diff options
author | marha <marha@users.sourceforge.net> | 2013-06-04 09:07:26 +0200 |
---|---|---|
committer | marha <marha@users.sourceforge.net> | 2013-06-04 09:48:59 +0200 |
commit | fd2b28971a2afbf54b6cb641aa6a2d5e940a1450 (patch) | |
tree | 1b103a8b2114125ffa8d79827d931aba3744a0d2 /libX11/src | |
parent | 62a1ce0583cf41c173f4edb91511430b552e04da (diff) | |
download | vcxsrv-fd2b28971a2afbf54b6cb641aa6a2d5e940a1450.tar.gz vcxsrv-fd2b28971a2afbf54b6cb641aa6a2d5e940a1450.tar.bz2 vcxsrv-fd2b28971a2afbf54b6cb641aa6a2d5e940a1450.zip |
xwininfo fontconfig libX11 libXau libXdmcp libXext mesa libXinerama libxcb libxcb/xcb-proto libfontenc pixman xkbcomp mkfontscale xkeyboard-config git update 4 Jun 2013
xserver commit c21344add2fc589df83b29be5831c36a372201bd
libxcb commit 9ae84ad187e2ba440c40f44b8eb21c82c2fdbf12
libxcb/xcb-proto commit bdfedfa57a13ff805580cfacafc70f9cc55df363
xkeyboard-config commit dad9ade4e83d1ef5a517fcc4cc9ad3a79b47acce
libX11 commit 8496122eb00ce6cd5d2308ee54f64b68c378e455
libXdmcp commit 0b443c1b769b9c9a3b45b4252afe07e18b709ff4
libXext commit d8366afbb0d2e4fbb1e419b1187f490522270bea
libfontenc commit 3acba630d8b57084f7e92c15732408711ed5137a
libXinerama commit 6e1d1dc328ba8162bba2f4694e7f3c706a1491ff
libXau commit 899790011304c4029e15abf410e49ce7cec17e0a
xkbcomp commit ed582f4fccd4e23abcfba8b3b03649fea6414f44
pixman commit 2acfac5f8e097ee2ae225d986f981b55d65dd152
mkfontscale commit 19e2cb7c6a3ec2c5b1bc0d24866fa685eef0ee13
xwininfo commit ba0d1b0da21d2dbdd81098ed5778f3792b472e13
fontconfig commit cd9b1033a68816a7acfbba1718ba0aa5888f6ec7
mesa commit 7bafd88c153e395274b632e7eae4bc9fc3aec1d2
Diffstat (limited to 'libX11/src')
66 files changed, 604 insertions, 413 deletions
diff --git a/libX11/src/AllCells.c b/libX11/src/AllCells.c index ddd9c22ef..6e97e1181 100644 --- a/libX11/src/AllCells.c +++ b/libX11/src/AllCells.c @@ -53,8 +53,13 @@ Status XAllocColorCells( status = _XReply(dpy, (xReply *)&rep, 0, xFalse); if (status) { - _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels)); - _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks)); + if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) { + _XEatDataWords(dpy, rep.length); + status = 0; /* Failure */ + } else { + _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels)); + _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks)); + } } UnlockDisplay(dpy); diff --git a/libX11/src/Cmap.h b/libX11/src/Cmap.h index 062b5383b..78cc3ea67 100644 --- a/libX11/src/Cmap.h +++ b/libX11/src/Cmap.h @@ -2,6 +2,8 @@ #ifndef _CMAP_H_ #define _CMAP_H_ +#include <X11/Xlib.h> + extern void _XcmsDeleteCmapRec( Display *dpy, diff --git a/libX11/src/Context.c b/libX11/src/Context.c index 79ae7d66c..4bb465b1a 100644 --- a/libX11/src/Context.c +++ b/libX11/src/Context.c @@ -111,7 +111,7 @@ static void ResizeTable(DB db) otable = db->table; for (i = INITHASHMASK+1; (i + i) < db->numentries; ) i += i; - db->table = (TableEntry *) Xcalloc((unsigned)i, sizeof(TableEntry)); + db->table = Xcalloc(i, sizeof(TableEntry)); if (!db->table) { db->table = otable; return; @@ -180,11 +180,11 @@ int XSaveContext( UnlockDisplay(display); } if (!db) { - db = (DB) Xmalloc(sizeof(DBRec)); + db = Xmalloc(sizeof(DBRec)); if (!db) return XCNOMEM; db->mask = INITHASHMASK; - db->table = (TableEntry *)Xcalloc(db->mask + 1, sizeof(TableEntry)); + db->table = Xcalloc(db->mask + 1, sizeof(TableEntry)); if (!db->table) { Xfree((char *)db); return XCNOMEM; @@ -210,7 +210,7 @@ int XSaveContext( return 0; } } - entry = (TableEntry) Xmalloc(sizeof(TableEntryRec)); + entry = Xmalloc(sizeof(TableEntryRec)); if (!entry) return XCNOMEM; entry->rid = rid; diff --git a/libX11/src/Cr.h b/libX11/src/Cr.h index 800c9ab1c..635e9e452 100644 --- a/libX11/src/Cr.h +++ b/libX11/src/Cr.h @@ -2,6 +2,8 @@ #ifndef _CR_H_ #define _CR_H_ +#include <X11/Xlib.h> + extern int _XUpdateGCCache( register GC gc, register unsigned long mask, diff --git a/libX11/src/CrGC.c b/libX11/src/CrGC.c index 11de94c1f..2d5f17c00 100644 --- a/libX11/src/CrGC.c +++ b/libX11/src/CrGC.c @@ -72,7 +72,7 @@ GC XCreateGC ( register _XExtension *ext; LockDisplay(dpy); - if ((gc = (GC)Xmalloc (sizeof(struct _XGC))) == NULL) { + if ((gc = Xmalloc (sizeof(struct _XGC))) == NULL) { UnlockDisplay(dpy); SyncHandle(); return (NULL); diff --git a/libX11/src/Depths.c b/libX11/src/Depths.c index f49655cb2..a8b719d00 100644 --- a/libX11/src/Depths.c +++ b/libX11/src/Depths.c @@ -49,7 +49,7 @@ int *XListDepths ( register Depth *dp; register int i; - depths = (int *) Xmalloc (count * sizeof(int)); + depths = Xmalloc (count * sizeof(int)); if (!depths) return NULL; for (i = 0, dp = scr->depths; i < count; i++, dp++) depths[i] = dp->depth; diff --git a/libX11/src/FSWrap.c b/libX11/src/FSWrap.c index 63ca00e05..49ec3ff29 100644 --- a/libX11/src/FSWrap.c +++ b/libX11/src/FSWrap.c @@ -112,7 +112,7 @@ _XParseBaseFontNameList( if (!*ptr) break; } - if (!(list = (char **) Xmalloc((unsigned)sizeof(char *) * (*num + 1)))) { + if (!(list = Xmalloc(sizeof(char *) * (*num + 1)))) { Xfree(psave); return (char **)NULL; } @@ -133,7 +133,7 @@ copy_string_list( if (string_list == NULL || list_count <= 0) return (char **) NULL; - string_list_ret = (char **) Xmalloc(sizeof(char *) * list_count); + string_list_ret = Xmalloc(sizeof(char *) * list_count); if (string_list_ret == NULL) return (char **) NULL; @@ -142,7 +142,7 @@ copy_string_list( for (length = 0; count-- > 0; list_src++) length += strlen(*list_src) + 1; - dst = (char *) Xmalloc(length); + dst = Xmalloc(length); if (dst == NULL) { Xfree(string_list_ret); return (char **) NULL; diff --git a/libX11/src/Font.c b/libX11/src/Font.c index 25e1790c8..a32f740bd 100644 --- a/libX11/src/Font.c +++ b/libX11/src/Font.c @@ -31,6 +31,7 @@ authorization from the X Consortium and the XFree86 Project. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> #if defined(XF86BIGFONT) #define USE_XF86BIGFONT @@ -183,7 +184,8 @@ _XQueryFont ( unsigned long seq) { register XFontStruct *fs; - register long nbytes; + unsigned long nbytes; + unsigned long reply_left; /* unused data words left in reply buffer */ xQueryFontReply reply; register xResourceReq *req; register _XExtension *ext; @@ -211,9 +213,10 @@ _XQueryFont ( } if (seq) DeqAsyncHandler(dpy, &async); - if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) { - _XEatData(dpy, (unsigned long)(reply.nFontProps * SIZEOF(xFontProp) + - reply.nCharInfos * SIZEOF(xCharInfo))); + reply_left = reply.length - + ((SIZEOF(xQueryFontReply) - SIZEOF(xReply)) >> 2); + if (! (fs = Xmalloc (sizeof (XFontStruct)))) { + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } fs->ext_data = NULL; @@ -239,16 +242,19 @@ _XQueryFont ( */ fs->properties = NULL; if (fs->n_properties > 0) { - nbytes = reply.nFontProps * sizeof(XFontProp); - fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes); + /* nFontProps is a CARD16 */ nbytes = reply.nFontProps * SIZEOF(xFontProp); + if ((nbytes >> 2) <= reply_left) { + size_t pbytes = reply.nFontProps * sizeof(XFontProp); + fs->properties = Xmalloc (pbytes); + } if (! fs->properties) { Xfree((char *) fs); - _XEatData(dpy, (unsigned long) - (nbytes + reply.nCharInfos * SIZEOF(xCharInfo))); + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } _XRead32 (dpy, (long *)fs->properties, nbytes); + reply_left -= (nbytes >> 2); } /* * If no characters in font, then it is a bad font, but @@ -256,16 +262,21 @@ _XQueryFont ( */ fs->per_char = NULL; if (reply.nCharInfos > 0){ - nbytes = reply.nCharInfos * sizeof(XCharStruct); - if (! (fs->per_char = (XCharStruct *) Xmalloc ((unsigned) nbytes))) { + /* nCharInfos is a CARD32 */ + if (reply.nCharInfos < (INT_MAX / sizeof(XCharStruct))) { + nbytes = reply.nCharInfos * SIZEOF(xCharInfo); + if ((nbytes >> 2) <= reply_left) { + size_t cibytes = reply.nCharInfos * sizeof(XCharStruct); + fs->per_char = Xmalloc (cibytes); + } + } + if (! fs->per_char) { if (fs->properties) Xfree((char *) fs->properties); Xfree((char *) fs); - _XEatData(dpy, (unsigned long) - (reply.nCharInfos * SIZEOF(xCharInfo))); + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } - nbytes = reply.nCharInfos * SIZEOF(xCharInfo); _XRead16 (dpy, (char *)fs->per_char, nbytes); } @@ -312,7 +323,7 @@ _XF86BigfontCodes ( if (pData) return (XF86BigfontCodes *) pData->private_data; - pData = (XExtData *) Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes)); + pData = Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes)); if (!pData) { /* Out of luck. */ return (XF86BigfontCodes *) NULL; @@ -392,7 +403,8 @@ _XF86BigfontQueryFont ( unsigned long seq) { register XFontStruct *fs; - register long nbytes; + unsigned long nbytes; + unsigned long reply_left; /* unused data left in reply buffer */ xXF86BigfontQueryFontReply reply; register xXF86BigfontQueryFontReq *req; register _XExtension *ext; @@ -445,13 +457,10 @@ _XF86BigfontQueryFont ( DeqAsyncHandler(dpy, &async2); if (seq) DeqAsyncHandler(dpy, &async1); - if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) { - _XEatData(dpy, - reply.nFontProps * SIZEOF(xFontProp) - + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1) - ? reply.nUniqCharInfos * SIZEOF(xCharInfo) - + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16) - : 0)); + reply_left = reply.length - + ((SIZEOF(xXF86BigfontQueryFontReply) - SIZEOF(xReply)) >> 2); + if (! (fs = Xmalloc (sizeof (XFontStruct)))) { + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } fs->ext_data = NULL; @@ -477,23 +486,33 @@ _XF86BigfontQueryFont ( */ fs->properties = NULL; if (fs->n_properties > 0) { - nbytes = reply.nFontProps * sizeof(XFontProp); - fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes); + /* nFontProps is a CARD16 */ nbytes = reply.nFontProps * SIZEOF(xFontProp); + if ((nbytes >> 2) <= reply_left) { + size_t pbytes = reply.nFontProps * sizeof(XFontProp); + fs->properties = Xmalloc (pbytes); + } if (! fs->properties) { Xfree((char *) fs); - _XEatData(dpy, - nbytes - + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1) - ? reply.nUniqCharInfos * SIZEOF(xCharInfo) - + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16) - : 0)); + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } _XRead32 (dpy, (long *)fs->properties, nbytes); + reply_left -= (nbytes >> 2); } fs->per_char = NULL; +#ifndef LONG64 + /* compares each part to half the maximum, which should be far more than + any real font needs, so the combined total doesn't overflow either */ + if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) || + reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) { + Xfree((char *) fs->properties); + Xfree((char *) fs); + _XEatDataWords(dpy, reply_left); + return (XFontStruct *)NULL; + } +#endif if (reply.nCharInfos > 0) { /* fprintf(stderr, "received font metrics, nCharInfos = %d, nUniqCharInfos = %d, shmid = %d\n", reply.nCharInfos, reply.nUniqCharInfos, reply.shmid); */ if (reply.shmid == (CARD32)(-1)) { @@ -503,18 +522,18 @@ _XF86BigfontQueryFont ( nbytes = reply.nUniqCharInfos * SIZEOF(xCharInfo) + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16); - pUniqCI = (xCharInfo *) Xmalloc (nbytes); + pUniqCI = Xmalloc (nbytes); if (!pUniqCI) { if (fs->properties) Xfree((char *) fs->properties); Xfree((char *) fs); - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } - if (! (fs->per_char = (XCharStruct *) Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) { + if (! (fs->per_char = Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) { Xfree((char *) pUniqCI); if (fs->properties) Xfree((char *) fs->properties); Xfree((char *) fs); - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, reply_left); return (XFontStruct *)NULL; } _XRead16 (dpy, (char *) pUniqCI, nbytes); @@ -537,7 +556,7 @@ _XF86BigfontQueryFont ( XEDataObject fs_union; char *addr; - pData = (XExtData *) Xmalloc(sizeof(XExtData)); + pData = Xmalloc(sizeof(XExtData)); if (!pData) { if (fs->properties) Xfree((char *) fs->properties); Xfree((char *) fs); @@ -569,6 +588,7 @@ _XF86BigfontQueryFont ( if (!(extcodes->serverCapabilities & CAP_VerifiedLocal)) { struct shmid_ds buf; if (!(shmctl(reply.shmid, IPC_STAT, &buf) >= 0 + && reply.nCharInfos < (LONG_MAX / sizeof(XCharStruct)) && buf.shm_segsz >= reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct) + sizeof(CARD32) && *(CARD32 *)(addr + reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct)) == extcodes->serverSignature)) { shmdt(addr); diff --git a/libX11/src/FontInfo.c b/libX11/src/FontInfo.c index fb296b8a8..0cb5b1910 100644 --- a/libX11/src/FontInfo.c +++ b/libX11/src/FontInfo.c @@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> #if defined(XF86BIGFONT) #define USE_XF86BIGFONT @@ -45,10 +46,11 @@ int maxNames, int *actualCount, /* RETURN */ XFontStruct **info) /* RETURN */ { - register long nbytes; + unsigned long nbytes; + unsigned long reply_left; /* unused data left in reply buffer */ register int i; register XFontStruct *fs; - register int size = 0; + unsigned int size = 0; XFontStruct *finfo = NULL; char **flist = NULL; xListFontsWithInfoReply reply; @@ -67,52 +69,44 @@ XFontStruct **info) /* RETURN */ if (!_XReply (dpy, (xReply *) &reply, ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply)) >> 2), xFalse)) { - for (j=(i-1); (j >= 0); j--) { - Xfree(flist[j]); - if (finfo[j].properties) Xfree((char *) finfo[j].properties); - } - if (flist) Xfree((char *) flist); - if (finfo) Xfree((char *) finfo); - UnlockDisplay(dpy); - SyncHandle(); - return ((char **) NULL); + reply.nameLength = 0; /* avoid trying to read more replies */ + reply_left = 0; + goto badmem; } - if (reply.nameLength == 0) + reply_left = reply.length - + ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply)) >> 2); + if (reply.nameLength == 0) { + _XEatDataWords(dpy, reply_left); break; + } + if (reply.nReplies >= (INT_MAX - i)) /* avoid overflowing size */ + goto badmem; if ((i + reply.nReplies) >= size) { size = i + reply.nReplies + 1; + if (size >= (INT_MAX / sizeof(XFontStruct))) + goto badmem; + if (finfo) { - XFontStruct * tmp_finfo = (XFontStruct *) - Xrealloc ((char *) finfo, - (unsigned) (sizeof(XFontStruct) * size)); - char ** tmp_flist = (char **) - Xrealloc ((char *) flist, - (unsigned) (sizeof(char *) * (size+1))); + XFontStruct * tmp_finfo; + char ** tmp_flist; + tmp_finfo = Xrealloc (finfo, sizeof(XFontStruct) * size); if (tmp_finfo) finfo = tmp_finfo; + else + goto badmem; + + tmp_flist = Xrealloc (flist, sizeof(char *) * (size+1)); if (tmp_flist) flist = tmp_flist; - - if ((! tmp_finfo) || (! tmp_flist)) { - /* free all the memory that we allocated */ - for (j=(i-1); (j >= 0); j--) { - Xfree(flist[j]); - if (finfo[j].properties) - Xfree((char *) finfo[j].properties); - } - Xfree((char *) flist); - Xfree((char *) finfo); - goto clearwire; - } + else + goto badmem; } else { - if (! (finfo = (XFontStruct *) - Xmalloc((unsigned) (sizeof(XFontStruct) * size)))) + if (! (finfo = Xmalloc(sizeof(XFontStruct) * size))) goto clearwire; - if (! (flist = (char **) - Xmalloc((unsigned) (sizeof(char *) * (size+1))))) { + if (! (flist = Xmalloc(sizeof(char *) * (size+1)))) { Xfree((char *) finfo); goto clearwire; } @@ -138,24 +132,27 @@ XFontStruct **info) /* RETURN */ fs->max_bounds = * (XCharStruct *) &reply.maxBounds; fs->n_properties = reply.nFontProps; + fs->properties = NULL; if (fs->n_properties > 0) { - nbytes = reply.nFontProps * sizeof(XFontProp); - if (! (fs->properties = (XFontProp *) Xmalloc((unsigned) nbytes))) - goto badmem; + /* nFontProps is a CARD16 */ nbytes = reply.nFontProps * SIZEOF(xFontProp); + if ((nbytes >> 2) <= reply_left) { + size_t pbytes = reply.nFontProps * sizeof(XFontProp); + fs->properties = Xmalloc (pbytes); + } + if (! fs->properties) + goto badmem; _XRead32 (dpy, (long *)fs->properties, nbytes); + reply_left -= (nbytes >> 2); + } - } else - fs->properties = NULL; - - j = reply.nameLength + 1; + /* nameLength is a CARD8 */ + nbytes = reply.nameLength + 1; if (!i) - j++; /* make first string 1 byte longer, to match XListFonts */ - flist[i] = (char *) Xmalloc ((unsigned int) j); + nbytes++; /* make first string 1 byte longer, to match XListFonts */ + flist[i] = Xmalloc (nbytes); if (! flist[i]) { if (finfo[i].properties) Xfree((char *) finfo[i].properties); - nbytes = (reply.nameLength + 3) & ~3; - _XEatData(dpy, (unsigned long) nbytes); goto badmem; } if (!i) { @@ -177,27 +174,25 @@ XFontStruct **info) /* RETURN */ badmem: /* Free all memory allocated by this function. */ for (j=(i-1); (j >= 0); j--) { - Xfree(flist[j]); - if (finfo[j].properties) Xfree((char *) finfo[j].properties); + if (j == 0) + flist[j]--; /* was incremented above */ + Xfree(flist[j]); + if (finfo[j].properties) Xfree((char *) finfo[j].properties); } if (flist) Xfree((char *) flist); if (finfo) Xfree((char *) finfo); clearwire: /* Clear the wire. */ - do { - if (reply.nFontProps) - _XEatData(dpy, (unsigned long) - (reply.nFontProps * SIZEOF(xFontProp))); - nbytes = (reply.nameLength + 3) & ~3; - _XEatData(dpy, (unsigned long) nbytes); - } - while (_XReply(dpy,(xReply *) &reply, ((SIZEOF(xListFontsWithInfoReply) - - SIZEOF(xGenericReply)) >> 2), - xFalse) && (reply.nameLength != 0)); - + _XEatDataWords(dpy, reply_left); + while ((reply.nameLength != 0) && + _XReply(dpy, (xReply *) &reply, + ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply)) + >> 2), xTrue)); UnlockDisplay(dpy); SyncHandle(); + *info = NULL; + *actualCount = 0; return (char **) NULL; } diff --git a/libX11/src/FontNames.c b/libX11/src/FontNames.c index 3018cf2cf..b5bc7b4ba 100644 --- a/libX11/src/FontNames.c +++ b/libX11/src/FontNames.c @@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> char ** XListFonts( @@ -40,11 +41,13 @@ int *actualCount) /* RETURN */ register long nbytes; register unsigned i; register int length; - char **flist; - char *ch; + char **flist = NULL; + char *ch = NULL; + char *chend; + int count = 0; xListFontsReply rep; register xListFontsReq *req; - register long rlen; + unsigned long rlen; LockDisplay(dpy); GetReq(ListFonts, req); @@ -62,15 +65,17 @@ int *actualCount) /* RETURN */ } if (rep.nFonts) { - flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *)); - rlen = rep.length << 2; - ch = (char *) Xmalloc((unsigned) (rlen + 1)); + flist = Xmalloc (rep.nFonts * sizeof(char *)); + if (rep.length < (LONG_MAX >> 2)) { + rlen = rep.length << 2; + ch = Xmalloc(rlen + 1); /* +1 to leave room for last null-terminator */ + } if ((! flist) || (! ch)) { if (flist) Xfree((char *) flist); if (ch) Xfree(ch); - _XEatData(dpy, (unsigned long) rlen); + _XEatDataWords(dpy, rep.length); *actualCount = 0; UnlockDisplay(dpy); SyncHandle(); @@ -81,17 +86,21 @@ int *actualCount) /* RETURN */ /* * unpack into null terminated strings. */ + chend = ch + (rlen + 1); length = *(unsigned char *)ch; *ch = 1; /* make sure it is non-zero for XFreeFontNames */ for (i = 0; i < rep.nFonts; i++) { - flist[i] = ch + 1; /* skip over length */ - ch += length + 1; /* find next length ... */ - length = *(unsigned char *)ch; - *ch = '\0'; /* and replace with null-termination */ + if (ch + length < chend) { + flist[i] = ch + 1; /* skip over length */ + ch += length + 1; /* find next length ... */ + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else + flist[i] = NULL; } } - else flist = (char **) NULL; - *actualCount = rep.nFonts; + *actualCount = count; UnlockDisplay(dpy); SyncHandle(); return (flist); diff --git a/libX11/src/GetAtomNm.c b/libX11/src/GetAtomNm.c index 9823c690c..32de50d23 100644 --- a/libX11/src/GetAtomNm.c +++ b/libX11/src/GetAtomNm.c @@ -46,7 +46,7 @@ char *_XGetAtomName( for (idx = TABLESIZE; --idx >= 0; ) { if ((e = *table++) && (e->atom == atom)) { idx = strlen(EntryName(e)) + 1; - if ((name = (char *)Xmalloc(idx))) + if ((name = Xmalloc(idx))) strcpy(name, EntryName(e)); return name; } @@ -73,12 +73,12 @@ char *XGetAtomName( SyncHandle(); return(NULL); } - if ((name = (char *) Xmalloc(rep.nameLength+1))) { + if ((name = Xmalloc(rep.nameLength + 1))) { _XReadPad(dpy, name, (long)rep.nameLength); name[rep.nameLength] = '\0'; _XUpdateAtomCache(dpy, name, atom, 0, -1, 0); } else { - _XEatData(dpy, (unsigned long) (rep.nameLength + 3) & ~3); + _XEatDataWords(dpy, rep.length); name = (char *) NULL; } UnlockDisplay(dpy); @@ -124,7 +124,7 @@ Bool _XGetAtomNameHandler( _XGetAsyncReply(dpy, (char *)&replbuf, rep, buf, len, (SIZEOF(xGetAtomNameReply) - SIZEOF(xReply)) >> 2, False); - state->names[state->idx] = (char *) Xmalloc(repl->nameLength+1); + state->names[state->idx] = Xmalloc(repl->nameLength + 1); _XGetAsyncData(dpy, state->names[state->idx], buf, len, SIZEOF(xGetAtomNameReply), repl->nameLength, repl->length << 2); @@ -170,13 +170,13 @@ XGetAtomNames ( } if (missed >= 0) { if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - if ((names_return[missed] = (char *) Xmalloc(rep.nameLength+1))) { + if ((names_return[missed] = Xmalloc(rep.nameLength + 1))) { _XReadPad(dpy, names_return[missed], (long)rep.nameLength); names_return[missed][rep.nameLength] = '\0'; _XUpdateAtomCache(dpy, names_return[missed], atoms[missed], 0, -1, 0); } else { - _XEatData(dpy, (unsigned long) (rep.nameLength + 3) & ~3); + _XEatDataWords(dpy, rep.length); async_state.status = 0; } } diff --git a/libX11/src/GetDflt.c b/libX11/src/GetDflt.c index d32b3c65a..68ab4c918 100644 --- a/libX11/src/GetDflt.c +++ b/libX11/src/GetDflt.c @@ -52,30 +52,7 @@ SOFTWARE. #include "Xlibint.h" #include <X11/Xos.h> #include <X11/Xresource.h> - -#ifndef X_NOT_POSIX -#ifdef _POSIX_SOURCE -#include <limits.h> -#else -#define _POSIX_SOURCE -#include <limits.h> -#undef _POSIX_SOURCE -#endif -#endif -#ifndef PATH_MAX -#ifdef WIN32 -#define PATH_MAX 512 -#else -#include <sys/param.h> -#endif -#ifndef PATH_MAX -#ifdef MAXPATHLEN -#define PATH_MAX MAXPATHLEN -#else -#define PATH_MAX 1024 -#endif -#endif -#endif +#include "pathmax.h" #ifdef XTHREADS #include <X11/Xthreads.h> diff --git a/libX11/src/GetFPath.c b/libX11/src/GetFPath.c index 7d497c92e..abd4a5dbd 100644 --- a/libX11/src/GetFPath.c +++ b/libX11/src/GetFPath.c @@ -28,15 +28,18 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> char **XGetFontPath( register Display *dpy, int *npaths) /* RETURN */ { xGetFontPathReply rep; - register long nbytes; - char **flist; - char *ch; + unsigned long nbytes; + char **flist = NULL; + char *ch = NULL; + char *chend; + int count = 0; register unsigned i; register int length; register xReq *req; @@ -46,16 +49,17 @@ char **XGetFontPath( (void) _XReply (dpy, (xReply *) &rep, 0, xFalse); if (rep.nPaths) { - flist = (char **) - Xmalloc((unsigned) rep.nPaths * sizeof (char *)); - nbytes = (long)rep.length << 2; - ch = (char *) Xmalloc ((unsigned) (nbytes + 1)); + flist = Xmalloc(rep.nPaths * sizeof (char *)); + if (rep.length < (LONG_MAX >> 2)) { + nbytes = (unsigned long) rep.length << 2; + ch = Xmalloc (nbytes + 1); /* +1 to leave room for last null-terminator */ + } if ((! flist) || (! ch)) { if (flist) Xfree((char *) flist); if (ch) Xfree(ch); - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (char **) NULL; @@ -65,16 +69,20 @@ char **XGetFontPath( /* * unpack into null terminated strings. */ + chend = ch + (nbytes + 1); length = *ch; for (i = 0; i < rep.nPaths; i++) { - flist[i] = ch+1; /* skip over length */ - ch += length + 1; /* find next length ... */ - length = *ch; - *ch = '\0'; /* and replace with null-termination */ + if (ch + length < chend) { + flist[i] = ch+1; /* skip over length */ + ch += length + 1; /* find next length ... */ + length = *ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else + flist[i] = NULL; } } - else flist = NULL; - *npaths = rep.nPaths; + *npaths = count; UnlockDisplay(dpy); SyncHandle(); return (flist); diff --git a/libX11/src/GetHints.c b/libX11/src/GetHints.c index 4800fe793..3c410d33d 100644 --- a/libX11/src/GetHints.c +++ b/libX11/src/GetHints.c @@ -128,7 +128,7 @@ XWMHints *XGetWMHints ( return(NULL); } /* static copies not allowed in library, due to reentrancy constraint*/ - if ((hints = (XWMHints *) Xcalloc (1, (unsigned) sizeof(XWMHints)))) { + if ((hints = Xcalloc (1, sizeof(XWMHints)))) { hints->flags = prop->flags; hints->input = (prop->input ? True : False); hints->initial_state = cvtINT32toInt (prop->initialState); @@ -203,8 +203,7 @@ Status XGetIconSizes ( /* static copies not allowed in library, due to reentrancy constraint*/ nitems /= NumPropIconSizeElements; - if (! (hp = hints = (XIconSize *) - Xcalloc ((unsigned) nitems, (unsigned) sizeof(XIconSize)))) { + if (! (hp = hints = Xcalloc (nitems, sizeof(XIconSize)))) { if (prop) Xfree ((char *) prop); return 0; } @@ -317,14 +316,14 @@ XGetClassHint( if ( (actual_type == XA_STRING) && (actual_format == 8) ) { len_name = strlen((char *) data); - if (! (classhint->res_name = Xmalloc((unsigned) (len_name+1)))) { + if (! (classhint->res_name = Xmalloc(len_name + 