aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nx-X11/programs/Xserver/Xi/chgdctl.c4
-rw-r--r--nx-X11/programs/Xserver/Xi/chgfctl.c2
-rw-r--r--nx-X11/programs/Xserver/Xi/sendexev.c3
-rw-r--r--nx-X11/programs/Xserver/include/dix.h4
4 files changed, 11 insertions, 2 deletions
diff --git a/nx-X11/programs/Xserver/Xi/chgdctl.c b/nx-X11/programs/Xserver/Xi/chgdctl.c
index 63a3c9c69..144a51ed4 100644
--- a/nx-X11/programs/Xserver/Xi/chgdctl.c
+++ b/nx-X11/programs/Xserver/Xi/chgdctl.c
@@ -87,7 +87,7 @@ SProcXChangeDeviceControl(client)
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length, n);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control, n);
return(ProcXChangeDeviceControl(client));
}
@@ -111,7 +111,7 @@ ProcXChangeDeviceControl(client)
CARD32 *resolution;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - (sizeof(xChangeDeviceControlReq) >>2);
dev = LookupDeviceIntRec (stuff->deviceid);
diff --git a/nx-X11/programs/Xserver/Xi/chgfctl.c b/nx-X11/programs/Xserver/Xi/chgfctl.c
index fe8bd1fac..3ffac39b3 100644
--- a/nx-X11/programs/Xserver/Xi/chgfctl.c
+++ b/nx-X11/programs/Xserver/Xi/chgfctl.c
@@ -160,6 +160,8 @@ ProcXChangeFeedbackControl(client)
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped)
{
+ if (len < (sizeof(xStringFeedbackCtl) + 3) >> 2)
+ return BadLength;
swaps(&f->num_keysyms,n);
}
if (len != ((sizeof(xStringFeedbackCtl)>>2) + f->num_keysyms))
diff --git a/nx-X11/programs/Xserver/Xi/sendexev.c b/nx-X11/programs/Xserver/Xi/sendexev.c
index 9b441f2d8..0b2a701bb 100644
--- a/nx-X11/programs/Xserver/Xi/sendexev.c
+++ b/nx-X11/programs/Xserver/Xi/sendexev.c
@@ -154,6 +154,9 @@ ProcXSendExtensionEvent (client)
return Success;
}
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
diff --git a/nx-X11/programs/Xserver/include/dix.h b/nx-X11/programs/Xserver/include/dix.h
index d82979c86..9fe575e53 100644
--- a/nx-X11/programs/Xserver/include/dix.h
+++ b/nx-X11/programs/Xserver/include/dix.h
@@ -73,6 +73,10 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
((n >> 2) >= client->req_len) || \