aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/Xext
diff options
context:
space:
mode:
authorReinhard Tartler <siretart@tauware.de>2011-10-10 17:47:30 +0200
committerReinhard Tartler <siretart@tauware.de>2011-10-10 17:47:30 +0200
commit30463b084b2833193aa6fdc2ceafefc8a1c06fee (patch)
treefd062f7ac7b98d742a781d5f95e59cbb38fb81bc /nx-X11/programs/Xserver/Xext
parent713da22603c4abc7a97feddd931f29c507b7984b (diff)
downloadnx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.gz
nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.tar.bz2
nx-libs-30463b084b2833193aa6fdc2ceafefc8a1c06fee.zip
Imported nx-X11-3.2.0-2.tar.gznx-X11/3.2.0-2
Summary: Imported nx-X11-3.2.0-2.tar.gz Keywords: Imported nx-X11-3.2.0-2.tar.gz into Git repository
Diffstat (limited to 'nx-X11/programs/Xserver/Xext')
-rw-r--r--nx-X11/programs/Xserver/Xext/security.c10
-rw-r--r--nx-X11/programs/Xserver/Xext/security.c.NX.original10
-rw-r--r--nx-X11/programs/Xserver/Xext/security.c.X.original10
-rw-r--r--nx-X11/programs/Xserver/Xext/shm.c13
4 files changed, 32 insertions, 11 deletions
diff --git a/nx-X11/programs/Xserver/Xext/security.c b/nx-X11/programs/Xserver/Xext/security.c
index cee89354a..e3cca43eb 100644
--- a/nx-X11/programs/Xserver/Xext/security.c
+++ b/nx-X11/programs/Xserver/Xext/security.c
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
register char n;
CARD32 *values;
unsigned long nvalues;
+ int values_offset;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
swaps(&stuff->nbytesAuthProto, n);
swaps(&stuff->nbytesAuthData, n);
swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.NX.original b/nx-X11/programs/Xserver/Xext/security.c.NX.original
index cee89354a..e3cca43eb 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.NX.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original
@@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization(
register char n;
CARD32 *values;
unsigned long nvalues;
+ int values_offset;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
swaps(&stuff->nbytesAuthProto, n);
swaps(&stuff->nbytesAuthData, n);
swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/security.c.X.original b/nx-X11/programs/Xserver/Xext/security.c.X.original
index 765769a7c..c6a516733 100644
--- a/nx-X11/programs/Xserver/Xext/security.c.X.original
+++ b/nx-X11/programs/Xserver/Xext/security.c.X.original
@@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization(
register char n;
CARD32 *values;
unsigned long nvalues;
+ int values_offset;
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
swaps(&stuff->nbytesAuthProto, n);
swaps(&stuff->nbytesAuthData, n);
swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
nvalues = (((CARD32 *)stuff) + stuff->length) - values;
SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client);
diff --git a/nx-X11/programs/Xserver/Xext/shm.c b/nx-X11/programs/Xserver/Xext/shm.c
index e2cf8cd24..f25bb9b5d 100644
--- a/nx-X11/programs/Xserver/Xext/shm.c
+++ b/nx-X11/programs/Xserver/Xext/shm.c
@@ -863,8 +863,17 @@ ProcShmPutImage(client)
return BadValue;
}
- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
- client);
+ /*
+ * There's a potential integer overflow in this check:
+ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+ * client);
+ * the version below ought to avoid it
+ */
+ if (stuff->totalHeight != 0 &&
+ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+ client->errorValue = stuff->totalWidth;
+ return BadValue;
+ }
if (stuff->srcX > stuff->totalWidth)
{
client->errorValue = stuff->srcX;