diff options
Diffstat (limited to 'nx-X11/programs/Xserver/hw/nxagent/X')
15 files changed, 293 insertions, 54 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c index 845c6cfb9..f84ca0e03 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c @@ -3835,6 +3835,8 @@ ProcSetScreenSaver (register ClientPtr client) { ScreenSaverInterval = defaultScreenSaverInterval; } + + SetScreenSaverTimer(); } #ifdef TEST @@ -3846,7 +3848,6 @@ ProcSetScreenSaver (register ClientPtr client) #endif - SetScreenSaverTimer(); return (client->noClientException); } diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c.NX.original index 845c6cfb9..f84ca0e03 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXdispatch.c.NX.original @@ -3835,6 +3835,8 @@ ProcSetScreenSaver (register ClientPtr client) { ScreenSaverInterval = defaultScreenSaverInterval; } + + SetScreenSaverTimer(); } #ifdef TEST @@ -3846,7 +3848,6 @@ ProcSetScreenSaver (register ClientPtr client) #endif - SetScreenSaverTimer(); return (client->noClientException); } diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c index 06dabddaa..f51a8bce9 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c @@ -69,6 +69,17 @@ #undef DEBUG #undef TEST +#else + +#include "picturestr.h" +#include "glyphstr.h" + +#endif + +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU #endif /* @@ -401,8 +412,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth) { int size; GlyphPtr glyph; - - size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]); + size_t padded_width; + + padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]); + if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height) + return 0; + size = gi->height * padded_width; glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); if (!glyph) return 0; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.NX.original index 06dabddaa..f51a8bce9 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.NX.original @@ -69,6 +69,17 @@ #undef DEBUG #undef TEST +#else + +#include "picturestr.h" +#include "glyphstr.h" + +#endif + +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU #endif /* @@ -401,8 +412,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth) { int size; GlyphPtr glyph; - - size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]); + size_t padded_width; + + padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]); + if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height) + return 0; + size = gi->height * padded_width; glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); if (!glyph) return 0; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.X.original index 45c5dd975..9f4d1c87b 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXglyph.c.X.original @@ -43,6 +43,12 @@ #include "picturestr.h" #include "glyphstr.h" +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU +#endif + /* * From Knuth -- a good choice for hash/rehash values is p, p-2 where * p and p-2 are both prime. These tables are sized to have an extra 10% @@ -334,8 +340,12 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth) { int size; GlyphPtr glyph; - - size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]); + size_t padded_width; + + padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]); + if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height) + return 0; + size = gi->height * padded_width; glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec)); if (!glyph) return 0; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c index 00c55cde7..de2df855f 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c @@ -1893,6 +1893,8 @@ ProcRenderCreateCursor (ClientPtr client) pScreen = pSrc->pDrawable->pScreen; width = pSrc->pDrawable->width; height = pSrc->pDrawable->height; + if (height && width > UINT32_MAX/(height*sizeof(CARD32))) + return BadAlloc; if ( stuff->x > width || stuff->y > height ) return (BadMatch); @@ -2353,6 +2355,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -2955,18 +2959,18 @@ SProcRenderCreateSolidFill(ClientPtr client) return (*ProcRenderVector[stuff->renderReqType]) (client); } -static void swapStops(void *stuff, int n) +static void swapStops(void *stuff, int num) { - int i; + int i, n; CARD32 *stops; CARD16 *colors; stops = (CARD32 *)(stuff); - for (i = 0; i < n; ++i) { + for (i = 0; i < num; ++i) { swapl(stops, n); ++stops; } colors = (CARD16 *)(stops); - for (i = 0; i < 4*n; ++i) { + for (i = 0; i < 4*num; ++i) { swaps(stops, n); ++stops; } @@ -2989,6 +2993,8 @@ SProcRenderCreateLinearGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -3016,6 +3022,8 @@ SProcRenderCreateRadialGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -3040,6 +3048,8 @@ SProcRenderCreateConicalGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.NX.original index 00c55cde7..de2df855f 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.NX.original @@ -1893,6 +1893,8 @@ ProcRenderCreateCursor (ClientPtr client) pScreen = pSrc->pDrawable->pScreen; width = pSrc->pDrawable->width; height = pSrc->pDrawable->height; + if (height && width > UINT32_MAX/(height*sizeof(CARD32))) + return BadAlloc; if ( stuff->x > width || stuff->y > height ) return (BadMatch); @@ -2353,6 +2355,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -2955,18 +2959,18 @@ SProcRenderCreateSolidFill(ClientPtr client) return (*ProcRenderVector[stuff->renderReqType]) (client); } -static void swapStops(void *stuff, int n) +static void swapStops(void *stuff, int num) { - int i; + int i, n; CARD32 *stops; CARD16 *colors; stops = (CARD32 *)(stuff); - for (i = 0; i < n; ++i) { + for (i = 0; i < num; ++i) { swapl(stops, n); ++stops; } colors = (CARD16 *)(stops); - for (i = 0; i < 4*n; ++i) { + for (i = 0; i < 4*num; ++i) { swaps(stops, n); ++stops; } @@ -2989,6 +2993,8 @@ SProcRenderCreateLinearGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -3016,6 +3022,8 @@ SProcRenderCreateRadialGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -3040,6 +3048,8 @@ SProcRenderCreateConicalGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.X.original index d2759ab10..d25d49756 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXrender.c.X.original @@ -1505,6 +1505,8 @@ ProcRenderCreateCursor (ClientPtr client) pScreen = pSrc->pDrawable->pScreen; width = pSrc->pDrawable->width; height = pSrc->pDrawable->height; + if (height && width > UINT32_MAX/(height*sizeof(CARD32))) + return BadAlloc; if ( stuff->x > width || stuff->y > height ) return (BadMatch); @@ -1918,6 +1920,8 @@ static int ProcRenderCreateLinearGradient (ClientPtr client) LEGAL_NEW_RESOURCE(stuff->pid, client); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -2489,18 +2493,18 @@ SProcRenderCreateSolidFill(ClientPtr client) return (*ProcRenderVector[stuff->renderReqType]) (client); } -static void swapStops(void *stuff, int n) +static void swapStops(void *stuff, int num) { - int i; + int i, n; CARD32 *stops; CARD16 *colors; stops = (CARD32 *)(stuff); - for (i = 0; i < n; ++i) { + for (i = 0; i < num; ++i) { swapl(stops, n); ++stops; } colors = (CARD16 *)(stops); - for (i = 0; i < 4*n; ++i) { + for (i = 0; i < 4*num; ++i) { swaps(stops, n); ++stops; } @@ -2523,6 +2527,8 @@ SProcRenderCreateLinearGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateLinearGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -2550,6 +2556,8 @@ SProcRenderCreateRadialGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; @@ -2574,6 +2582,8 @@ SProcRenderCreateConicalGradient (ClientPtr client) swapl(&stuff->nStops, n); len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq); + if (stuff->nStops > UINT32_MAX/(sizeof(xFixed) + sizeof(xRenderColor))) + return BadLength; if (len != stuff->nStops*(sizeof(xFixed) + sizeof(xRenderColor))) return BadLength; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c index 9af5c4187..91e03cb0e 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c @@ -201,6 +201,10 @@ void RegisterResourceName (RESTYPE type, char *name) #endif +#ifdef NXAGENT_SERVER +static int nxagentResChangedFlag = 0; +#endif + RESTYPE CreateNewResourceType(DeleteType deleteFunc) { @@ -590,6 +594,9 @@ AddResource(XID id, RESTYPE type, pointer value) res->value = value; *head = res; rrec->elements++; + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 1; + #endif if (!