aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/Xext/EVI.c
diff options
context:
space:
mode:
Diffstat (limited to 'nx-X11/programs/Xserver/Xext/EVI.c')
-rw-r--r--nx-X11/programs/Xserver/Xext/EVI.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/Xext/EVI.c b/nx-X11/programs/Xserver/Xext/EVI.c
index b59180685..93ed19fa6 100644
--- a/nx-X11/programs/Xserver/Xext/EVI.c
+++ b/nx-X11/programs/Xserver/Xext/EVI.c
@@ -36,6 +36,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "modinit.h"
+#include "scrnintstr.h"
#if 0
static unsigned char XEVIReqCode = 0;
@@ -89,10 +90,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-04 21:43:41 +0000