From f9edadf3f2b1ddb138a7ad47a2a80d47ba6605de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20H=C3=B8gsberg?=
Date: Wed, 26 Jan 2011 11:46:05 -0500
Subject: [PATCH] shm: Check width, height and stride for invalid values

---
 compositor/shm.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/compositor/shm.c b/compositor/shm.c
index 913833e6..389eeaa4 100644
--- a/compositor/shm.c
+++ b/compositor/shm.c
@@ -97,9 +97,9 @@ shm_create_buffer(struct wl_client *client, struct wl_shm *shm,
 struct wlsc_compositor, shm);
 struct wlsc_shm_buffer *buffer;
 
+ /* FIXME: Define a real exception event instead of abusing the
+ * display.invalid_object error */
 if (visual->object.interface != &wl_visual_interface) {
- /* FIXME: Define a real exception event instead of
- * abusing this one */
 wl_client_post_event(client,
 (struct wl_object *) compositor->wl_display,
 WL_DISPLAY_INVALID_OBJECT, 0);
@@ -108,6 +108,16 @@ shm_create_buffer(struct wl_client *client, struct wl_shm *shm,
 return;
 }
 
+ if (width < 0 || height < 0 || stride < width) {
+ wl_client_post_event(client,
+ (struct wl_object *) compositor->wl_display,
+ WL_DISPLAY_INVALID_OBJECT, 0);
+ fprintf(stderr,
+ "invalid width, height or stride in create_buffer\n");
+ close(fd);
+ return;
+ }
+
 buffer = malloc(sizeof *buffer);
 if (buffer == NULL) {
 close(fd);
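Review bot: The added guard `stride < width` in the second hunk compares what is presumably a byte stride against a pixel width, so a stride shorter than one row of pixels still passes; if the visuals are 4 bytes per pixel the condition would be `if (width <= 0 || height <= 0 || stride / 4 < width) {`, where dividing avoids an overflow and `<=` also rejects zero-sized buffers. Nothing in this hunk bounds `stride * height` either: the product can overflow and is never compared with the real size of `fd`, so a later mapping or read of the buffer could run past the end of the file; an `fstat()` on `fd` before the `malloc` would cover that. The types of `width`, `height` and `stride` are declared outside the hunk, so the signedness of these comparisons should be confirmed there. shm_create_buffer begins and ends outside the hunk.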