Here's a patch that bypasses the INT32_MAX check, allowing zero-height PutImage requests.
From 6dc2634aee9023ac9d20dc06a76d9fa1f03ff2cd Mon Sep 17 00:00:00 2001 From: Keith Packard <kei...@keithp.com> Date: Sat, 3 Jan 2015 08:46:45 -0800 Subject: [PATCH] dix: Allow zero-height PutImage requests The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Signed-off-by: Keith Packard <kei...@keithp.com> --- dix/dispatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dix/dispatch.c b/dix/dispatch.c index 55b978d..9044ac7 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; - if (lengthProto >= (INT32_MAX / stuff->height)) + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength; if ((bytes_to_int32(lengthProto * stuff->height) + -- 2.1.4
-- -keith
signature.asc
Description: PGP signature