1))) { Xfree((char *) data); return (0); } strcpy(classhint->res_name, (char *) data); if (len_name == nitems) len_name--; len_class = strlen((char *) (data+len_name+1)); - if (! (classhint->res_class = Xmalloc((unsigned) (len_class+1)))) { + if (! (classhint->res_class = Xmalloc(len_class + 1))) { Xfree(classhint->res_name); classhint->res_name = (char *) NULL; Xfree((char *) data); diff --git a/libX11/src/GetImage.c b/libX11/src/GetImage.c index e8f1b0309..c461abc09 100644 --- a/libX11/src/GetImage.c +++ b/libX11/src/GetImage.c @@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. #include "Xlibint.h" #include <X11/Xutil.h> /* for XDestroyImage */ #include "ImUtil.h" +#include <limits.h> #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad)) @@ -56,7 +57,7 @@ XImage *XGetImage ( xGetImageReply rep; register xGetImageReq *req; char *data; - long nbytes; + unsigned long nbytes; XImage *image; LockDisplay(dpy); GetReq (GetImage, req); @@ -78,10 +79,13 @@ XImage *XGetImage ( return (XImage *)NULL; } - nbytes = (long)rep.length << 2; - data = (char *) Xmalloc((unsigned) nbytes); + if (rep.length < (INT_MAX >> 2)) { + nbytes = (unsigned long)rep.length << 2; + data = Xmalloc(nbytes); + } else + data = NULL; if (! data) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (XImage *) NULL; diff --git a/libX11/src/GetMoEv.c b/libX11/src/GetMoEv.c index 3db176feb..ad9c77277 100644 --- a/libX11/src/GetMoEv.c +++ b/libX11/src/GetMoEv.c @@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> XTimeCoord *XGetMotionEvents( register Display *dpy, @@ -39,7 +40,6 @@ XTimeCoord *XGetMotionEvents( xGetMotionEventsReply rep; register xGetMotionEventsReq *req; XTimeCoord *tc = NULL; - long nbytes; LockDisplay(dpy); GetReq(GetMotionEvents, req); req->window = w; @@ -52,26 +52,22 @@ XTimeCoord *XGetMotionEvents( return (NULL); } - if (rep.nEvents) { - if (! (tc = (XTimeCoord *) - Xmalloc( (unsigned) - (nbytes = (long) rep.nEvents * sizeof(XTimeCoord))))) { - _XEatData (dpy, (unsigned long) nbytes); - UnlockDisplay(dpy); - SyncHandle(); - return (NULL); - } + if (rep.nEvents && (rep.nEvents < (INT_MAX / sizeof(XTimeCoord)))) + tc = Xmalloc(rep.nEvents * sizeof(XTimeCoord)); + if (tc == NULL) { + /* server returned either no events or a bad event count */ + *nEvents = 0; + _XEatDataWords (dpy, rep.length); } - - *nEvents = rep.nEvents; - nbytes = SIZEOF (xTimecoord); + else { register XTimeCoord *tcptr; - register int i; + unsigned int i; xTimecoord xtc; + *nEvents = (int) rep.nEvents; for (i = rep.nEvents, tcptr = tc; i > 0; i--, tcptr++) { - _XRead (dpy, (char *) &xtc, nbytes); + _XRead (dpy, (char *) &xtc, SIZEOF (xTimecoord)); tcptr->time = xtc.time; tcptr->x = cvtINT16toShort (xtc.x); tcptr->y = cvtINT16toShort (xtc.y); diff --git a/libX11/src/GetPntMap.c b/libX11/src/GetPntMap.c index 0fcdb6696..29fdf21f0 100644 --- a/libX11/src/GetPntMap.c +++ b/libX11/src/GetPntMap.c @@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> #ifdef MIN /* some systems define this in <sys/param.h> */ #undef MIN @@ -42,7 +43,7 @@ int XGetPointerMapping ( { unsigned char mapping[256]; /* known fixed size */ - long nbytes, remainder = 0; + unsigned long nbytes, remainder = 0; xGetPointerMappingReply rep; register xReq *req; @@ -54,9 +55,15 @@ int XGetPointerMapping ( return 0; } - nbytes = (long)rep.length << 2; - /* Don't count on the server returning a valid value */ + if (rep.length >= (INT_MAX >> 2)) { + _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return 0; + } + + nbytes = (unsigned long) rep.length << 2; if (nbytes > sizeof mapping) { remainder = nbytes - sizeof mapping; nbytes = sizeof mapping; @@ -69,7 +76,7 @@ int XGetPointerMapping ( } if (remainder) - _XEatData(dpy, (unsigned long)remainder); + _XEatData(dpy, remainder); UnlockDisplay(dpy); SyncHandle(); @@ -86,8 +93,8 @@ XGetKeyboardMapping (Display *dpy, int count, int *keysyms_per_keycode) { - long nbytes; - unsigned long nkeysyms; + unsigned long nbytes; + CARD32 nkeysyms; register KeySym *mapping = NULL; xGetKeyboardMappingReply rep; register xGetKeyboardMappingReq *req; @@ -102,17 +109,19 @@ XGetKeyboardMapping (Display *dpy, return (KeySym *) NULL; } - nkeysyms = (unsigned long) rep.length; + nkeysyms = rep.length; if (nkeysyms > 0) { - nbytes = nkeysyms * sizeof (KeySym); - mapping = (KeySym *) Xmalloc ((unsigned) nbytes); - nbytes = nkeysyms << 2; + if (nkeysyms < (INT_MAX / sizeof (KeySym))) { + nbytes = nkeysyms * sizeof (KeySym); + mapping = Xmalloc (nbytes); + } if (! mapping) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (KeySym *) NULL; } + nbytes = nkeysyms << 2; _XRead32 (dpy, (long *) mapping, nbytes); } *keysyms_per_keycode = rep.keySymsPerKeyCode; diff --git a/libX11/src/GetProp.c b/libX11/src/GetProp.c index 5d6e0b8c4..9eb422ee3 100644 --- a/libX11/src/GetProp.c +++ b/libX11/src/GetProp.c @@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> int XGetWindowProperty( @@ -48,6 +49,13 @@ XGetWindowProperty( register xGetPropertyReq *req; xError error = {0}; + /* Always initialize return values, in case callers fail to initialize + them and fail to check the return code for an error. */ + *actual_type = None; + *actual_format = 0; + *nitems = *bytesafter = 0L; + *prop = (unsigned char *) NULL; + LockDisplay(dpy); GetReq (GetProperty, req); req->window = w; @@ -64,10 +72,18 @@ XGetWindowProperty( return (1); /* not Success */ } - *prop = (unsigned char *) NULL; if (reply.propertyType != None) { - long nbytes, netbytes; - switch (reply.format) { + unsigned long nbytes, netbytes; + int format = reply.format; + + /* + * Protect against both integer overflow and just plain oversized + * memory allocation - no server should ever return this many props. + */ + if (reply.nItems >= (INT_MAX >> 4)) + format = -1; /* fall through to default error case */ + + switch (format) { /* * One extra byte is malloced than is needed to contain the property * data, but this last byte is null terminated and convenient for @@ -76,24 +92,21 @@ XGetWindowProperty( */ case 8: nbytes = netbytes = reply.nItems; - if (nbytes + 1 > 0 && - (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1))) + if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1))) _XReadPad (dpy, (char *) *prop, netbytes); break; case 16: nbytes = reply.nItems * sizeof (short); netbytes = reply.nItems << 1; - if (nbytes + 1 > 0 && - (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1))) + if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1))) _XRead16Pad (dpy, (short *) *prop, netbytes); break; case 32: nbytes = reply.nItems * sizeof (long); netbytes = reply.nItems << 2; - if (nbytes + 1 > 0 && - (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1))) + if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1))) _XRead32 (dpy, (long *) *prop, netbytes); break; @@ -115,7 +128,7 @@ XGetWindowProperty( break; } if (! *prop) { - _XEatData(dpy, (unsigned long) netbytes); + _XEatDataWords(dpy, reply.length); UnlockDisplay(dpy); SyncHandle(); return(BadAlloc); /* not Success */ diff --git a/libX11/src/GetRGBCMap.c b/libX11/src/GetRGBCMap.c index 9e227a263..2f0b752a8 100644 --- a/libX11/src/GetRGBCMap.c +++ b/libX11/src/GetRGBCMap.c @@ -99,8 +99,7 @@ Status XGetRGBColormaps ( /* * allocate array */ - cmaps = (XStandardColormap *) Xmalloc (ncmaps * - sizeof (XStandardColormap)); + cmaps = Xmalloc (ncmaps * sizeof (XStandardColormap)); if (!cmaps) { if (data) Xfree ((char *) data); return False; diff --git a/libX11/src/ImUtil.c b/libX11/src/ImUtil.c index fa8d464aa..240a26181 100644 --- a/libX11/src/ImUtil.c +++ b/libX11/src/ImUtil.c @@ -332,7 +332,7 @@ XImage *XCreateImage ( (xpad != 8 && xpad != 16 && xpad != 32) || offset < 0) return (XImage *) NULL; - if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL) + if ((image = Xcalloc(1, sizeof(XImage))) == NULL) return (XImage *) NULL; image->width = width; @@ -842,7 +842,7 @@ static XImage *_XSubImage ( register unsigned long pixel; char *data; - if ((subimage = (XImage *) Xcalloc (1, sizeof (XImage))) == NULL) + if ((subimage = Xcalloc (1, sizeof (XImage))) == NULL) return (XImage *) NULL; subimage->width = width; subimage->height = height; @@ -868,7 +868,7 @@ static XImage *_XSubImage ( _XInitImageFuncPtrs (subimage); dsize = subimage->bytes_per_line * height; if (subimage->format == XYPixmap) dsize = dsize * subimage->depth; - if (((data = Xcalloc (1, (unsigned) dsize)) == NULL) && (dsize > 0)) { + if (((data = Xcalloc (1, dsize)) == NULL) && (dsize > 0)) { Xfree((char *) subimage); return (XImage *) NULL; } diff --git a/libX11/src/InitExt.c b/libX11/src/InitExt.c index 53c2dbe90..f50b54984 100644 --- a/libX11/src/InitExt.c +++ b/libX11/src/InitExt.c @@ -50,7 +50,7 @@ XExtCodes *XInitExtension ( &codes.first_error)) return (NULL); LockDisplay (dpy); - if (! (ext = (_XExtension *) Xcalloc (1, sizeof (_XExtension))) || + if (! (ext = Xcalloc (1, sizeof (_XExtension))) || ! (ext->name = strdup(name))) { if (ext) Xfree((char *) ext); UnlockDisplay(dpy); @@ -72,7 +72,7 @@ XExtCodes *XAddExtension (Display *dpy) register _XExtension *ext; LockDisplay (dpy); - if (! (ext = (_XExtension *) Xcalloc (1, sizeof (_XExtension)))) { + if (! (ext = Xcalloc (1, sizeof (_XExtension)))) { UnlockDisplay(dpy); return (XExtCodes *) NULL; } diff --git a/libX11/src/IntAtom.c b/libX11/src/IntAtom.c index 7a5625840..25466ca20 100644 --- a/libX11/src/IntAtom.c +++ b/libX11/src/IntAtom.c @@ -72,7 +72,7 @@ Atom _XInternAtom( /* look in the cache first */ if (!