xorg-server/files/0.99.1-r10_CAN-2005-2495.patch

diff -urN afb/afbpixmap.c afb/afbpixmap.c
--- afb/afbpixmap.c     2005-08-26 15:35:33.000000000 -0400
+++ afb/afbpixmap.c     2005-08-26 14:09:24.000000000 -0400
@@ -77,10 +77,14 @@
        int                             depth;
 {
        PixmapPtr pPixmap;
-       int datasize;
-       int paddedWidth;
+       size_t datasize;
+       size_t paddedWidth;
 
        paddedWidth = BitmapBytePad(width);
+
+       if (paddedWidth > 32767 || height > 32767)
+               return NullPixmap;
+
        datasize = height * paddedWidth * depth;
        pPixmap = AllocatePixmap(pScreen, datasize);
        if (!pPixmap)
diff -urN cfb/cfbpixmap.c cfb/cfbpixmap.c
--- cfb/cfbpixmap.c     2005-08-26 15:35:33.000000000 -0400
+++ cfb/cfbpixmap.c     2005-08-26 14:10:14.000000000 -0400
@@ -68,10 +68,14 @@
     int                depth;
 {
     PixmapPtr pPixmap;
-    int datasize;
-    int paddedWidth;
+    size_t datasize;
+    size_t paddedWidth;
 
     paddedWidth = PixmapBytePad(width, depth);
+
+       if (paddedWidth > 32767 || height > 32767)
+               return NullPixmap;
+
     datasize = height * paddedWidth;
     pPixmap = AllocatePixmap(pScreen, datasize);
     if (!pPixmap)
diff -urN dix/dispatch.c dix/dispatch.c
--- dix/dispatch.c      2004-12-12 20:23:05.000000000 -0500
+++ dix/dispatch.c      2005-08-26 14:13:37.000000000 -0400
@@ -1506,6 +1506,23 @@
        client->errorValue = 0;
         return BadValue;
     }
+       if (stuff->width > 32767 || stuff->height > 32767)
+       {
+               /* It is allowed to try and allocate a pixmap which is larger than
+                * 32767 in either dimension.  However, all of the framebuffer code
+                * is buggy and does not reliably draw to such big pixmaps, basically
+                * because the Region data structure operates with signed shorts for
+                * the rectangles in it.
+                *
+                * Furthermore, several places in the X server compute the size in
+                * bytes of the pixmap and try to store it in an integer.  This
+                * integer can overflow and cause the allocated size to be much
+                * smaller.
+                *
+                * So, such big pixmaps are rejected here with a BadAlloc
+                */
+               return BadAlloc;
+       }
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
diff -urN fb/fbpixmap.c fb/fbpixmap.c
--- fb/fbpixmap.c       2004-08-08 23:40:50.000000000 -0400
+++ fb/fbpixmap.c       2005-08-26 14:14:49.000000000 -0400
@@ -32,12 +32,16 @@
 fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
 {
     PixmapPtr  pPixmap;
-    int                datasize;
-    int                paddedWidth;
+    size_t     datasize;
+    size_t     paddedWidth;
     int                adjust;
     int                base;
 
     paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
+
+       if (paddedWidth > 32767 || height > 32767)
+               return NullPixmap;
+
     datasize = height * paddedWidth;
 #ifdef PIXPRIV
     base = pScreen->totalPixmapSize;
diff -urN hw/xfree86/xaa/xaaInit.c hw/xfree86/xaa/xaaInit.c
--- hw/xfree86/xaa/xaaInit.c    2004-07-30 16:30:56.000000000 -0400
+++ hw/xfree86/xaa/xaaInit.c    2005-08-26 14:16:30.000000000 -0400
@@ -499,6 +499,9 @@
     PixmapPtr pPix = NULL;
     int size = w * h;
     