(id & SERVER_BIT) && (id >= rrec->expectID)) rrec->expectID = id + 1; return TRUE; @@ -675,6 +682,9 @@ FreeResource(XID id, RESTYPE skipDeleteFuncType) RESTYPE rtype = res->type; *prev = res->next; elements = --*eltptr; + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 1; + #endif if (rtype & RC_CACHED) FlushClientCaches(res->id); if (rtype != skipDeleteFuncType) @@ -715,6 +725,9 @@ FreeResourceByType(XID id, RESTYPE type, Bool skipFree) if (res->id == id && res->type == type) { *prev = res->next; + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 1; + #endif if (type & RC_CACHED) FlushClientCaches(res->id); if (!skipFree) @@ -809,12 +822,44 @@ RestartLoop: next = this->next; if (!type || this->type == type) { elements = *eltptr; + + /* + * FIXME: + * It is not safe to let a function change the resource + * table we are reading! + */ + + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 0; + #endif (*func)(this->value, this->id, cdata); + + /* + * Avoid that a call to RebuildTable() could invalidate the + * pointer. This is safe enough, because in RebuildTable() + * the new pointer is allocated just before the old one is + * freed, so it can't point to the same address. + */ + #ifdef NXAGENT_SERVER if (*resptr != resources) goto RestartLoop; #endif + + /* + * It's not enough to check if the number of elements has + * changed, beacause it could happen that the number of + * resources that have been added matches the number of + * the freed ones. + * 'nxagentResChangedFlag' is set if a resource has been + * added or freed. + */ + + #ifdef NXAGENT_SERVER + if (*eltptr != elements || nxagentResChangedFlag) + #else if (*eltptr != elements) + #endif next = resources[i]; /* start over */ } } @@ -861,12 +906,44 @@ RestartLoop: { next = this->next; elements = *eltptr; + + /* + * FIXME: + * It is not safe to let a function change the resource + * table we are reading! + */ + + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 0; + #endif (*func)(this->value, this->id, this->type, cdata); + + /* + * Avoid that a call to RebuildTable() could invalidate the + * pointer. This is safe enough, because in RebuildTable() + * the new pointer is allocated just before the old one is + * freed, so it can't point to the same address. + */ + #ifdef NXAGENT_SERVER if (*resptr != resources) goto RestartLoop; #endif + + /* + * It's not enough to check if the number of elements has + * changed, beacause it could happen that the number of + * resources that have been added matches the number of + * the freed ones. + * 'nxagentResChangedFlag' is set if a resource has been + * added or freed. + */ + + #ifdef NXAGENT_SERVER + if (*eltptr != elements || nxagentResChangedFlag) + #else if (*eltptr != elements) + #endif next = resources[i]; /* start over */ } } diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c.NX.original index 9af5c4187..91e03cb0e 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXresource.c.NX.original @@ -201,6 +201,10 @@ void RegisterResourceName (RESTYPE type, char *name) #endif +#ifdef NXAGENT_SERVER +static int nxagentResChangedFlag = 0; +#endif + RESTYPE CreateNewResourceType(DeleteType deleteFunc) { @@ -590,6 +594,9 @@ AddResource(XID id, RESTYPE type, pointer value) res->value = value; *head = res; rrec->elements++; + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 1; + #endif if (!(id & SERVER_BIT) && (id >= rrec->expectID)) rrec->expectID = id + 1; return TRUE; @@ -675,6 +682,9 @@ FreeResource(XID id, RESTYPE skipDeleteFuncType) RESTYPE rtype = res->type; *prev = res->next; elements = --*eltptr; + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 1; + #endif if (rtype & RC_CACHED) FlushClientCaches(res->id); if (rtype != skipDeleteFuncType) @@ -715,6 +725,9 @@ FreeResourceByType(XID id, RESTYPE type, Bool skipFree) if (res->id == id && res->type == type) { *prev = res->next; + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 1; + #endif if (type & RC_CACHED) FlushClientCaches(res->id); if (!skipFree) @@ -809,12 +822,44 @@ RestartLoop: next = this->next; if (!type || this->type == type) { elements = *eltptr; + + /* + * FIXME: + * It is not safe to let a function change the resource + * table we are reading! + */ + + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 0; + #endif (*func)(this->value, this->id, cdata); + + /* + * Avoid that a call to RebuildTable() could invalidate the + * pointer. This is safe enough, because in RebuildTable() + * the new pointer is allocated just before the old one is + * freed, so it can't point to the same address. + */ + #ifdef NXAGENT_SERVER if (*resptr != resources) goto RestartLoop; #endif + + /* + * It's not enough to check if the number of elements has + * changed, beacause it could happen that the number of + * resources that have been added matches the number of + * the freed ones. + * 'nxagentResChangedFlag' is set if a resource has been + * added or freed. + */ + + #ifdef NXAGENT_SERVER + if (*eltptr != elements || nxagentResChangedFlag) + #else if (*eltptr != elements) + #endif next = resources[i]; /* start over */ } } @@ -861,12 +906,44 @@ RestartLoop: { next = this->next; elements = *eltptr; + + /* + * FIXME: + * It is not safe to let a function change the resource + * table we are reading! + */ + + #ifdef NXAGENT_SERVER + nxagentResChangedFlag = 0; + #endif (*func)(this->value, this->id, this->type, cdata); + + /* + * Avoid that a call to RebuildTable() could invalidate the + * pointer. This is safe enough, because in RebuildTable() + * the new pointer is allocated just before the old one is + * freed, so it can't point to the same address. + */ + #ifdef NXAGENT_SERVER if (*resptr != resources) goto RestartLoop; #endif + + /* + * It's not enough to check if the number of elements has + * changed, beacause it could happen that the number of + * resources that have been added matches the number of + * the freed ones. + * 'nxagentResChangedFlag' is set if a resource has been + * added or freed. + */ + + #ifdef NXAGENT_SERVER + if (*eltptr != elements || nxagentResChangedFlag) + #else if (*eltptr != elements) + #endif next = resources[i]; /* start over */ } } diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c index e3e4f4b83..a6d638ea7 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c @@ -967,8 +967,17 @@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original index e3e4f4b83..a6d638ea7 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.NX.original @@ -967,8 +967,17 @@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original index e2cf8cd24..f25bb9b5d 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXshm.c.X.original @@ -863,8 +863,17 @@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c b/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c index 7ba468ac0..24dad322f 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c @@ -153,6 +153,9 @@ extern Bool nxagentScreenTrap; * ******/ +static unsigned char _back_lsb[4] = {0x88, 0x22, 0x44, 0x11}; +static unsigned char _back_msb[4] = {0x11, 0x44, 0x22, 0x88}; + int screenIsSaved = SCREEN_SAVER_OFF; ScreenSaverStuffRec savedScreenInfo[MAXSCREENS]; @@ -355,18 +358,7 @@ void nxagentClearSplash(WindowPtr pW) (*pScreen->ChangeWindowAttributes)(pW, CWBackPixmap|CWBackPixel); } -static void -#if NeedFunctionPrototypes -MakeRootTile(WindowPtr pWin) -#else -MakeRootTile(pWin) - WindowPtr pWin; -#endif -{ - nxagentRootTileWindow = pWin; -} - -#else /* NXAGENT_SERVER */ +#endif /* NXAGENT_SERVER */ static void MakeRootTile(WindowPtr pWin) @@ -412,9 +404,10 @@ MakeRootTile(WindowPtr pWin) FreeScratchGC(pGC); -} - +#ifdef NXAGENT_SERVER + nxagentRootTileWindow = pWin; #endif /* NXAGENT_SERVER */ +} WindowPtr AllocateWindow(ScreenPtr pScreen) diff --git a/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c.NX.original b/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c.NX.original index 7ba468ac0..24dad322f 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c.NX.original +++ b/nx-X11/programs/Xserver/hw/nxagent/X/NXwindow.c.NX.original @@ -153,6 +153,9 @@ extern Bool nxagentScreenTrap; * ******/ +static unsigned char _back_lsb[4] = {0x88, 0x22, 0x44, 0x11}; +static unsigned char _back_msb[4] = {0x11, 0x44, 0x22, 0x88}; + int screenIsSaved = SCREEN_SAVER_OFF; ScreenSaverStuffRec savedScreenInfo[MAXSCREENS]; @@ -355,18 +358,7 @@ void nxagentClearSplash(WindowPtr pW) (*pScreen->ChangeWindowAttributes)(pW, CWBackPixmap|CWBackPixel); } -static void -#if NeedFunctionPrototypes -MakeRootTile(WindowPtr pWin) -#else -MakeRootTile(pWin) - WindowPtr pWin; -#endif -{ - nxagentRootTileWindow = pWin; -} - -#else /* NXAGENT_SERVER */ +#endif /* NXAGENT_SERVER */ static void MakeRootTile(WindowPtr pWin) @@ -412,9 +404,10 @@ MakeRootTile(WindowPtr pWin) FreeScratchGC(pGC); -} - +#ifdef NXAGENT_SERVER + nxagentRootTileWindow = pWin; #endif /* NXAGENT_SERVER */ +} WindowPtr AllocateWindow(ScreenPtr pScreen) |