(atoms = dpy->atoms)) { - dpy->atoms = atoms = (AtomTable *)Xcalloc(1, sizeof(AtomTable)); + dpy->atoms = atoms = Xcalloc(1, sizeof(AtomTable)); dpy->free_funcs->atoms = _XFreeAtomTable; } sig = 0; @@ -127,7 +127,7 @@ _XUpdateAtomCache( if (!dpy->atoms) { if (idx < 0) { - dpy->atoms = (AtomTable *)Xcalloc(1, sizeof(AtomTable)); + dpy->atoms = Xcalloc(1, sizeof(AtomTable)); dpy->free_funcs->atoms = _XFreeAtomTable; } if (!dpy->atoms) @@ -147,7 +147,7 @@ _XUpdateAtomCache( } } } - e = (Entry)Xmalloc(sizeof(EntryRec) + n + 1); + e = Xmalloc(sizeof(EntryRec) + n + 1); if (e) { e->sig = sig; e->atom = atom; diff --git a/libX11/src/Key.h b/libX11/src/Key.h index 0fe89ba37..bb254393c 100644 --- a/libX11/src/Key.h +++ b/libX11/src/Key.h @@ -2,6 +2,9 @@ #ifndef _KEY_H_ #define _KEY_H_ +#include <X11/Xlib.h> +#include <X11/Xresource.h> + #ifndef NEEDKTABLE extern const unsigned char _XkeyTable[]; #endif diff --git a/libX11/src/KeyBind.c b/libX11/src/KeyBind.c index f22feca59..2110772ce 100644 --- a/libX11/src/KeyBind.c +++ b/libX11/src/KeyBind.c @@ -997,11 +997,9 @@ XRebindKeysym ( tmp = dpy->key_bindings; nb = sizeof(KeySym) * nm; - if ((! (p = (struct _XKeytrans *) Xcalloc( 1, sizeof(struct _XKeytrans)))) || - ((! (p->string = (char *) Xmalloc( (unsigned) nbytes))) && - (nbytes > 0)) || - ((! (p->modifiers = (KeySym *) Xmalloc( (unsigned) nb))) && - (nb > 0))) { + if ((! (p = Xcalloc( 1, sizeof(struct _XKeytrans)))) || + ((! (p->string = Xmalloc(nbytes))) && (nbytes > 0)) || + ((! (p->modifiers = Xmalloc(nb))) && (nb > 0))) { if (p) { if (p->string) Xfree(p->string); if (p->modifiers) Xfree((char *) p->modifiers); diff --git a/libX11/src/LiHosts.c b/libX11/src/LiHosts.c index 0f5e837d1..83cf3c791 100644 --- a/libX11/src/LiHosts.c +++ b/libX11/src/LiHosts.c @@ -62,6 +62,8 @@ X Window System is a trademark of The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> + /* * can be freed using XFree. */ @@ -73,7 +75,6 @@ XHostAddress *XListHosts ( { register XHostAddress *outbuf = NULL, *op; xListHostsReply reply; - long nbytes; unsigned char *buf, *bp; register unsigned i; register xListHostsReq *req; @@ -90,19 +91,26 @@ XHostAddress *XListHosts ( } if (reply.nHosts) { - nbytes = reply.length << 2; /* compute number of bytes in reply */ + unsigned long nbytes = reply.length << 2; /* number of bytes in reply */ + const unsigned long max_hosts = INT_MAX / + (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress)); + + if (reply.nHosts < max_hosts) { + unsigned long hostbytes = reply.nHosts * + (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress)); - op = outbuf = (XHostAddress *) - Xmalloc((unsigned) (nbytes + - (reply.nHosts * sizeof(XHostAddress)) + - (reply.nHosts * sizeof(XServerInterpretedAddress)))); + if (reply.length < (INT_MAX >> 2) && + (hostbytes >> 2) < ((INT_MAX >> 2) - reply.length)) + outbuf = Xmalloc(nbytes + hostbytes); + } if (! outbuf) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, reply.length); UnlockDisplay(dpy); SyncHandle(); return (XHostAddress *) NULL; } + op = outbuf; sip = (XServerInterpretedAddress *) (((unsigned char *) outbuf) + (reply.nHosts * sizeof(XHostAddress))); bp = buf = ((unsigned char *) sip) diff --git a/libX11/src/LiICmaps.c b/libX11/src/LiICmaps.c index e98161916..45a2f2fd3 100644 --- a/libX11/src/LiICmaps.c +++ b/libX11/src/LiICmaps.c @@ -34,7 +34,7 @@ Colormap *XListInstalledColormaps( Window win, int *n) /* RETURN */ { - long nbytes; + unsigned long nbytes; Colormap *cmaps; xListInstalledColormapsReply rep; register xResourceReq *req; @@ -51,14 +51,14 @@ Colormap *XListInstalledColormaps( if (rep.nColormaps) { nbytes = rep.nColormaps * sizeof(Colormap); - cmaps = (Colormap *) Xmalloc((unsigned) nbytes); - nbytes = rep.nColormaps << 2; + cmaps = Xmalloc(nbytes); if (! cmaps) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return((Colormap *) NULL); } + nbytes = rep.nColormaps << 2; _XRead32 (dpy, (long *) cmaps, nbytes); } else cmaps = (Colormap *) NULL; diff --git a/libX11/src/LiProps.c b/libX11/src/LiProps.c index 72560aba7..d9c746563 100644 --- a/libX11/src/LiProps.c +++ b/libX11/src/LiProps.c @@ -34,7 +34,7 @@ Atom *XListProperties( Window window, int *n_props) /* RETURN */ { - long nbytes; + unsigned long nbytes; xListPropertiesReply rep; Atom *properties; register xResourceReq *req; @@ -50,14 +50,14 @@ Atom *XListProperties( if (rep.nProperties) { nbytes = rep.nProperties * sizeof(Atom); - properties = (Atom *) Xmalloc ((unsigned) nbytes); - nbytes = rep.nProperties << 2; + properties = Xmalloc (nbytes); if (! properties) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (Atom *) NULL; } + nbytes = rep.nProperties << 2; _XRead32 (dpy, (long *) properties, nbytes); } else properties = (Atom *) NULL; diff --git a/libX11/src/ListExt.c b/libX11/src/ListExt.c index 16b522e88..e925c4773 100644 --- a/libX11/src/ListExt.c +++ b/libX11/src/ListExt.c @@ -28,18 +28,21 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> char **XListExtensions( register Display *dpy, int *nextensions) /* RETURN */ { xListExtensionsReply rep; - char **list; - char *ch; + char **list = NULL; + char *ch = NULL; + char *chend; + int count = 0; register unsigned i; register int length; register xReq *req; - register long rlen; + unsigned long rlen; LockDisplay(dpy); GetEmptyReq (ListExtensions, req); @@ -51,16 +54,17 @@ char **XListExtensions( } if (rep.nExtensions) { - list = (char **) Xmalloc ( - (unsigned)(rep.nExtensions * sizeof (char *))); - rlen = rep.length << 2; - ch = (char *) Xmalloc ((unsigned) rlen + 1); + list = Xmalloc (rep.nExtensions * sizeof (char *)); + if (rep.length < (LONG_MAX >> 2)) { + rlen = rep.length << 2; + ch = Xmalloc (rlen + 1); /* +1 to leave room for last null-terminator */ + } if ((!list) || (!ch)) { if (list) Xfree((char *) list); if (ch) Xfree((char *) ch); - _XEatData(dpy, (unsigned long) rlen); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (char **) NULL; @@ -70,17 +74,21 @@ char **XListExtensions( /* * unpack into null terminated strings. */ + chend = ch + (rlen + 1); length = *ch; for (i = 0; i < rep.nExtensions; i++) { - list[i] = ch+1; /* skip over length */ - ch += length + 1; /* find next length ... */ - length = *ch; - *ch = '\0'; /* and replace with null-termination */ + if (ch + length < chend) { + list[i] = ch+1; /* skip over length */ + ch += length + 1; /* find next length ... */ + length = *ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else + list[i] = NULL; } } - else list = (char **) NULL; - *nextensions = rep.nExtensions; + *nextensions = count; UnlockDisplay(dpy); SyncHandle(); return (list); diff --git a/libX11/src/Makefile.am b/libX11/src/Makefile.am index 71e02e71b..27b74b014 100644 --- a/libX11/src/Makefile.am +++ b/libX11/src/Makefile.am @@ -210,6 +210,7 @@ libX11_la_SOURCES = \ ParseCmd.c \ ParseCol.c \ ParseGeom.c \ + pathmax.h \ PeekEvent.c \ PeekIfEv.c \ Pending.c \ diff --git a/libX11/src/ModMap.c b/libX11/src/ModMap.c index c99bfdd5f..5c5b42612 100644 --- a/libX11/src/ModMap.c +++ b/libX11/src/ModMap.c @@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> XModifierKeymap * XGetModifierMapping(register Display *dpy) @@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy) GetEmptyReq(GetModifierMapping, req); (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - nbytes = (unsigned long)rep.length << 2; - res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); - if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); + if (rep.length < (LONG_MAX >> 2)) { + nbytes = (unsigned long)rep.length << 2; + res = Xmalloc(sizeof (XModifierKeymap)); + if (res) + res->modifiermap = Xmalloc (nbytes); + } else + res = NULL; if ((! res) || (! res->modifiermap)) { if (res) Xfree((char *) res); res = (XModifierKeymap *) NULL; - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, rep.length); } else { _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); res->max_keypermod = rep.numKeyPerModifier; @@ -92,11 +97,11 @@ XSetModifierMapping( XModifierKeymap * XNewModifiermap(int keyspermodifier) { - XModifierKeymap *res = (XModifierKeymap *) Xmalloc((sizeof (XModifierKeymap))); + XModifierKeymap *res = Xmalloc((sizeof (XModifierKeymap))); if (res) { res->max_keypermod = keyspermodifier; res->modifiermap = (keyspermodifier > 0 ? - (KeyCode *) Xmalloc((unsigned) (8 * keyspermodifier)) + Xmalloc(8 * keyspermodifier) : (KeyCode *) NULL); if (keyspermodifier && (res->modifiermap == NULL)) { Xfree((char *) res); diff --git a/libX11/src/OpenDis.c b/libX11/src/OpenDis.c index 87a3fc430..90ac8b36c 100644 --- a/libX11/src/OpenDis.c +++ b/libX11/src/OpenDis.c @@ -113,7 +113,7 @@ XOpenDisplay ( /* * Attempt to allocate a display structure. Return NULL if allocation fails. */ - if ((dpy = (Display *)Xcalloc(1, sizeof(Display))) == NULL) { + if ((dpy = Xcalloc(1, sizeof(Display))) == NULL) { return(NULL); } @@ -247,9 +247,7 @@ XOpenDisplay ( dpy->qlen = 0; /* Set up free-function record */ - if ((dpy->free_funcs = (_XFreeFuncRec *)Xcalloc(1, - sizeof(_XFreeFuncRec))) - == NULL) { + if ((dpy->free_funcs = Xcalloc(1, sizeof(_XFreeFuncRec))) == NULL) { OutOfMemory (dpy); return(NULL); } @@ -317,7 +315,7 @@ XOpenDisplay ( return (NULL); } - dpy->vendor = (char *) Xmalloc((unsigned) (u.setup->nbytesVendor + 1)); + dpy->vendor = Xmalloc(u.setup->nbytesVendor + 1); if (dpy->vendor == NULL) { OutOfMemory(dpy); return (NULL); @@ -343,9 +341,7 @@ XOpenDisplay ( /* * Now iterate down setup information..... */ - dpy->pixmap_format = - (ScreenFormat *)Xmalloc( - (unsigned) (dpy->nformats *sizeof(ScreenFormat))); + dpy->pixmap_format = Xcalloc(dpy->nformats, sizeof(ScreenFormat)); if (dpy->pixmap_format == NULL) { OutOfMemory (dpy); return(NULL); @@ -373,8 +369,7 @@ XOpenDisplay ( /* * next the Screen structures. */ - dpy->screens = - (Screen *)Xmalloc((unsigned) dpy->nscreens*sizeof(Screen)); + dpy->screens = Xcalloc(dpy->nscreens, sizeof(Screen)); if (dpy->screens == NULL) { OutOfMemory (dpy); return(NULL); @@ -416,8 +411,7 @@ XOpenDisplay ( /* * lets set up the depth structures. */ - sp->depths = (Depth *)Xmalloc( - (unsigned)sp->ndepths*sizeof(Depth)); + sp->depths = Xcalloc(sp->ndepths, sizeof(Depth)); if (sp->depths == NULL) { OutOfMemory (dpy); return(NULL); @@ -439,8 +433,7 @@ XOpenDisplay ( dp->nvisuals = u.dp->nVisuals; u.dp = (xDepth *) (((char *) u.dp) + sz_xDepth); if (dp->nvisuals > 0) { - dp->visuals = - (Visual *)Xmalloc((unsigned)dp->nvisuals*sizeof(Visual)); + dp->visuals = Xcalloc(dp->nvisuals, sizeof(Visual)); if (dp->visuals == NULL) { OutOfMemory (dpy); return(NULL); @@ -553,7 +546,7 @@ XOpenDisplay ( dpy->xdefaults[reply.nItems] = '\0'; } else if (reply.propertyType != None) - _XEatData(dpy, reply.nItems * (reply.format >> 3)); + _XEatDataWords(dpy, reply.length); } } UnlockDisplay(dpy); diff --git a/libX11/src/PixFormats.c b/libX11/src/PixFormats.c index 8e4a10027..6d9f64d2c 100644 --- a/libX11/src/PixFormats.c +++ b/libX11/src/PixFormats.c @@ -38,8 +38,8 @@ XPixmapFormatValues *XListPixmapFormats ( Display *dpy, int *count) /* RETURN */ { - XPixmapFormatValues *formats = (XPixmapFormatValues *) - Xmalloc((unsigned) (dpy->nformats * sizeof (XPixmapFormatValues))); + XPixmapFormatValues *formats = + Xmalloc(dpy->nformats * sizeof (XPixmapFormatValues)); if (formats) { register int i; diff --git a/libX11/src/PolyReg.c b/libX11/src/PolyReg.c index 74c8765fe..6d0277332 100644 --- a/libX11/src/PolyReg.c +++ b/libX11/src/PolyReg.c @@ -95,8 +95,7 @@ InsertEdgeInET( { if (*iSLLBlock > SLLSPERBLOCK-1) { - tmpSLLBlock = - (ScanLineListBlock *)Xmalloc(sizeof(ScanLineListBlock)); + tmpSLLBlock = Xmalloc(sizeof(ScanLineListBlock)); (*SLLBlock)->next = tmpSLLBlock; tmpSLLBlock->next = (ScanLineListBlock *)NULL; *SLLBlock = tmpSLLBlock; @@ -410,8 +409,7 @@ static int PtsToRegion( numRects = ((numFullPtBlocks * NUMPTSTOBUFFER) + iCurPtBlock) >> 1; - if (!(reg->rects = (BOX *)Xrealloc((char *)reg->rects, - (unsigned) (sizeof(BOX) * numRects)))) { + if (!(reg->rects = Xrealloc(reg->rects, sizeof(BOX) * numRects))) { Xfree(prevRects); return(0); } @@ -521,8 +519,7 @@ XPolygonRegion( if (Count < 2) return region; - if (! (pETEs = (EdgeTableEntry *) - Xmalloc((unsigned) (sizeof(EdgeTableEntry) * Count)))) { + if (! (pETEs = Xmalloc(sizeof(EdgeTableEntry) * Count))) { XDestroyRegion(region); return (Region) NULL; } @@ -559,7 +556,7 @@ XPolygonRegion( * send out the buffer */ if (iPts == NUMPTSTOBUFFER) { - tmpPtBlock = (POINTBLOCK *)Xmalloc(sizeof(POINTBLOCK)); + tmpPtBlock = Xmalloc(sizeof(POINTBLOCK)); curPtBlock->next = tmpPtBlock; curPtBlock = tmpPtBlock; pts = curPtBlock->pts; @@ -605,7 +602,7 @@ XPolygonRegion( * send out the buffer */ if (iPts == NUMPTSTOBUFFER) { - tmpPtBlock = (POINTBLOCK *)Xmalloc(sizeof(POINTBLOCK)); + tmpPtBlock = Xmalloc(sizeof(POINTBLOCK)); curPtBlock->next = tmpPtBlock; curPtBlock = tmpPtBlock; pts = curPtBlock->pts; diff --git a/libX11/src/PropAlloc.c b/libX11/src/PropAlloc.c index 516283080..87817d88a 100644 --- a/libX11/src/PropAlloc.c +++ b/libX11/src/PropAlloc.c @@ -39,20 +39,19 @@ in this Software without prior written authorization from The Open Group. XSizeHints *XAllocSizeHints (void) { - return ((XSizeHints *) Xcalloc (1, (unsigned) sizeof (XSizeHints))); + return Xcalloc (1, sizeof (XSizeHints)); } XStandardColormap *XAllocStandardColormap (void) { - return ((XStandardColormap *) - Xcalloc (1, (unsigned) sizeof (XStandardColormap))); + return Xcalloc (1, sizeof (XStandardColormap)); } XWMHints *XAllocWMHints (void) { - return ((XWMHints *) Xcalloc (1, (unsigned) sizeof (XWMHints))); + return Xcalloc (1, sizeof (XWMHints)); } @@ -64,7 +63,7 @@ XClassHint *XAllocClassHint (void) XIconSize *XAllocIconSize (void) { - return ((XIconSize *) Xcalloc (1, (unsigned) sizeof (XIconSize))); + return Xcalloc (1, sizeof (XIconSize)); } diff --git a/libX11/src/PutBEvent.c b/libX11/src/PutBEvent.c index f9d4c29bd..1768e032c 100644 --- a/libX11/src/PutBEvent.c +++ b/libX11/src/PutBEvent.c @@ -41,7 +41,7 @@ _XPutBackEvent ( XEvent store = *event; if (!dpy->qfree) { - if ((dpy->qfree = (_XQEvent *) Xmalloc (sizeof (_XQEvent))) == NULL) { + if ((dpy->qfree = Xmalloc (sizeof (_XQEvent))) == NULL) { return 0; } dpy->qfree->next = NULL; diff --git a/libX11/src/PutImage.c b/libX11/src/PutImage.c index 6dad4f13a..2a694f099 100644 --- a/libX11/src/PutImage.c +++ b/libX11/src/PutImage.c @@ -680,7 +680,7 @@ SendXYImage( length = ROUNDUP(length, 4); if ((dpy->bufptr + length) > dpy->bufmax) { - if ((buf = _XAllocScratch(dpy, (unsigned long) (length))) == NULL) { + if ((buf = _XAllocScratch(dpy, length)) == NULL) { UnGetReq(PutImage); return; } @@ -703,13 +703,13 @@ SendXYImage( bytes_per_temp_plane = bytes_per_line * req->height; temp_length = ROUNDUP(bytes_per_temp_plane * image->depth, 4); if (buf == dpy->bufptr) { - if (! (temp = _XAllocScratch(dpy, (unsigned long) temp_length))) { + if (! (temp = _XAllocScratch(dpy, temp_length))) { UnGetReq(PutImage); return; } } else - if ((extra = temp = Xmalloc((unsigned) temp_length)) == NULL) { + if ((extra = temp = Xmalloc(temp_length)) == NULL) { UnGetReq(PutImage); return; } @@ -778,8 +778,7 @@ SendZImage( (req_yoffset * image->bytes_per_line) + ((req_xoffset * image->bits_per_pixel) >> 3); if ((image->bits_per_pixel == 4) && ((unsigned int) req_xoffset & 0x01)) { - if (! (shifted_src = (unsigned