+       if (w > 32767 || h > 32767)
+               return NullPixmap;
+
     if (!infoRec->offscreenDepthsInitialized)
        XAAInitializeOffscreenDepths (pScreen);
 
diff -urN hw/xfree86/xf4bpp/ppcPixmap.c hw/xfree86/xf4bpp/ppcPixmap.c
--- hw/xfree86/xf4bpp/ppcPixmap.c       2004-04-23 15:54:17.000000000 -0400
+++ hw/xfree86/xf4bpp/ppcPixmap.c       2005-08-26 14:17:29.000000000 -0400
@@ -85,14 +85,18 @@
     int                depth ;
 {
     register PixmapPtr pPixmap  = (PixmapPtr)NULL;
-    int size ;
+    size_t size ;
     
     TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
 
     if ( depth > 8 )
-       return (PixmapPtr) NULL ;
+               return (PixmapPtr) NULL ;
+
+       if (width > 32767 || height > 32767)
+               return (PixmapPtr) NULL ;
 
     size = PixmapBytePad(width, depth);
+
     pPixmap = AllocatePixmap (pScreen, (height * size));
     
     if ( !pPixmap )
diff -urN mfb/mfbpixmap.c mfb/mfbpixmap.c
--- mfb/mfbpixmap.c     2003-11-14 11:48:57.000000000 -0500
+++ mfb/mfbpixmap.c     2005-08-26 15:34:32.000000000 -0400
@@ -72,11 +72,15 @@
     int                depth;
 {
     PixmapPtr pPixmap;
-    int datasize;
-    int paddedWidth;
+    size_t datasize;
+    size_t paddedWidth;
 
