[PATCH] [cairo-xlib] Guard the public entry points against massive drawables.

Chris Wilson chris at chris-wilson.co.uk
Tue Apr 8 00:08:26 PDT 2008 

In order to prevent generating BadAlloc internally, we must prevent the
user from tricking us into constructing massive similar surfaces by
exaggerating the size of the destination surface.
---
 src/cairo-xlib-surface.c |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
index 454095b..4bdaea3 100644
--- a/src/cairo-xlib-surface.c
+++ b/src/cairo-xlib-surface.c
@@ -2338,6 +2338,9 @@ cairo_xlib_surface_create (Display     *dpy,
     if (screen == NULL)
 	return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_INVALID_VISUAL));
 
+    if (width > INT16_MAX || height > INT16_MAX)
+	return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
+
     return _cairo_xlib_surface_create_internal (dpy, drawable, screen,
 						visual, NULL, width, height, 0);
 }
@@ -2362,6 +2365,9 @@ cairo_xlib_surface_create_for_bitmap (Display  *dpy,
 				      int	width,
 				      int	height)
 {
+    if (width > INT16_MAX || height > INT16_MAX)
+	return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
+
     return _cairo_xlib_surface_create_internal (dpy, bitmap, screen,
 						NULL, NULL, width, height, 1);
 }
@@ -2395,6 +2401,9 @@ cairo_xlib_surface_create_with_xrender_format (Display		    *dpy,
 					       int		    width,
 					       int		    height)
 {
+    if (width > INT16_MAX || height > INT16_MAX)
+	return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
+
     return _cairo_xlib_surface_create_internal (dpy, drawable, screen,
 						NULL, format, width, height, 0);
 }
@@ -2459,6 +2468,12 @@ cairo_xlib_surface_set_size (cairo_surface_t *abstract_surface,
 	return;
     }
 
+    if (width > INT16_MAX || height > INT16_MAX) {
+	status = _cairo_surface_set_error (abstract_surface,
+		                           CAIRO_STATUS_NO_MEMORY);
+	return;
+    }
+
     surface->width = width;
     surface->height = height;
 }
@@ -2491,6 +2506,12 @@ cairo_xlib_surface_set_drawable (cairo_surface_t   *abstract_surface,
 	return;
     }
 
+    if (width > INT16_MAX || height > INT16_MAX) {
+	status = _cairo_surface_set_error (abstract_surface,
+		                           CAIRO_STATUS_NO_MEMORY);
+	return;
+    }
+
     /* XXX: and what about this case? */
     if (surface->owns_pixmap)
 	return;
-- 
1.5.4.5


--=-fn1OCLrMEL6CA85ai4ve--

More information about the cairo mailing list