Re: Crashing X

From: Matthieu Herrb (matthieu.herrbat_private)
Date: Sat Dec 08 2001 - 12:13:20 PST


    You wrote (in your message from Friday 7)
     > 
     > The vuln-dev Message-ID is <3B822F5F.99227A5Fat_private>. I saw a fix
     > for it on September 16th, so I'm rather hoping XFree86 releases newer
     > than that have the fix integrated.
     > 
    
    This has indeed been reported several times to XFree86 since last
    September.
    
    The patch that is in current XFree86 and in the 4_1_0 branch is
    appended below. I have reports that it does not fix all possible cases
    of crashes, but I cannot reproduce any crashes with this patch.
    Maybe someone can provide more details here (stack trace, ...)?
    
    				Matthieu Herrb
    
    Index: fbglyph.c
    ===================================================================
    RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
    retrieving revision 1.11
    retrieving revision 1.12
    diff -u -r1.11 -r1.12
    --- fbglyph.c	2001/05/29 04:54:09	1.11
    +++ fbglyph.c	2001/09/07 15:16:00	1.12
    @@ -34,9 +34,19 @@
     	   int		height)
     {
         BoxRec  box;
    +    BoxPtr  pExtents = REGION_EXTENTS (0, pRegion);
     
    -    if (x + width < 0) return FALSE;
    -    if (y + height < 0) return FALSE;
    +    /*
    +     * Check extents by hand to avoid 16 bit overflows
    +     */
    +    if (x < (int) pExtents->x1) 
    +	return FALSE;
    +    if ((int) pExtents->x2 < x + width) 
    +	return FALSE;
    +    if (y < (int) pExtents->y1)
    +	return FALSE;
    +    if ((int) pExtents->y2 < y + height)
    +	return FALSE;
         box.x1 = x;
         box.x2 = x + width;
         box.y1 = y;
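Review bot: the new bounds test does not reject a negative or zero width/height, so with width < 0 the test `(int) pExtents->x2 < x + width` is weaker than the old `x + width < 0` and an inverted box (box.x2 < box.x1) can still be built from the assignments below; if such values can reach this function, add `if (width <= 0 || height <= 0) return FALSE;` ahead of the extents checks. The comment "Check extents by hand to avoid 16 bit overflows" should also say why the comparison is done in int here: x + width is later stored into box.x2, which is a narrower field than int, so the range check has to happen before that truncation. Finally, returning FALSE whenever the glyph merely crosses the extents is only right if FALSE means "fall back to the general path" rather than "skip drawing"; a one-line comment stating which it is would make that explicit.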
    @@ -261,10 +271,10 @@
     			      FbBits,
     			      int,
     			      int);
    -    FbBits	    *dst;
    -    FbStride	    dstStride;
    -    int		    dstBpp;
    -    int		    dstXoff, dstYoff;
    +    FbBits	    *dst = 0;
    +    FbStride	    dstStride = 0;
    +    int		    dstBpp = 0;
    +    int		    dstXoff = 0, dstYoff = 0;
         
         glyph = 0;
         if (pGC->fillStyle == FillSolid && pPriv->and == 0)
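Review bot: initialising dst, dstStride, dstBpp, dstXoff and dstYoff to 0 silences the uninitialised-variable warning and turns a stray use on the path where they are never assigned into a NULL dereference instead of a wild pointer, but it does not remove that path: the context shows they are only set under `if (pGC->fillStyle == FillSolid && pPriv->and == 0)` together with `glyph`. Either guard every later use of dst with the same condition (or with `glyph != 0`) or add a comment stating that dst is only valid when glyph is non-zero, so a reviewer can see the invariant rather than infer it from the zero initialisers.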
    @@ -352,10 +362,10 @@
     			      FbBits,
     			      int,
     			      int);
    -    FbBits	    *dst;
    -    FbStride	    dstStride;
    -    int		    dstBpp;
    -    int		    dstXoff, dstYoff;
    +    FbBits	    *dst = 0;
    +    FbStride	    dstStride = 0;
    +    int		    dstBpp = 0;
    +    int		    dstXoff = 0, dstYoff = 0;
         
         glyph = 0;
         if (pPriv->and == 0)
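Review bot: same pattern as the hunk above, now keyed on `if (pPriv->and == 0)`: the zero initialisers of dst, dstStride, dstBpp, dstXoff and dstYoff make a misuse deterministic (NULL rather than garbage) but do not show that the variables are only meaningful when glyph is set. Add the `glyph != 0` guard or an explicit comment at the point of use; if the two functions really share this setup, factoring it into one helper would avoid fixing the same bug twice.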
    



    This archive was generated by hypermail 2b30 : Sat Dec 08 2001 - 12:24:10 PST