Looking at ProcShmGetImage() there's a bunch of checking for out-of-bounds
coordinates, but ProcShmPutImage() lacks this checking.
Is this patch reasonable or too much (it does fix the problem) but I'm
wondering if the bounds are too strict for PutImage ?
Alan.
Index: shm.c
===================================================================
RCS file: /X11R6/x-cvs/xc/programs/Xserver/Xext/shm.c,v
retrieving revision 3.40
diff -u -r3.40 shm.c
--- shm.c 17 Nov 2003 22:20:27 -0000 3.40
+++ shm.c 18 Dec 2003 14:17:07 -0000
@@ -815,6 +815,34 @@
REQUEST_SIZE_MATCH(xShmPutImageReq);
VALIDATE_DRAWABLE_AND_GC(stuff->drawable, pDraw, pGC, client);
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, FALSE, shmdesc, client);
+ if (pDraw->type == DRAWABLE_WINDOW)
+ {
+ if( /* check for being viewable */
+ !((WindowPtr) pDraw)->realized ||
+ /* check for being on screen */
+ pDraw->x + stuff->dstX < 0 ||
+ pDraw->x + stuff->dstX + (int)stuff->srcWidth > pDraw->pScreen->width ||
+ pDraw->y + stuff->dstY < 0 ||
+ pDraw->y + stuff->dstY + (int)stuff->srcHeight > pDraw->pScreen->height ||
+ /* check for being inside of border */
+ stuff->dstX < - wBorderWidth((WindowPtr)pDraw) ||
+ stuff->dstX + (int)stuff->srcWidth >
+ wBorderWidth((WindowPtr)pDraw) + (int)pDraw->width ||
+ stuff->dstY < -wBorderWidth((WindowPtr)pDraw) ||
+ stuff->dstY + (int)stuff->srcHeight >
+ wBorderWidth((WindowPtr)pDraw) + (int)pDraw->height
+ )
+ return(BadMatch);
+ }
+ else
+ {
+ if (stuff->dstX < 0 ||
+ stuff->dstX+(int)stuff->srcWidth > pDraw->width ||
+ stuff->dstY < 0 ||
+ stuff->dstY+(int)stuff->srcHeight > pDraw->height
+ )
+ return(BadMatch);
+ }
if ((stuff->sendEvent != xTrue) && (stuff->sendEvent != xFalse))
return BadValue;
if (stuff->format == XYBitmap)
_______________________________________________
Devel mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/devel
