diff -up ./render/glyph.c.cve-2008-2360 ./render/glyph.c --- ./render/glyph.c.cve-2008-2360 2006-07-06 04:31:44.000000000 +1000 +++ ./render/glyph.c 2008-05-29 16:22:06.000000000 +1000 @@ -43,6 +43,12 @@ #include "picturestr.h" #include "glyphstr.h" +#if HAVE_STDINT_H +#include <stdint.h> +#else +#define UINT32_MAX 0xffffffffU +#endif + /* * From Knuth -- a good choice for hash/rehash values is p, p-2 where * p and p-2 are both prime. These tables are sized to have an extra 10% @@ -627,8 +633,14 @@ AllocateGlyph (xGlyphInfo *gi, int fdept int size; GlyphPtr glyph; int i; + size_t padded_width; + + padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]); + + if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height) + return 0; - size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]); + size = gi->height * padded_width; glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); if (!glyph) return 0;