From be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161 Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Mon, 21 Jan 2008 16:13:21 +0100
Subject: [PATCH] CVE-2007-6429: Always test for size+offset wrapping.

---
 Xext/shm.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Xext/shm.c b/Xext/shm.c
index e46f6fc..a7a1ecf 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -799,10 +799,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
         if (size < width * height)
             return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
@@ -1144,10 +1144,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
 	if (size < width * height)
 	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
-- 
1.5.3.8