diff options
author | Thomas Klausner <wiz@NetBSD.org> | 2013-06-25 22:35:29 +0200 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-19 21:40:27 +0200 |
commit | 39c6e5aa859c633fcb48e299643bb0189f333a0d (patch) | |
tree | 32e38227c9f0ef7ae5708879f94152bf1a44de18 | |
parent | ac3d26251f8de17839dbdada457ffcd670338d0a (diff) | |
download | nx-libs-39c6e5aa859c633fcb48e299643bb0189f333a0d.tar.gz nx-libs-39c6e5aa859c633fcb48e299643bb0189f333a0d.tar.bz2 nx-libs-39c6e5aa859c633fcb48e299643bb0189f333a0d.zip |
Tighten out-of-range comparisons.
[For all of these, LONG_MAX was the correct value to prevent overflows
for the recent CVEs. Lowering to INT_MAX catches buggy replies from
the server that 32-bit clients would reject but 64-bit would accept,
so we catch bugs sooner, and really, no sane & working server should
ever report more than 2gb of extension names, font path entries,
key modifier maps, etc. -alan- ]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r-- | nx-X11/lib/X11/FontNames.c | 2 | ||||
-rw-r--r-- | nx-X11/lib/X11/GetFPath.c | 2 | ||||
-rw-r--r-- | nx-X11/lib/X11/ListExt.c | 2 | ||||
-rw-r--r-- | nx-X11/lib/X11/ModMap.c | 2 |
4 files changed, 4 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/FontNames.c b/nx-X11/lib/X11/FontNames.c index b5bc7b4ba..764711559 100644 --- a/nx-X11/lib/X11/FontNames.c +++ b/nx-X11/lib/X11/FontNames.c @@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ if (rep.nFonts) { flist = Xmalloc (rep.nFonts * sizeof(char *)); - if (rep.length < (LONG_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc(rlen + 1); /* +1 to leave room for last null-terminator */ diff --git a/nx-X11/lib/X11/GetFPath.c b/nx-X11/lib/X11/GetFPath.c index abd4a5dbd..8f8c6144a 100644 --- a/nx-X11/lib/X11/GetFPath.c +++ b/nx-X11/lib/X11/GetFPath.c @@ -50,7 +50,7 @@ char **XGetFontPath( if (rep.nPaths) { flist = Xmalloc(rep.nPaths * sizeof (char *)); - if (rep.length < (LONG_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2)) { nbytes = (unsigned long) rep.length << 2; ch = Xmalloc (nbytes + 1); /* +1 to leave room for last null-terminator */ diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c index e925c4773..59599d1a6 100644 --- a/nx-X11/lib/X11/ListExt.c +++ b/nx-X11/lib/X11/ListExt.c @@ -55,7 +55,7 @@ char **XListExtensions( if (rep.nExtensions) { list = Xmalloc (rep.nExtensions * sizeof (char *)); - if (rep.length < (LONG_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc (rlen + 1); /* +1 to leave room for last null-terminator */ diff --git a/nx-X11/lib/X11/ModMap.c b/nx-X11/lib/X11/ModMap.c index 5c5b42612..04cd676eb 100644 --- a/nx-X11/lib/X11/ModMap.c +++ b/nx-X11/lib/X11/ModMap.c @@ -42,7 +42,7 @@ XGetModifierMapping(register Display *dpy) GetEmptyReq(GetModifierMapping, req); (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - if (rep.length < (LONG_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2)) { nbytes = (unsigned long)rep.length << 2; res = Xmalloc(sizeof (XModifierKeymap)); if (res) |