[cairo-commit] 2 commits - src/cairo-xlib-private.h src/cairo-xlib-surface.c src/cairo-xlib-surface-shm.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Jan 19 11:07:56 UTC 2021 

 src/cairo-xlib-private.h     |    2 ++
 src/cairo-xlib-surface-shm.c |    3 +++
 src/cairo-xlib-surface.c     |    2 --
 3 files changed, 5 insertions(+), 2 deletions(-)

New commits:
commit 01f38097a5eed340aab9d3e626864424482b34a5
Merge: d49d85581 81806c011
Author: Heiko Lewin <hlewin at gmx.de>
Date:   Tue Jan 19 11:07:54 2021 +0000

    cairo-xlib: Check for maximum surface size

commit 81806c01112bc504d96d79f969f229e27625344f
Author: Uli Schlachter <psychon at znc.in>
Date:   Wed Jan 13 16:36:33 2021 +0100

    cairo-xlib: Check for maximum surface size
    
    X11 use uint16_t for the width/height of things. Anything too large will
    be truncated when sending the request to the X11 server. This commit
    adds a size check to a function that did not check things and then later
    caused a segmentation fault.
    
    Not adding a test case because the test case from the below bug report
    allocates 3,5 GiB of memory, which I find too much for a test.
    
    Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/414
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-xlib-private.h b/src/cairo-xlib-private.h
index 71dccc3a7..8e338aea6 100644
--- a/src/cairo-xlib-private.h
+++ b/src/cairo-xlib-private.h
@@ -65,6 +65,8 @@ typedef struct _cairo_xlib_surface cairo_xlib_surface_t;
 #define RAMP_SIZE 16
 /* maximum number of cached GC's */
 #define GC_CACHE_SIZE 4
+/* maximum width/height of an X11 drawable */
+#define XLIB_COORD_MAX 32767
 
 struct _cairo_xlib_display {
     cairo_device_t base;
diff --git a/src/cairo-xlib-surface-shm.c b/src/cairo-xlib-surface-shm.c
index 1ee1e3d70..ccdaf4cbc 100644
--- a/src/cairo-xlib-surface-shm.c
+++ b/src/cairo-xlib-surface-shm.c
@@ -809,6 +809,9 @@ _cairo_xlib_shm_surface_create (cairo_xlib_surface_t *other,
     pixman_image_t *image;
     int stride, size;
 
+    if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX)
+	return NULL;
+
     stride = CAIRO_STRIDE_FOR_WIDTH_BPP (width, PIXMAN_FORMAT_BPP(format));
     size = stride * height;
     if (size < MIN_SIZE)
diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
index 2a6d896d3..7d368a8ba 100644
--- a/src/cairo-xlib-surface.c
+++ b/src/cairo-xlib-surface.c
@@ -72,8 +72,6 @@
 #include <sys/ipc.h>
 #include <sys/shm.h>
 
-#define XLIB_COORD_MAX 32767
-
 #define DEBUG 0
 
 #if DEBUG

More information about the cairo-commit mailing list