You wrote (in your message from Friday 7)
>
> The vuln-dev Message-ID is <3B822F5F.99227A5F@snosoft.com>. I saw a fix
> for it on September 16th, so I'm rather hoping XFree86 releases newer
> than that have the fix integrated.
>
This has indeed been reported several time to XFree86 since last
september.
The patch that is in current XFree86 and in the 4_1_0 branch is
appended below. I have reports that it does not fix all possible cases
of crashes, but I can not reproduce any crashes with this patch.
May be someone can provide more details here (stack trace,...) ?
Matthieu Herrb
Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c 2001/05/29 04:54:09 1.11
+++ fbglyph.c 2001/09/07 15:16:00 1.12
@@ -34,9 +34,19 @@
int height)
{
BoxRec box;
+ BoxPtr pExtents = REGION_EXTENTS (0, pRegion);
- if (x + width < 0) return FALSE;
- if (y + height < 0) return FALSE;
+ /*
+ * Check extents by hand to avoid 16 bit overflows
+ */
+ if (x < (int) pExtents->x1)
+ return FALSE;
+ if ((int) pExtents->x2 < x + width)
+ return FALSE;
+ if (y < (int) pExtents->y1)
+ return FALSE;
+ if ((int) pExtents->y2 < y + height)
+ return FALSE;
box.x1 = x;
box.x2 = x + width;
box.y1 = y;
@@ -261,10 +271,10 @@
FbBits,
int,
int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
glyph = 0;
if (pGC->fillStyle == FillSolid && pPriv->and == 0)
@@ -352,10 +362,10 @@
FbBits,
int,
int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
glyph = 0;
if (pPriv->and == 0)
