From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001

From: Keith Packard <keithp@keithp.com>

Date: Sat, 3 Jan 2015 08:46:45 -0800

Subject: [PATCH] dix: Allow zero-height PutImage requests

The length checking code validates PutImage height and byte width by

making sure that byte-width >= INT32_MAX / height. If height is zero,

this generates a divide by zero exception. Allow zero height requests

explicitly, bypassing the INT32_MAX check.

Signed-off-by: Keith Packard <keithp@keithp.com>

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

---

dix/dispatch.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dix/dispatch.c b/dix/dispatch.c

index 55b978d..9044ac7 100644

--- a/dix/dispatch.c

+++ b/dix/dispatch.c

@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)

tmpImage = (char *) &stuff[1];

lengthProto = length;

- if (lengthProto >= (INT32_MAX / stuff->height))

+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))

return BadLength;

if ((bytes_to_int32(lengthProto * stuff->height) +

--

1.7.9.2