authormarha <marha@users.sourceforge.net>2013-06-04 09:07:26 +0200
committermarha <marha@users.sourceforge.net>2013-06-04 09:07:26 +0200
commit150771e7aabf4c864b0b970c5b8d773634793abe (patch)
tree3d544cc0d8d06dd70e843d6ca7e4b0ef421d2758 /libX11/src/Font.c
parentfbe681216618af573ce29ca03b382b39b5919a52 (diff)
xwininfo fontconfig libX11 libXau libXdmcp libXext mesa libXinerama libxcb libxcb/xcb-proto libfontenc pixman xkbcomp mkfontscale xkeyboard-config git update 4 Jun 2013
xserver commit c21344add2fc589df83b29be5831c36a372201bd libxcb commit 9ae84ad187e2ba440c40f44b8eb21c82c2fdbf12 libxcb/xcb-proto commit bdfedfa57a13ff805580cfacafc70f9cc55df363 xkeyboard-config commit dad9ade4e83d1ef5a517fcc4cc9ad3a79b47acce libX11 commit 8496122eb00ce6cd5d2308ee54f64b68c378e455 libXdmcp commit 0b443c1b769b9c9a3b45b4252afe07e18b709ff4 libXext commit d8366afbb0d2e4fbb1e419b1187f490522270bea libfontenc commit 3acba630d8b57084f7e92c15732408711ed5137a libXinerama commit 6e1d1dc328ba8162bba2f4694e7f3c706a1491ff libXau commit 899790011304c4029e15abf410e49ce7cec17e0a xkbcomp commit ed582f4fccd4e23abcfba8b3b03649fea6414f44 pixman commit 2acfac5f8e097ee2ae225d986f981b55d65dd152 mkfontscale commit 19e2cb7c6a3ec2c5b1bc0d24866fa685eef0ee13 xwininfo commit ba0d1b0da21d2dbdd81098ed5778f3792b472e13 fontconfig commit cd9b1033a68816a7acfbba1718ba0aa5888f6ec7 mesa commit 7bafd88c153e395274b632e7eae4bc9fc3aec1d2
Diffstat (limited to 'libX11/src/Font.c')
-rw-r--r--libX11/src/Font.c90
1 files changed, 55 insertions, 35 deletions
diff --git a/libX11/src/Font.c b/libX11/src/Font.c
index 25e1790c8..a32f740bd 100644
--- a/libX11/src/Font.c
+++ b/libX11/src/Font.c
@@ -31,6 +31,7 @@ authorization from the X Consortium and the XFree86 Project.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#if defined(XF86BIGFONT)
#define USE_XF86BIGFONT
@@ -183,7 +184,8 @@ _XQueryFont (
unsigned long seq)
{
register XFontStruct *fs;
- register long nbytes;
+ unsigned long nbytes;
+ unsigned long reply_left; /* unused data words left in reply buffer */
xQueryFontReply reply;
register xResourceReq *req;
register _XExtension *ext;
@@ -211,9 +213,10 @@ _XQueryFont (
}
if (seq)
DeqAsyncHandler(dpy, &async);
- if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) {
- _XEatData(dpy, (unsigned long)(reply.nFontProps * SIZEOF(xFontProp) +
- reply.nCharInfos * SIZEOF(xCharInfo)));
+ reply_left = reply.length -
+ ((SIZEOF(xQueryFontReply) - SIZEOF(xReply)) >> 2);
+ if (! (fs = Xmalloc (sizeof (XFontStruct)))) {
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
fs->ext_data = NULL;
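Review bot: `reply_left = reply.length - ((SIZEOF(xQueryFontReply) - SIZEOF(xReply)) >> 2);` is an unsigned subtraction, so a reply whose length field is smaller than the fixed part wraps to a very large value and every later `(nbytes >> 2) <= reply_left` test passes. The `_XReply` call that fills `reply` is above this hunk, so whether it already rejects short replies cannot be confirmed from here. If it does not, compare first, e.g. `if (reply.length < ((SIZEOF(xQueryFontReply) - SIZEOF(xReply)) >> 2)) return (XFontStruct *)NULL;`, and otherwise add a comment saying where that guarantee comes from. The same computation in _XF86BigfontQueryFont (hunk at -445) needs the same treatment.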
@@ -239,16 +242,19 @@ _XQueryFont (
*/
fs->properties = NULL;
if (fs->n_properties > 0) {
- nbytes = reply.nFontProps * sizeof(XFontProp);
- fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes);
+ /* nFontProps is a CARD16 */
nbytes = reply.nFontProps * SIZEOF(xFontProp);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
+ fs->properties = Xmalloc (pbytes);
+ }
if (! fs->properties) {
Xfree((char *) fs);
- _XEatData(dpy, (unsigned long)
- (nbytes + reply.nCharInfos * SIZEOF(xCharInfo)));
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
_XRead32 (dpy, (long *)fs->properties, nbytes);
+ reply_left -= (nbytes >> 2);
}
/*
* If no characters in font, then it is a bad font, but
@@ -256,16 +262,21 @@ _XQueryFont (
*/
fs->per_char = NULL;
if (reply.nCharInfos > 0){
- nbytes = reply.nCharInfos * sizeof(XCharStruct);
- if (! (fs->per_char = (XCharStruct *) Xmalloc ((unsigned) nbytes))) {
+ /* nCharInfos is a CARD32 */
+ if (reply.nCharInfos < (INT_MAX / sizeof(XCharStruct))) {
+ nbytes = reply.nCharInfos * SIZEOF(xCharInfo);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t cibytes = reply.nCharInfos * sizeof(XCharStruct);
+ fs->per_char = Xmalloc (cibytes);
+ }
+ }
+ if (! fs->per_char) {
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
- _XEatData(dpy, (unsigned long)
- (reply.nCharInfos * SIZEOF(xCharInfo)));
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
- nbytes = reply.nCharInfos * SIZEOF(xCharInfo);
_XRead16 (dpy, (char *)fs->per_char, nbytes);
}
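Review bot: After the successful `_XRead16 (dpy, (char *)fs->per_char, nbytes);` the remaining word count is not updated, unlike the property path, which does `reply_left -= (nbytes >> 2);`. Because the size tests use `<=`, a reply may declare more words than the two arrays consume, and nothing in this hunk discards the excess on the success path. That would leave unread data in the connection for the next reply to trip over. Consider adding `reply_left -= (nbytes >> 2);` after the read and `if (reply_left) _XEatDataWords(dpy, reply_left);` once both arrays are read. The rest of _XQueryFont is outside the hunk, so a later drain cannot be ruled out.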
@@ -312,7 +323,7 @@ _XF86BigfontCodes (
if (pData)
return (XF86BigfontCodes *) pData->private_data;
- pData = (XExtData *) Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes));
+ pData = Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes));
if (!pData) {
/* Out of luck. */
return (XF86BigfontCodes *) NULL;
@@ -392,7 +403,8 @@ _XF86BigfontQueryFont (
unsigned long seq)
{
register XFontStruct *fs;
- register long nbytes;
+ unsigned long nbytes;
+ unsigned long reply_left; /* unused data left in reply buffer */
xXF86BigfontQueryFontReply reply;
register xXF86BigfontQueryFontReq *req;
register _XExtension *ext;
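Review bot: The comment on `reply_left` here says "unused data left in reply buffer" and omits the unit, whereas the matching declaration in _XQueryFont says "unused data words left". The unit matters because the value is compared with `nbytes >> 2` and passed to `_XEatDataWords`. Suggest `/* unused data words (4-byte units) left in reply buffer */` in both places.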
@@ -445,13 +457,10 @@ _XF86BigfontQueryFont (
DeqAsyncHandler(dpy, &async2);
if (seq)
DeqAsyncHandler(dpy, &async1);
- if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) {
- _XEatData(dpy,
- reply.nFontProps * SIZEOF(xFontProp)
- + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1)
- ? reply.nUniqCharInfos * SIZEOF(xCharInfo)
- + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16)
- : 0));
+ reply_left = reply.length -
+ ((SIZEOF(xXF86BigfontQueryFontReply) - SIZEOF(xReply)) >> 2);
+ if (! (fs = Xmalloc (sizeof (XFontStruct)))) {
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
fs->ext_data = NULL;
@@ -477,23 +486,33 @@ _XF86BigfontQueryFont (
*/
fs->properties = NULL;
if (fs->n_properties > 0) {
- nbytes = reply.nFontProps * sizeof(XFontProp);
- fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes);
+ /* nFontProps is a CARD16 */
nbytes = reply.nFontProps * SIZEOF(xFontProp);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
+ fs->properties = Xmalloc (pbytes);
+ }
if (! fs->properties) {
Xfree((char *) fs);
- _XEatData(dpy,
- nbytes
- + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1)
- ? reply.nUniqCharInfos * SIZEOF(xCharInfo)
- + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16)
- : 0));
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
_XRead32 (dpy, (long *)fs->properties, nbytes);
+ reply_left -= (nbytes >> 2);
}
fs->per_char = NULL;
+#ifndef LONG64
+ /* compares each part to half the maximum, which should be far more than
+ any real font needs, so the combined total doesn't overflow either */
+ if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) ||
+ reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) {
+ Xfree((char *) fs->properties);
+ Xfree((char *) fs);
+ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+#endif
if (reply.nCharInfos > 0) {
/* fprintf(stderr, "received font metrics, nCharInfos = %d, nUniqCharInfos = %d, shmid = %d\n", reply.nCharInfos, reply.nUniqCharInfos, reply.shmid); */
if (reply.shmid == (CARD32)(-1)) {
@@ -503,18 +522,18 @@ _XF86BigfontQueryFont (
nbytes = reply.nUniqCharInfos * SIZEOF(xCharInfo)
+ (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16);
- pUniqCI = (xCharInfo *) Xmalloc (nbytes);
+ pUniqCI = Xmalloc (nbytes);
if (!pUniqCI) {
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
- if (! (fs->per_char = (XCharStruct *) Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) {
+ if (! (fs->per_char = Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) {
Xfree((char *) pUniqCI);
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
_XRead16 (dpy, (char *) pUniqCI, nbytes);
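Review bot: `Xmalloc (reply.nCharInfos * sizeof(XCharStruct))` is still an unchecked multiplication. The `#ifndef LONG64` guard in the previous hunk bounds nCharInfos by `(ULONG_MAX / 2) / sizeof(CARD16)`, which is too loose for this product if XCharStruct is larger than a CARD16 (its definition is not on this page). On a 32-bit build the product could wrap and leave per_char smaller than nCharInfos entries for whatever fills it after the hunk. nbytes is also never compared with reply_left before `_XRead16`, unlike the property path. Mirroring _XQueryFont, take the existing free/eat/return path when `reply.nCharInfos >= (INT_MAX / sizeof(XCharStruct)) || (nbytes >> 2) > reply_left`, testing this before either allocation.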
@@ -537,7 +556,7 @@ _XF86BigfontQueryFont (
XEDataObject fs_union;
char *addr;
- pData = (XExtData *) Xmalloc(sizeof(XExtData));
+ pData = Xmalloc(sizeof(XExtData));
if (!pData) {
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
@@ -569,6 +588,7 @@ _XF86BigfontQueryFont (
if (!(extcodes->serverCapabilities & CAP_VerifiedLocal)) {
struct shmid_ds buf;
if (!(shmctl(reply.shmid, IPC_STAT, &buf) >= 0
+ && reply.nCharInfos < (LONG_MAX / sizeof(XCharStruct))
&& buf.shm_segsz >= reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct) + sizeof(CARD32)
&& *(CARD32 *)(addr + reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct)) == extcodes->serverSignature)) {
shmdt(addr);
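Review bot: The added `reply.nCharInfos < (LONG_MAX / sizeof(XCharStruct))` test bounds only the product, so the sum `reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct) + sizeof(CARD32)` on the next line can still wrap where that arithmetic is 32 bits wide. The operand types are not visible in this hunk, so this is inferred. A wrapped sum would satisfy `buf.shm_segsz >=` and the signature would then be read through `addr` at an offset outside the segment. Comparing by subtraction avoids the wrap: first require the product plus `sizeof(CARD32)` to be at most `buf.shm_segsz`, then require `reply.shmsegoffset` to be at most the difference. The enclosing `if` block continues outside the hunk.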