authorThomas Klausner <wiz@NetBSD.org>2013-06-25 22:35:29 +0200
committerUlrich Sibiller <uli42@gmx.de>2016-10-19 21:40:27 +0200
commit39c6e5aa859c633fcb48e299643bb0189f333a0d (patch)
tree32e38227c9f0ef7ae5708879f94152bf1a44de18
parentac3d26251f8de17839dbdada457ffcd670338d0a (diff)
Tighten out-of-range comparisons.
[For all of these, LONG_MAX was the correct value to prevent overflows for the recent CVEs. Lowering to INT_MAX catches buggy replies from the server that 32-bit clients would reject but 64-bit would accept, so we catch bugs sooner, and really, no sane & working server should ever report more than 2gb of extension names, font path entries, key modifier maps, etc. -alan- ] Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/FontNames.c2
-rw-r--r--nx-X11/lib/X11/GetFPath.c2
-rw-r--r--nx-X11/lib/X11/ListExt.c2
-rw-r--r--nx-X11/lib/X11/ModMap.c2
4 files changed, 4 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/FontNames.c b/nx-X11/lib/X11/FontNames.c
index b5bc7b4ba..764711559 100644
--- a/nx-X11/lib/X11/FontNames.c
+++ b/nx-X11/lib/X11/FontNames.c
@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
if (rep.nFonts) {
flist = Xmalloc (rep.nFonts * sizeof(char *));
- if (rep.length < (LONG_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
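Review bot: The new bound `rep.length < (INT_MAX >> 2)` has no comment in the code, so the reason for choosing INT_MAX over LONG_MAX lives only in the commit message. The next line shifts rep.length left by 2 to get the byte count, and nothing in the source tells a reader that the limit is deliberately tighter than overflow safety alone requires. I would add above the test `/* rep.length is in 4-byte units; reject replies over INT_MAX bytes even where long is 64 bits */`. The same uncommented test is added in GetFPath.c, ListExt.c and ModMap.c. The enclosing function starts and ends outside the hunk.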
diff --git a/nx-X11/lib/X11/GetFPath.c b/nx-X11/lib/X11/GetFPath.c
index abd4a5dbd..8f8c6144a 100644
--- a/nx-X11/lib/X11/GetFPath.c
+++ b/nx-X11/lib/X11/GetFPath.c
@@ -50,7 +50,7 @@ char **XGetFontPath(
if (rep.nPaths) {
flist = Xmalloc(rep.nPaths * sizeof (char *));
- if (rep.length < (LONG_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2)) {
nbytes = (unsigned long) rep.length << 2;
ch = Xmalloc (nbytes + 1);
/* +1 to leave room for last null-terminator */
diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c
index e925c4773..59599d1a6 100644
--- a/nx-X11/lib/X11/ListExt.c
+++ b/nx-X11/lib/X11/ListExt.c
@@ -55,7 +55,7 @@ char **XListExtensions(
if (rep.nExtensions) {
list = Xmalloc (rep.nExtensions * sizeof (char *));
- if (rep.length < (LONG_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc (rlen + 1);
/* +1 to leave room for last null-terminator */
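Review bot: `rlen = rep.length << 2;` shifts in the reply field's own type, whereas GetFPath.c and ModMap.c in this commit widen first with `nbytes = (unsigned long) rep.length << 2;`. Assuming rep.length is the 32-bit reply length field, the new INT_MAX bound means the shift cannot wrap, so this is a consistency point rather than a defect. The explicit form `rlen = (unsigned long) rep.length << 2;` would keep the line correct if the bound is ever relaxed again. FontNames.c has the same uncast line. The declaration of rlen is outside the hunk, so its type should be confirmed.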
diff --git a/nx-X11/lib/X11/ModMap.c b/nx-X11/lib/X11/ModMap.c
index 5c5b42612..04cd676eb 100644
--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -42,7 +42,7 @@ XGetModifierMapping(register Display *dpy)
GetEmptyReq(GetModifierMapping, req);
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- if (rep.length < (LONG_MAX >> 2)) {
+ if (rep.length < (INT_MAX >> 2)) {
nbytes = (unsigned long)rep.length << 2;
res = Xmalloc(sizeof (XModifierKeymap));
if (res)
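Review bot: The added test reads `rep.length` although the result of `_XReply` two lines above is discarded with `(void)`. If that call can fail without filling rep, the comparison and the `nbytes` computation work on whatever rep held before; the hunk does not show whether rep is initialised. I would test the return value first, `if (!_XReply (dpy, (xReply *)&rep, 0, xFalse))`, and leave through the function's failure path before rep.length is looked at. The rest of XGetModifierMapping, including the branch taken when the length test fails, is outside the hunk.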