From 39c6e5aa859c633fcb48e299643bb0189f333a0d Mon Sep 17 00:00:00 2001 From: Thomas Klausner Date: Tue, 25 Jun 2013 22:35:29 +0200 Subject: Tighten out-of-range comparisons. [For all of these, LONG_MAX was the correct value to prevent overflows for the recent CVEs. Lowering to INT_MAX catches buggy replies from the server that 32-bit clients would reject but 64-bit would accept, so we catch bugs sooner, and really, no sane & working server should ever report more than 2gb of extension names, font path entries, key modifier maps, etc. -alan- ] Reviewed-by: Alan Coopersmith Signed-off-by: Alan Coopersmith Backported-to-NX-by: Ulrich Sibiller --- nx-X11/lib/X11/ListExt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nx-X11/lib/X11/ListExt.c') diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c index e925c4773..59599d1a6 100644 --- a/nx-X11/lib/X11/ListExt.c +++ b/nx-X11/lib/X11/ListExt.c @@ -55,7 +55,7 @@ char **XListExtensions( if (rep.nExtensions) { list = Xmalloc (rep.nExtensions * sizeof (char *)); - if (rep.length < (LONG_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc (rlen + 1); /* +1 to leave room for last null-terminator */ -- cgit v1.2.3 From 26256188b498e122e21ce0e05521dfc58f8b60a5 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 11 Aug 2013 00:07:33 -0700 Subject: Remove unnecessary casts of pointers to (char *) in calls to Xfree() Left one cast behind that is necessary to change from const char * to char * in nx-X11/lib/X11/lcCharSet.c. Signed-off-by: Alan Coopersmith Backported-to-NX-by: Ulrich Sibiller --- nx-X11/lib/X11/ListExt.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'nx-X11/lib/X11/ListExt.c') diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c index 59599d1a6..f40924df7 100644 --- a/nx-X11/lib/X11/ListExt.c +++ b/nx-X11/lib/X11/ListExt.c @@ -62,8 +62,8 @@ char **XListExtensions( } if ((!list) || (!ch)) { - if (list) Xfree((char *) list); - if (ch) Xfree((char *) ch); + if (list) Xfree(list); + if (ch) Xfree(ch); _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); @@ -99,7 +99,7 @@ XFreeExtensionList (char **list) { if (list != NULL) { Xfree (list[0]-1); - Xfree ((char *)list); + Xfree (list); } return 1; } -- cgit v1.2.3 From fc26b97ea9053a2aba54824243282e27bc4a1e15 Mon Sep 17 00:00:00 2001 From: walter harms Date: Thu, 5 Jun 2014 18:37:40 +0200 Subject: Remove redundant null checks before free This patch removes some redundant null checks before free. It should not change the code otherwise. Be aware that this is only the first series. Signed-off-by: Harms Reviewed-by: Alan Coopersmith Signed-off-by: Alan Coopersmith Backported-to-NX-by: Ulrich Sibiller --- nx-X11/lib/X11/ListExt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nx-X11/lib/X11/ListExt.c') diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c index f40924df7..431ae6784 100644 --- a/nx-X11/lib/X11/ListExt.c +++ b/nx-X11/lib/X11/ListExt.c @@ -62,8 +62,8 @@ char **XListExtensions( } if ((!list) || (!ch)) { - if (list) Xfree(list); - if (ch) Xfree(ch); + Xfree(list); + Xfree(ch); _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); -- cgit v1.2.3 From 73f2d66e0ec90ac5140e5015ca511f914016786e Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Tue, 19 May 2015 12:30:22 +1000 Subject: Fix three "use of uninitialized variable" coverity warnings False positive, if rlen/nbytes are unset we quit early before using it. Still, initialize it so we don't have to deal with these warnings again. Signed-off-by: Peter Hutterer Reviewed-by: Hans de Goede Reviewed-by: Alan Coopersmith Backported-to-NX-by: Ulrich Sibiller --- nx-X11/lib/X11/ListExt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'nx-X11/lib/X11/ListExt.c') diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c index 431ae6784..be6b989a3 100644 --- a/nx-X11/lib/X11/ListExt.c +++ b/nx-X11/lib/X11/ListExt.c @@ -42,7 +42,7 @@ char **XListExtensions( register unsigned i; register int length; register xReq *req; - unsigned long rlen; + unsigned long rlen = 0; LockDisplay(dpy); GetEmptyReq (ListExtensions, req); -- cgit v1.2.3 From b17557f9f0cd0ba992415411040e20390fa881f0 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sun, 25 Sep 2016 21:22:57 +0200 Subject: The validation of server responses avoids out of boundary accesses. v2: FontNames.c return a NULL list whenever a single length field from the server is incohent. Signed-off-by: Tobias Stoeckmann Reviewed-by: Matthieu Herrb Backported-to-NX-by: Ulrich Sibiller --- nx-X11/lib/X11/ListExt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'nx-X11/lib/X11/ListExt.c') diff --git a/nx-X11/lib/X11/ListExt.c b/nx-X11/lib/X11/ListExt.c index be6b989a3..0516e4596 100644 --- a/nx-X11/lib/X11/ListExt.c +++ b/nx-X11/lib/X11/ListExt.c @@ -55,7 +55,7 @@ char **XListExtensions( if (rep.nExtensions) { list = Xmalloc (rep.nExtensions * sizeof (char *)); - if (rep.length < (INT_MAX >> 2)) { + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc (rlen + 1); /* +1 to leave room for last null-terminator */ @@ -80,9 +80,13 @@ char **XListExtensions( if (ch + length < chend) { list[i] = ch+1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *ch; - *ch = '\0'; /* and replace with null-termination */ - count++; + if (ch <= chend) { + length = *ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else { + list[i] = NULL; + } } else list[i] = NULL; } -- cgit v1.2.3