     if (depth != 1)
        return NullPixmap;
+
+       if (width > 32767 || height > 32767)
+               return NullPixmap;
+
     paddedWidth = BitmapBytePad(width);
     datasize = height * paddedWidth;
     pPixmap = AllocatePixmap(pScreen, datasize);
1	diff -urN afb/afbpixmap.c afb/afbpixmap.c
2	--- afb/afbpixmap.c 2005-08-26 15:35:33.000000000 -0400
3	+++ afb/afbpixmap.c 2005-08-26 14:09:24.000000000 -0400
4	@@ -77,10 +77,14 @@
5	int depth;
6	{
7	PixmapPtr pPixmap;
8	- int datasize;
9	- int paddedWidth;
10	+ size_t datasize;
11	+ size_t paddedWidth;
12
13	paddedWidth = BitmapBytePad(width);
14	+
15	+ if (paddedWidth > 32767 \|\| height > 32767)
16	+ return NullPixmap;
17	+
18	datasize = height * paddedWidth * depth;
19	pPixmap = AllocatePixmap(pScreen, datasize);
20	if (!pPixmap)
21	diff -urN cfb/cfbpixmap.c cfb/cfbpixmap.c
22	--- cfb/cfbpixmap.c 2005-08-26 15:35:33.000000000 -0400
23	+++ cfb/cfbpixmap.c 2005-08-26 14:10:14.000000000 -0400
24	@@ -68,10 +68,14 @@
25	int depth;
26	{
27	PixmapPtr pPixmap;
28	- int datasize;
29	- int paddedWidth;
30	+ size_t datasize;
31	+ size_t paddedWidth;
32
33	paddedWidth = PixmapBytePad(width, depth);
34	+
35	+ if (paddedWidth > 32767 \|\| height > 32767)
36	+ return NullPixmap;
37	+
38	datasize = height * paddedWidth;
39	pPixmap = AllocatePixmap(pScreen, datasize);
40	if (!pPixmap)
41	diff -urN dix/dispatch.c dix/dispatch.c
42	--- dix/dispatch.c 2004-12-12 20:23:05.000000000 -0500
43	+++ dix/dispatch.c 2005-08-26 14:13:37.000000000 -0400
44	@@ -1506,6 +1506,23 @@
45	client->errorValue = 0;
46	return BadValue;
47	}
48	+ if (stuff->width > 32767 \|\| stuff->height > 32767)
49	+ {
50	+ /* It is allowed to try and allocate a pixmap which is larger than
51	+ * 32767 in either dimension. However, all of the framebuffer code
52	+ * is buggy and does not reliably draw to such big pixmaps, basically
53	+ * because the Region data structure operates with signed shorts for
54	+ * the rectangles in it.
55	+ *
56	+ * Furthermore, several places in the X server compute the size in
57	+ * bytes of the pixmap and try to store it in an integer. This
58	+ * integer can overflow and cause the allocated size to be much
59	+ * smaller.
60	+ *
61	+ * So, such big pixmaps are rejected here with a BadAlloc
62	+ */
63	+ return BadAlloc;
64	+ }
65	if (stuff->depth != 1)
66	{
67	pDepth = pDraw->pScreen->allowedDepths;
68	diff -urN fb/fbpixmap.c fb/fbpixmap.c
69	--- fb/fbpixmap.c 2004-08-08 23:40:50.000000000 -0400
70	+++ fb/fbpixmap.c 2005-08-26 14:14:49.000000000 -0400
71	@@ -32,12 +32,16 @@
72	fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
73	{
74	PixmapPtr pPixmap;
75	- int datasize;
76	- int paddedWidth;
77	+ size_t datasize;
78	+ size_t paddedWidth;
79	int adjust;
80	int base;
81
82	paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
83	+
84	+ if (paddedWidth > 32767 \|\| height > 32767)
85	+ return NullPixmap;
86	+
87	datasize = height * paddedWidth;
88	#ifdef PIXPRIV
89	base = pScreen->totalPixmapSize;
90	diff -urN hw/xfree86/xaa/xaaInit.c hw/xfree86/xaa/xaaInit.c
91	--- hw/xfree86/xaa/xaaInit.c 2004-07-30 16:30:56.000000000 -0400
92	+++ hw/xfree86/xaa/xaaInit.c 2005-08-26 14:16:30.000000000 -0400
93	@@ -499,6 +499,9 @@
94	PixmapPtr pPix = NULL;
95	int size = w * h;
96
97	+ if (w > 32767 \|\| h > 32767)
98	+ return NullPixmap;
99	+
100	if (!infoRec->offscreenDepthsInitialized)
101	XAAInitializeOffscreenDepths (pScreen);
102
103	diff -urN hw/xfree86/xf4bpp/ppcPixmap.c hw/xfree86/xf4bpp/ppcPixmap.c
104	--- hw/xfree86/xf4bpp/ppcPixmap.c 2004-04-23 15:54:17.000000000 -0400
105	+++ hw/xfree86/xf4bpp/ppcPixmap.c 2005-08-26 14:17:29.000000000 -0400
106	@@ -85,14 +85,18 @@
107	int depth ;
108	{
109	register PixmapPtr pPixmap = (PixmapPtr)NULL;
110	- int size ;
111	+ size_t size ;
112
113	TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
114
115	if ( depth > 8 )
116	- return (PixmapPtr) NULL ;
117	+ return (PixmapPtr) NULL ;
118	+
119	+ if (width > 32767 \|\| height > 32767)
120	+ return (PixmapPtr) NULL ;
121
122	size = PixmapBytePad(width, depth);
123	+
124	pPixmap = AllocatePixmap (pScreen, (height * size));
125
126	if ( !pPixmap )
127	diff -urN mfb/mfbpixmap.c mfb/mfbpixmap.c
128	--- mfb/mfbpixmap.c 2003-11-14 11:48:57.000000000 -0500
129	+++ mfb/mfbpixmap.c 2005-08-26 15:34:32.000000000 -0400
130	@@ -72,11 +72,15 @@
131	int depth;
132	{
133	PixmapPtr pPixmap;
134	- int datasize;
135	- int paddedWidth;
136	+ size_t datasize;
137	+ size_t paddedWidth;
138
139	if (depth != 1)
140	return NullPixmap;
141	+
142	+ if (width > 32767 \|\| height > 32767)
143	+ return NullPixmap;
144	+
145	paddedWidth = BitmapBytePad(width);
146	datasize = height * paddedWidth;
147	pPixmap = AllocatePixmap(pScreen, datasize);