authorMike Gabriel <mike.gabriel@das-netzwerkteam.de>2016-10-13 14:02:51 +0200
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2016-10-13 14:02:51 +0200
commit133c91f732c6259fa9099100cd5b781d5b1cbfa1 (patch)
tree478aa88a8c42cbcb8221dd6680a16131556b49be /nx-X11/lib/X11/GetProp.c
parent051d521f6e20761ba6831cecd91883da960fa931 (diff)
parenta9f623f0a63372ca0705e8394fadf514dec55b1c (diff)
Merge branch 'uli42-pr/libX11_debian_backports' into 3.6.x
Attributes GH PR #215: https://github.com/ArcticaProject/nx-libs/pull/215
Diffstat (limited to 'nx-X11/lib/X11/GetProp.c')
-rw-r--r--nx-X11/lib/X11/GetProp.c33
1 files changed, 23 insertions, 10 deletions
diff --git a/nx-X11/lib/X11/GetProp.c b/nx-X11/lib/X11/GetProp.c
index a80c19c50..4149199f5 100644
--- a/nx-X11/lib/X11/GetProp.c
+++ b/nx-X11/lib/X11/GetProp.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
int
XGetWindowProperty(
@@ -48,6 +49,13 @@ XGetWindowProperty(
register xGetPropertyReq *req;
xError error;
+ /* Always initialize return values, in case callers fail to initialize
+ them and fail to check the return code for an error. */
+ *actual_type = None;
+ *actual_format = 0;
+ *nitems = *bytesafter = 0L;
+ *prop = (unsigned char *) NULL;
+
LockDisplay(dpy);
GetReq (GetProperty, req);
req->window = w;
@@ -64,10 +72,18 @@ XGetWindowProperty(
return (1); /* not Success */
}
- *prop = (unsigned char *) NULL;
if (reply.propertyType != None) {
- long nbytes, netbytes;
- switch (reply.format) {
+ unsigned long nbytes, netbytes;
+ int format = reply.format;
+
+ /*
+ * Protect against both integer overflow and just plain oversized
+ * memory allocation - no server should ever return this many props.
+ */
+ if (reply.nItems >= (INT_MAX >> 4))
+ format = -1; /* fall through to default error case */
+
+ switch (format) {
/*
* One extra byte is malloced than is needed to contain the property
* data, but this last byte is null terminated and convenient for
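Review bot: The bound `INT_MAX >> 4` in the new `reply.nItems` check is a magic number, and the comment above it says what is being prevented but not why this value is sufficient. If the intent is that `reply.nItems * sizeof (long) + 1` can never approach `INT_MAX`, say so, for example `/* nItems * sizeof(long) + 1 stays well below INT_MAX; >> 4 leaves headroom over the largest element size */`, so the bound can be re-checked if the per-format sizing ever changes. Setting `format = -1` relies on the `default:` case, which lies outside this hunk. It is worth confirming that this path consumes the whole reply, which the later `_XEatDataWords(dpy, reply.length)` change appears to cover, so that an oversized reply from a misbehaving server cannot leave unread data on the connection.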
@@ -76,24 +92,21 @@ XGetWindowProperty(
*/
case 8:
nbytes = netbytes = reply.nItems;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XReadPad (dpy, (char *) *prop, netbytes);
break;
case 16:
nbytes = reply.nItems * sizeof (short);
netbytes = reply.nItems << 1;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead16Pad (dpy, (short *) *prop, netbytes);
break;
case 32:
nbytes = reply.nItems * sizeof (long);
netbytes = reply.nItems << 2;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead32 (dpy, (long *) *prop, netbytes);
break;
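Review bot: The `nbytes + 1 > 0` test kept in the `case 8`, `case 16` and `case 32` branches no longer guards anything. `nbytes` is now `unsigned long`, so the expression is false only if `nbytes + 1` wraps to zero, and the earlier `reply.nItems >= (INT_MAX >> 4)` check rules that out. Either drop it, `if ((*prop = Xmalloc (nbytes + 1)))`, or keep it with a comment such as `/* redundant after the nItems bound above; kept as a cheap second check */` so that nobody mistakes it for the real overflow protection. The switch body begins and ends outside this hunk.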
@@ -115,7 +128,7 @@ XGetWindowProperty(
break;
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) netbytes);
+ _XEatDataWords(dpy, reply.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc); /* not Success */