Looking at ProcShmGetImage() there's a bunch of checking for out-of-bounds coordinates, but ProcShmPutImage() lacks this checking.
Is this patch reasonable or too much (it does fix the problem) but I'm wondering if the bounds are too strict for PutImage ? Alan. Index: shm.c =================================================================== RCS file: /X11R6/x-cvs/xc/programs/Xserver/Xext/shm.c,v retrieving revision 3.40 diff -u -r3.40 shm.c --- shm.c 17 Nov 2003 22:20:27 -0000 3.40 +++ shm.c 18 Dec 2003 14:17:07 -0000 @@ -815,6 +815,34 @@ REQUEST_SIZE_MATCH(xShmPutImageReq); VALIDATE_DRAWABLE_AND_GC(stuff->drawable, pDraw, pGC, client); VERIFY_SHMPTR(stuff->shmseg, stuff->offset, FALSE, shmdesc, client); + if (pDraw->type == DRAWABLE_WINDOW) + { + if( /* check for being viewable */ + !((WindowPtr) pDraw)->realized || + /* check for being on screen */ + pDraw->x + stuff->dstX < 0 || + pDraw->x + stuff->dstX + (int)stuff->srcWidth > pDraw->pScreen->width || + pDraw->y + stuff->dstY < 0 || + pDraw->y + stuff->dstY + (int)stuff->srcHeight > pDraw->pScreen->height || + /* check for being inside of border */ + stuff->dstX < - wBorderWidth((WindowPtr)pDraw) || + stuff->dstX + (int)stuff->srcWidth > + wBorderWidth((WindowPtr)pDraw) + (int)pDraw->width || + stuff->dstY < -wBorderWidth((WindowPtr)pDraw) || + stuff->dstY + (int)stuff->srcHeight > + wBorderWidth((WindowPtr)pDraw) + (int)pDraw->height + ) + return(BadMatch); + } + else + { + if (stuff->dstX < 0 || + stuff->dstX+(int)stuff->srcWidth > pDraw->width || + stuff->dstY < 0 || + stuff->dstY+(int)stuff->srcHeight > pDraw->height + ) + return(BadMatch); + } if ((stuff->sendEvent != xTrue) && (stuff->sendEvent != xFalse)) return BadValue; if (stuff->format == XYBitmap) _______________________________________________ Devel mailing list [EMAIL PROTECTED] http://XFree86.Org/mailman/listinfo/devel