	1505	pDepth = pDraw->pScreen->allowedDepths;