Index: programs/Xserver/afb/afbpixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/afb/afbpixmap.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 afbpixmap.c
--- programs/Xserver/afb/afbpixmap.c 3 Jul 2005 07:01:14 -0000 1.5
+++ programs/Xserver/afb/afbpixmap.c 26 Aug 2005 19:58:29 -0000
@@ -77,10 +77,14 @@ afbCreatePixmap(pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 paddedWidth = BitmapBytePad(width);
+
+ if (paddedWidth > 32767 || height > 32767 || depth > 4)
+ return NullPixmap;
+
 datasize = height * paddedWidth * depth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)
Index: programs/Xserver/cfb/cfbpixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/cfb/cfbpixmap.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 cfbpixmap.c
--- programs/Xserver/cfb/cfbpixmap.c 3 Jul 2005 07:01:15 -0000 1.5
+++ programs/Xserver/cfb/cfbpixmap.c 26 Aug 2005 19:58:29 -0000
@@ -72,10 +72,13 @@ cfbCreatePixmap (pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 paddedWidth = PixmapBytePad(width, depth);
+
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)
Index: programs/Xserver/dix/dispatch.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/dix/dispatch.c,v
retrieving revision 1.12
diff -u -p -u -r1.12 dispatch.c
--- programs/Xserver/dix/dispatch.c 16 Jul 2005 20:52:25 -0000 1.12
+++ programs/Xserver/dix/dispatch.c 26 Aug 2005 19:58:30 -0000
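Review bot: In afbCreatePixmap the new guard still lets `datasize` exceed INT_MAX, since 32767 * 32767 * 4 is roughly 4.29e9, and the AllocatePixmap hunk later in this patch shows its size parameter beginning `int pi…`, so the size_t value appears to be narrowed back to a signed int at the call. The same holds for ilbm and for the `paddedWidth / 4 > 32767` form used in cfb, fb, iplan2p4, mfb and xf4bpp, where 131071 * 32767 is also above INT_MAX. A negative `height` or `depth` also passes these signed comparisons and then converts to a very large size_t in the multiplication. Consider bounding the product itself once it is computed, e.g. `if (datasize > INT_MAX) return NullPixmap;`, together with `height < 0` in the guard, or widening AllocatePixmap's parameter to size_t in the same change. The function body continues outside the hunk.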
@@ -1483,6 +1483,23 @@ ProcCreatePixmap(register ClientPtr clie
 client->errorValue = 0;
 return BadValue;
 }
+ if (stuff->width > 32767 || stuff->height > 32767)
+ {
+ /* It is allowed to try and allocate a pixmap which is larger than
+ * 32767 in either dimension. However, all of the framebuffer code
+ * is buggy and does not reliably draw to such big pixmaps, basically
+ * because the Region data structure operates with signed shorts
+ * for the rectangles in it.
+ *
+ * Furthermore, several places in the X server computes the
+ * size in bytes of the pixmap and tries to store it in an
+ * integer. This integer can overflow and cause the allocated size
+ * to be much smaller.
+ *
+ * So, such big pixmaps are rejected here with a BadAlloc
+ */
+ return BadAlloc;
+ }
 if (stuff->depth != 1)
 {
 pDepth = pDraw->pScreen->allowedDepths;
Index: programs/Xserver/dix/pixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/dix/pixmap.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 pixmap.c
--- programs/Xserver/dix/pixmap.c 3 Jul 2005 08:53:38 -0000 1.7
+++ programs/Xserver/dix/pixmap.c 26 Aug 2005 19:58:30 -0000
@@ -118,6 +118,9 @@ AllocatePixmap(ScreenPtr pScreen, int pi
 unsigned size;
 int i;
+ if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)
+ return NullPixmap;
+
 pPixmap = (PixmapPtr)xalloc(pScreen->totalPixmapSize + pixDataSize);
 if (!pPixmap)
 return NullPixmap;
Index: programs/Xserver/fb/fbpixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/fb/fbpixmap.c,v
retrieving revision 1.5
diff -u -p -u -r1.5 fbpixmap.c
--- programs/Xserver/fb/fbpixmap.c 3 Jul 2005 07:01:23 -0000 1.5
+++ programs/Xserver/fb/fbpixmap.c 26 Aug 2005 19:58:30 -0000
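Review bot: The literal 32767 in the new ProcCreatePixmap check is repeated, in slightly different forms, in every CreatePixmap implementation this patch touches, with nothing tying the copies together. A single named constant in a shared server header (for example `PIXMAP_DIM_LIMIT`, a placeholder name) referenced here and in the per-layer guards would keep the protocol limit and the allocation limits from drifting apart. The comment could also say that this check covers only the protocol request path; the guards added in the other files suggest that CreatePixmap is reachable without passing through here.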
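Review bot: The overflow test added to AllocatePixmap relies on `pixDataSize` being non-negative, but the hunk header shows the parameter list as `int pi…`, so it looks signed. A negative value is converted to a large size_t in `((size_t)-1) - pixDataSize`, and once its magnitude exceeds `totalPixmapSize` the comparison no longer rejects it. Rejecting it explicitly removes the dependence on that conversion: `if (pixDataSize < 0 || pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)`. The type of `totalPixmapSize` is not visible here; if it is also a signed int, the sum passed to `xalloc` is still computed in int and would need a size_t cast on one operand. The function body continues outside the hunk.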
@@ -36,12 +36,14 @@ PixmapPtr
 fbCreatePixmapBpp (ScreenPtr pScreen, int width, int height, int depth, int bpp)
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 int adjust;
 int base;
 paddedWidth = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (FbBits);
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 #ifdef PIXPRIV
 base = pScreen->totalPixmapSize;
Index: programs/Xserver/hw/xfree86/exa/exa.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/hw/xfree86/exa/exa.c,v
retrieving revision 1.14
diff -u -p -u -r1.14 exa.c
--- programs/Xserver/hw/xfree86/exa/exa.c 24 Aug 2005 23:48:11 -0000 1.14
+++ programs/Xserver/hw/xfree86/exa/exa.c 26 Aug 2005 19:58:31 -0000
@@ -360,6 +360,9 @@ exaCreatePixmap(ScreenPtr pScreen, int w
 ScrnInfoPtr pScrn = XF86SCRNINFO(pScreen);
 ExaScreenPriv(pScreen);
+ if (w > 32767 || h > 32767)
+ return NullPixmap;
+
 if (!pScrn->vtSema || pExaScr->swappedOut) {
 pPixmap = pExaScr->SavedCreatePixmap(pScreen, w, h, depth);
 } else {
Index: programs/Xserver/hw/xfree86/xaa/xaaInit.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/hw/xfree86/xaa/xaaInit.c,v
retrieving revision 1.7
diff -u -p -u -r1.7 xaaInit.c
--- programs/Xserver/hw/xfree86/xaa/xaaInit.c 3 Jul 2005 08:53:49 -0000 1.7
+++ programs/Xserver/hw/xfree86/xaa/xaaInit.c 26 Aug 2005 19:58:31 -0000
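Review bot: In fbCreatePixmapBpp the new bound is applied only after `width * bpp + FB_MASK` has already been evaluated in int arithmetic, so an oversized or negative `width` from a caller that did not come through ProcCreatePixmap can overflow before the guard runs. Checking the raw dimensions ahead of the `paddedWidth` assignment avoids depending on the padded value: `if (width < 0 || width > 32767 || height < 0 || height > 32767) return NullPixmap;`, which matches the limit described in the dispatch.c comment. The function body continues outside the hunk.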
@@ -502,6 +502,9 @@ XAACreatePixmap(ScreenPtr pScreen, int w
 XAAPixmapPtr pPriv;
 PixmapPtr pPix = NULL;
 int size = w * h;
+
+ if (w > 32767 || h > 32767)
+ return NullPixmap;
 if (!infoRec->offscreenDepthsInitialized)
 XAAInitializeOffscreenDepths (pScreen);
Index: programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c,v
retrieving revision 1.3
diff -u -p -u -r1.3 ppcPixmap.c
--- programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 3 Jul 2005 07:01:41 -0000 1.3
+++ programs/Xserver/hw/xfree86/xf4bpp/ppcPixmap.c 26 Aug 2005 19:58:31 -0000
@@ -89,7 +89,7 @@ xf4bppCreatePixmap( pScreen, width, heig
 int depth ;
 {
 register PixmapPtr pPixmap = (PixmapPtr)NULL;
- int size ;
+ size_t size ;
 TRACE(("xf4bppCreatePixmap(pScreen=0x%x, width=%d, height=%d, depth=%d)\n", pScreen, width, height, depth)) ;
@@ -97,6 +97,10 @@ xf4bppCreatePixmap( pScreen, width, heig
 return (PixmapPtr) NULL ;
 size = PixmapBytePad(width, depth);
+
+ if (size / 4 > 32767 || height > 32767)
+ return (PixmapPtr) NULL ;
+
 pPixmap = AllocatePixmap (pScreen, (height * size));
 if ( !pPixmap )
Index: programs/Xserver/ilbm/ilbmpixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/ilbm/ilbmpixmap.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 ilbmpixmap.c
--- programs/Xserver/ilbm/ilbmpixmap.c 3 Jul 2005 07:01:44 -0000 1.4
+++ programs/Xserver/ilbm/ilbmpixmap.c 26 Aug 2005 19:58:31 -0000
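Review bot: In XAACreatePixmap the initializer `int size = w * h;` is evaluated before the new `w > 32767 || h > 32767` test, so the signed multiplication still runs on exactly the values the guard is meant to exclude. Moving the computation below the guard fixes the ordering: declare `int size;` and assign `size = w * h;` after the `return NullPixmap;`. Within the accepted range 32767 * 32767 fits in a 32-bit int, so the product needs no wider type once it is computed after the check. The function body continues outside the hunk.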
@@ -79,10 +79,12 @@ ilbmCreatePixmap(pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 paddedWidth = BitmapBytePad(width);
+ if (paddedWidth > 32767 || height > 32767 || depth > 4)
+ return NullPixmap;
 datasize = height * paddedWidth * depth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)
Index: programs/Xserver/iplan2p4/iplpixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/iplan2p4/iplpixmap.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 iplpixmap.c
--- programs/Xserver/iplan2p4/iplpixmap.c 3 Jul 2005 07:01:46 -0000 1.4
+++ programs/Xserver/iplan2p4/iplpixmap.c 26 Aug 2005 19:58:31 -0000
@@ -78,12 +78,14 @@ iplCreatePixmap (pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 int ipad=INTER_PLANES*2 - 1;
 paddedWidth = PixmapBytePad(width, depth);
 paddedWidth = (paddedWidth + ipad) & ~ipad;
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)
Index: programs/Xserver/mfb/mfbpixmap.c
===================================================================
RCS file: /cvs/xorg/xc/programs/Xserver/mfb/mfbpixmap.c,v
retrieving revision 1.4
diff -u -p -u -r1.4 mfbpixmap.c
--- programs/Xserver/mfb/mfbpixmap.c 3 Jul 2005 07:01:50 -0000 1.4
+++ programs/Xserver/mfb/mfbpixmap.c 26 Aug 2005 19:58:31 -0000
@@ -75,12 +75,14 @@ mfbCreatePixmap (pScreen, width, height,
 int depth;
 {
 PixmapPtr pPixmap;
- int datasize;
- int paddedWidth;
+ size_t datasize;
+ size_t paddedWidth;
 if (depth != 1)
 return NullPixmap;
 paddedWidth = BitmapBytePad(width);
+ if (paddedWidth / 4 > 32767 || height > 32767)
+ return NullPixmap;
 datasize = height * paddedWidth;
 pPixmap = AllocatePixmap(pScreen, datasize);
 if (!pPixmap)