char *) - Xmalloc((unsigned) (req->height * image->bytes_per_line)))) { + if (! (shifted_src = Xmalloc(req->height * image->bytes_per_line))) { UnGetReq(PutImage); return; } @@ -810,7 +809,7 @@ SendZImage( dest = (unsigned char *)dpy->bufptr; else if ((dest = (unsigned char *) - _XAllocScratch(dpy, (unsigned long)(length))) == NULL) { + _XAllocScratch(dpy, length)) == NULL) { if (shifted_src) Xfree((char *) shifted_src); UnGetReq(PutImage); return; @@ -1001,7 +1000,7 @@ XPutImage ( img.bits_per_pixel = dest_bits_per_pixel; img.bytes_per_line = ROUNDUP((dest_bits_per_pixel * width), dest_scanline_pad) >> 3; - img.data = Xmalloc((unsigned) (img.bytes_per_line * height)); + img.data = Xmalloc(img.bytes_per_line * height); if (img.data == NULL) return 0; _XInitImageFuncPtrs(&img); diff --git a/libX11/src/QuColors.c b/libX11/src/QuColors.c index d02958eca..af7102297 100644 --- a/libX11/src/QuColors.c +++ b/libX11/src/QuColors.c @@ -37,9 +37,7 @@ _XQueryColors( int ncolors) { register int i; - xrgb *color; xQueryColorsReply rep; - long nbytes; register xQueryColorsReq *req; GetReq(QueryColors, req); @@ -52,8 +50,9 @@ _XQueryColors( /* XXX this isn't very efficient */ if (_XReply(dpy, (xReply *) &rep, 0, xFalse) != 0) { - if ((color = (xrgb *) - Xmalloc((unsigned) (nbytes = (long) ncolors * SIZEOF(xrgb))))) { + unsigned long nbytes = (long) ncolors * SIZEOF(xrgb); + xrgb *color = Xmalloc(nbytes); + if (color != NULL) { _XRead(dpy, (char *) color, nbytes); @@ -67,7 +66,8 @@ _XQueryColors( } Xfree((char *)color); } - else _XEatData(dpy, (unsigned long) nbytes); + else + _XEatDataWords(dpy, rep.length); } } diff --git a/libX11/src/QuTree.c b/libX11/src/QuTree.c index 3cea282fa..8da2ae261 100644 --- a/libX11/src/QuTree.c +++ b/libX11/src/QuTree.c @@ -37,7 +37,7 @@ Status XQueryTree ( Window **children, /* RETURN */ unsigned int *nchildren) /* RETURN */ { - long nbytes; + unsigned long nbytes; xQueryTreeReply rep; register xResourceReq *req; @@ -52,14 +52,14 @@ Status XQueryTree ( *children = (Window *) NULL; if (rep.nChildren != 0) { nbytes = rep.nChildren * sizeof(Window); - *children = (Window *) Xmalloc((unsigned) nbytes); - nbytes = rep.nChildren << 2; + *children = Xmalloc(nbytes); if (! *children) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (0); } + nbytes = rep.nChildren << 2; _XRead32 (dpy, (long *) *children, nbytes); } *parent = rep.parent; diff --git a/libX11/src/Quarks.c b/libX11/src/Quarks.c index 4eb90c51d..60fe127bd 100644 --- a/libX11/src/Quarks.c +++ b/libX11/src/Quarks.c @@ -186,15 +186,14 @@ ExpandQuarkTable(void) newmask = (oldmask << 1) + 1; else { if (!stringTable) { - stringTable = (XrmString **)Xmalloc(sizeof(XrmString *) * - CHUNKPER); + stringTable = Xmalloc(sizeof(XrmString *) * CHUNKPER); if (!stringTable) return False; stringTable[0] = (XrmString *)NULL; } #ifdef PERMQ if (!permTable) - permTable = (Bits **)Xmalloc(sizeof(Bits *) * CHUNKPER); + permTable = Xmalloc(sizeof(Bits *) * CHUNKPER); if (!permTable) return False; #endif @@ -289,13 +288,13 @@ nomatch: if (!rehash) q = nextQuark; if (!(q & QUANTUMMASK)) { if (!(q & CHUNKMASK)) { - if (!(new = Xrealloc((char *)stringTable, + if (!(new = Xrealloc(stringTable, sizeof(XrmString *) * ((q >> QUANTUMSHIFT) + CHUNKPER)))) goto fail; stringTable = (XrmString **)new; #ifdef PERMQ - if (!(new = Xrealloc((char *)permTable, + if (!(new = Xrealloc(permTable, sizeof(Bits *) * ((q >> QUANTUMSHIFT) + CHUNKPER)))) goto fail; diff --git a/libX11/src/RdBitF.c b/libX11/src/RdBitF.c index afdaee7fc..d20731215 100644 --- a/libX11/src/RdBitF.c +++ b/libX11/src/RdBitF.c @@ -192,7 +192,7 @@ XReadBitmapFileData ( bytes_per_line = (ww+7)/8 + padding; size = bytes_per_line * hh; - bits = (unsigned char *) Xmalloc ((unsigned int) size); + bits = Xmalloc (size); if (!bits) RETURN (BitmapNoMemory); diff --git a/libX11/src/Region.c b/libX11/src/Region.c index 41047b242..d3d431a64 100644 --- a/libX11/src/Region.c +++ b/libX11/src/Region.c @@ -139,9 +139,9 @@ XCreateRegion(void) { Region temp; - if (! (temp = ( Region )Xmalloc( (unsigned) sizeof( REGION )))) + if (! (temp = Xmalloc(sizeof( REGION )))) return (Region) NULL; - if (! (temp->rects = ( BOX * )Xmalloc( (unsigned) sizeof( BOX )))) { + if (! (temp->rects = Xmalloc(sizeof( BOX )))) { Xfree((char *) temp); return (Region) NULL; } @@ -521,9 +521,9 @@ miRegionCopy( { BOX *prevRects = dstrgn->rects; - if (! (dstrgn->rects = (BOX *) - Xrealloc((char *) dstrgn->rects, - (unsigned) rgn->numRects * (sizeof(BOX))))) { + dstrgn->rects = Xrealloc(dstrgn->rects, + rgn->numRects * (sizeof(BOX))); + if (! dstrgn->rects) { Xfree(prevRects); return; } @@ -788,8 +788,7 @@ miRegionOp( */ newReg->size = max(reg1->numRects,reg2->numRects) * 2; - if (! (newReg->rects = (BoxPtr) - Xmalloc ((unsigned) (sizeof(BoxRec) * newReg->size)))) { + if (! (newReg->rects = Xmalloc (sizeof(BoxRec) * newReg->size))) { newReg->size = 0; return; } @@ -980,8 +979,8 @@ miRegionOp( { BoxPtr prev_rects = newReg->rects; newReg->size = newReg->numRects; - newReg->rects = (BoxPtr) Xrealloc ((char *) newReg->rects, - (unsigned) (sizeof(BoxRec) * newReg->size)); + newReg->rects = Xrealloc (newReg->rects, + sizeof(BoxRec) * newReg->size); if (! newReg->rects) newReg->rects = prev_rects; } @@ -993,7 +992,7 @@ miRegionOp( */ newReg->size = 1; Xfree((char *) newReg->rects); - newReg->rects = (BoxPtr) Xmalloc(sizeof(BoxRec)); + newReg->rects = Xmalloc(sizeof(BoxRec)); } } Xfree ((char *) oldRects); diff --git a/libX11/src/RegstFlt.c b/libX11/src/RegstFlt.c index 9a560e794..5a1faa7e9 100644 --- a/libX11/src/RegstFlt.c +++ b/libX11/src/RegstFlt.c @@ -85,7 +85,7 @@ _XRegisterFilterByMask( { XFilterEventRec *rec; - rec = (XFilterEventList)Xmalloc(sizeof(XFilterEventRec)); + rec = Xmalloc(sizeof(XFilterEventRec)); if (!rec) return; rec->window = window; @@ -117,7 +117,7 @@ _XRegisterFilterByType( { XFilterEventRec *rec; - rec = (XFilterEventList)Xmalloc(sizeof(XFilterEventRec)); + rec = Xmalloc(sizeof(XFilterEventRec)); if (!rec) return; rec->window = window; diff --git a/libX11/src/SetFPath.c b/libX11/src/SetFPath.c index 89955c23e..b1afd8201 100644 --- a/libX11/src/SetFPath.c +++ b/libX11/src/SetFPath.c @@ -52,7 +52,7 @@ XSetFontPath ( } nbytes = (n + 3) & ~3; req->length += nbytes >> 2; - if ((p = (char *) Xmalloc ((unsigned) nbytes))) { + if ((p = Xmalloc (nbytes))) { /* * pack into counted strings. */ diff --git a/libX11/src/SetHints.c b/libX11/src/SetHints.c index 1cde48f85..0ae076438 100644 --- a/libX11/src/SetHints.c +++ b/libX11/src/SetHints.c @@ -184,7 +184,7 @@ XSetIconSizes ( #define size_of_the_real_thing sizeof /* avoid grepping screwups */ unsigned nbytes = count * size_of_the_real_thing(xPropIconSize); #undef size_of_the_real_thing - if ((prop = pp = (xPropIconSize *) Xmalloc (nbytes))) { + if ((prop = pp = Xmalloc (nbytes))) { for (i = 0; i < count; i++) { pp->minWidth = list->min_width; pp->minHeight = list->min_height; @@ -216,7 +216,7 @@ XSetCommand ( for (i = 0, nbytes = 0; i < argc; i++) { nbytes += safestrlen(argv[i]) + 1; } - if ((bp = buf = Xmalloc((unsigned) nbytes))) { + if ((bp = buf = Xmalloc(nbytes))) { /* copy arguments into single buffer */ for (i = 0; i < argc; i++) { if (argv[i]) { @@ -299,7 +299,7 @@ XSetClassHint( len_nm = safestrlen(classhint->res_name); len_cl = safestrlen(classhint->res_class); - if ((class_string = s = Xmalloc((unsigned) (len_nm + len_cl + 2)))) { + if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) { if (len_nm) { strcpy(s, classhint->res_name); s += len_nm + 1; diff --git a/libX11/src/StrToText.c b/libX11/src/StrToText.c index b5327e8fc..ef927f3d9 100644 --- a/libX11/src/StrToText.c +++ b/libX11/src/StrToText.c @@ -78,7 +78,7 @@ Status XStringListToTextProperty ( } } } else { - proto.value = (unsigned char *) Xmalloc (1); /* easier for client */ + proto.value = Xmalloc (1); /* easier for client */ if (!proto.value) return False; proto.value[0] = '\0'; diff --git a/libX11/src/TextToStr.c b/libX11/src/TextToStr.c index 216391c2e..36d9f0706 100644 --- a/libX11/src/TextToStr.c +++ b/libX11/src/TextToStr.c @@ -72,10 +72,10 @@ Status XTextPropertyToStringList ( /* * allocate list and duplicate */ - list = (char **) Xmalloc (nelements * sizeof (char *)); + list = Xmalloc (nelements * sizeof (char *)); if (!list) return False; - start = (char *) Xmalloc ((datalen + 1) * sizeof (char)); /* for <NUL> */ + start = Xmalloc ((datalen + 1) * sizeof (char)); /* for <NUL> */ if (!start) { Xfree ((char *) list); return False; diff --git a/libX11/src/VisUtil.c b/libX11/src/VisUtil.c index 3434c0161..aa679928a 100644 --- a/libX11/src/VisUtil.c +++ b/libX11/src/VisUtil.c @@ -75,8 +75,7 @@ XVisualInfo *XGetVisualInfo( count = 0; total = 10; - if (! (vip_base = vip = (XVisualInfo *) - Xmalloc((unsigned) (sizeof(XVisualInfo) * total)))) { + if (! (vip_base = vip = Xmalloc(sizeof(XVisualInfo) * total))) { UnlockDisplay(dpy); return (XVisualInfo *) NULL; } @@ -132,9 +131,8 @@ XVisualInfo *XGetVisualInfo( { XVisualInfo *old_vip_base = vip_base; total += 10; - if (! (vip_base = (XVisualInfo *) - Xrealloc((char *) vip_base, - (unsigned) (sizeof(XVisualInfo) * total)))) { + if (! (vip_base = Xrealloc(vip_base, + sizeof(XVisualInfo) * total))) { Xfree((char *) old_vip_base); UnlockDisplay(dpy); return (XVisualInfo *) NULL; diff --git a/libX11/src/WrBitF.c b/libX11/src/WrBitF.c index 1ec6280fb..75a93a79d 100644 --- a/libX11/src/WrBitF.c +++ b/libX11/src/WrBitF.c @@ -53,7 +53,7 @@ static char *Format_Image( bytes_per_line = (width+7)/8; *resultsize = bytes_per_line * height; /* Calculate size of data */ - data = (char *) Xmalloc( *resultsize ); /* Get space for data */ + data = Xmalloc( *resultsize ); /* Get space for data */ if (!data) return(ERR_RETURN); diff --git a/libX11/src/Xintatom.h b/libX11/src/Xintatom.h index 82dba36e1..516a72b1d 100644 --- a/libX11/src/Xintatom.h +++ b/libX11/src/Xintatom.h @@ -2,6 +2,7 @@ #ifndef _XINTATOM_H_ #define _XINTATOM_H_ 1 +#include <X11/Xlib.h> #include <X11/Xfuncproto.h> /* IntAtom.c */ diff --git a/libX11/src/Xintconn.h b/libX11/src/Xintconn.h index db59061a0..cd9aee32e 100644 --- a/libX11/src/Xintconn.h +++ b/libX11/src/Xintconn.h @@ -3,6 +3,7 @@ #define _XINTCONN_H_ 1 #include <X11/Xfuncproto.h> +#include <X11/Xlib.h> _XFUNCPROTOBEGIN diff --git a/libX11/src/XlibInt.c b/libX11/src/XlibInt.c index 310ce31f0..8a51f49c4 100644 --- a/libX11/src/XlibInt.c +++ b/libX11/src/XlibInt.c @@ -167,7 +167,7 @@ Bool _XPollfdCacheInit( #ifdef USE_POLL struct pollfd *pfp; - pfp = (struct pollfd *)Xmalloc(POLLFD_CACHE_SIZE * sizeof(struct pollfd)); + pfp = Xmalloc(POLLFD_CACHE_SIZE * sizeof(struct pollfd)); if (!pfp) return False; pfp[0].fd = dpy->fd; @@ -394,10 +394,10 @@ _XRegisterInternalConnection( struct _XConnWatchInfo *watchers; XPointer *wd; - new_conni = (struct _XConnectionInfo*)Xmalloc(sizeof(struct _XConnectionInfo)); + new_conni = Xmalloc(sizeof(struct _XConnectionInfo)); if (!new_conni) return 0; - new_conni->watch_data = (XPointer *)Xmalloc(dpy->watcher_count * sizeof(XPointer)); + new_conni->watch_data = Xmalloc(dpy->watcher_count * sizeof(XPointer)); if (!new_conni->watch_data) { Xfree(new_conni); return 0; @@ -484,7 +484,7 @@ XInternalConnectionNumbers( count = 0; for (info_list=dpy->im_fd_info; info_list; info_list=info_list->next) count++; - fd_list = (int*) Xmalloc (count * sizeof(int)); + fd_list = Xmalloc (count * sizeof(int)); if (!fd_list) { UnlockDisplay(dpy); return 0; @@ -557,9 +557,8 @@ XAddConnectionWatch( /* allocate new watch data */ for (info_list=dpy->im_fd_info; info_list; info_list=info_list->next) { - wd_array = (XPointer *)Xrealloc((char *)info_list->watch_data, - (dpy->watcher_count + 1) * - sizeof(XPointer)); + wd_array = Xrealloc(info_list->watch_data, + (dpy->watcher_count + 1) * sizeof(XPointer)); if (!wd_array) { UnlockDisplay(dpy); return 0; @@ -568,7 +567,7 @@ XAddConnectionWatch( wd_array[dpy->watcher_count] = NULL; /* for cleanliness */ } - new_watcher = (struct _XConnWatchInfo*)Xmalloc(sizeof(struct _XConnWatchInfo)); + new_watcher = Xmalloc(sizeof(struct _XConnWatchInfo)); if (!new_watcher) { UnlockDisplay(dpy); return 0; @@ -776,8 +775,7 @@ void _XEnq( /* If dpy->qfree is non-NULL do this, else malloc a new one. */ dpy->qfree = qelt->next; } - else if ((qelt = - (_XQEvent *) Xmalloc((unsigned)sizeof(_XQEvent))) == NULL) { + else if ((qelt = Xmalloc(sizeof(_XQEvent))) == NULL) { /* Malloc call failed! */ ESET(ENOMEM); _XIOError(dpy); @@ -1538,7 +1536,7 @@ char *_XAllocScratch( { if (nbytes > dpy->scratch_length) { if (dpy->scratch_buffer) Xfree (dpy->scratch_buffer); - if ((dpy->scratch_buffer = Xmalloc((unsigned) nbytes))) + if ((dpy->scratch_buffer = Xmalloc(nbytes))) dpy->scratch_length = nbytes; else dpy->scratch_length = 0; } diff --git a/libX11/src/Xprivate.h b/libX11/src/Xprivate.h index 006b1705e..6bfe70baa 100644 --- a/libX11/src/Xprivate.h +++ b/libX11/src/Xprivate.h @@ -8,6 +8,8 @@ #ifndef XPRIVATE_H #define XPRIVATE_H +#include <X11/Xlib.h> + extern _X_HIDDEN void _XIDHandler(Display *dpy); extern _X_HIDDEN void _XSeqSyncFunction(Display *dpy); extern _X_HIDDEN void _XSetPrivSyncFunction(Display *dpy); diff --git a/libX11/src/Xresinternal.h b/libX11/src/Xresinternal.h index c2f355fe6..b5cc7ffc4 100644 --- a/libX11/src/Xresinternal.h +++ b/libX11/src/Xresinternal.h @@ -2,6 +2,8 @@ #ifndef _XRESINTERNAL_H_ #define _XRESINTERNAL_H_ +#include <X11/Xlib.h> +#include <X11/Xresource.h> #include <inttypes.h> /* type defines */ diff --git a/libX11/src/Xrm.c b/libX11/src/Xrm.c index d6899d970..d8272ee78 100644 --- a/libX11/src/Xrm.c +++ b/libX11/src/Xrm.c @@ -62,6 +62,7 @@ from The Open Group. #endif #include <X11/Xos.h> #include <sys/stat.h> +#include <limits.h> #include "Xresinternal.h" #include "Xresource.h" @@ -494,7 +495,7 @@ static XrmDatabase NewDatabase(void) { register XrmDatabase db; - db = (XrmDatabase) Xmalloc(sizeof(XrmHashBucketRec)); + db = Xmalloc(sizeof(XrmHashBucketRec)); if (db) { _XCreateMutex(&db->linfo); db->table = (NTable)NULL; @@ -827,7 +828,7 @@ static void PutEntry( NTable *nprev, *firstpprev; #define NEWTABLE(q,i) \ - table = (NTable)Xmalloc(sizeof(LTableRec)); \ + table = Xmalloc(sizeof(LTableRec)); \ if (!table) \ return; \ table->name = q; \ @@ -840,7 +841,7 @@ static void PutEntry( nprev = NodeBuckets(table); \ } else { \ table->leaf = 1; \ - if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry *)))) {\ + if (!(nprev = Xmalloc(sizeof(VEntry *)))) {\ Xfree(table); \ return; \ } \ @@ -954,9 +955,8 @@ static void PutEntry( prev = nprev; } /* now allocate the value entry */ - entry = (VEntry)Xmalloc(((type == XrmQString) ? - sizeof(VEntryRec) : sizeof(DEntryRec)) + - value->size); + entry = Xmalloc(((type == XrmQString) ? + sizeof(VEntryRec) : sizeof(DEntryRec)) + value->size); if (!entry) return; entry->name = q = *quarks; @@ -986,13 +986,12 @@ static void PutEntry( if (resourceQuarks) { unsigned char *prevQuarks = resourceQuarks; - resourceQuarks = (unsigned char *)Xrealloc((char *)resourceQuarks, - size); + resourceQuarks = Xrealloc(resourceQuarks, size); if (!resourceQuarks) { Xfree(prevQuarks); } } else - resourceQuarks = (unsigned char *)Xmalloc(size); + resourceQuarks = Xmalloc(size); if (resourceQuarks) { bzero((char *)&resourceQuarks[oldsize], size - oldsize); maxResourceQuark = (size << 3) - 1; @@ -1087,13 +1086,15 @@ static void GetIncludeFile( XrmDatabase db, _Xconst char *base, _Xconst char *fname, - int fnamelen); + int fnamelen, + int depth); static void GetDatabase( XrmDatabase db, _Xconst char *str, _Xconst char *filename, - Bool doall) + Bool doall, + int depth) { char *rhs; char *lhs, lhs_s[DEF_BUFF_SIZE]; @@ -1135,11 +1136,11 @@ static void GetDatabase( str_len = strlen (str); if (DEF_BUFF_SIZE > str_len) lhs = lhs_s; - else if ((lhs = (char*) Xmalloc (str_len)) == NULL) + else if ((lhs = Xmalloc (str_len)) == NULL) return; alloc_chars = DEF_BUFF_SIZE < str_len ? str_len : DEF_BUFF_SIZE; - if ((rhs = (char*) Xmalloc (alloc_chars)) == NULL) { + if ((rhs = Xmalloc (alloc_chars)) == NULL) { if (lhs != lhs_s) Xfree (lhs); return; } @@ -1203,7 +1204,8 @@ static void GetDatabase( } while (c != '"' && !is_EOL(bits)); /* must have an ending " */ if (c == '"') - GetIncludeFile(db, filename, fname, str - len - fname); + GetIncludeFile(db, filename, fname, str - len - fname, + depth); } } /* spin to next newline */ @@ -1544,7 +1546,7 @@ XrmPutLineResource( { if (!*pdb) *pdb = NewDatabase(); _XLockMutex(&(*pdb)->linfo); - GetDatabase(*pdb, line, (char *)NULL, False); + GetDatabase(*pdb, line, (char *)NULL, False, 0); _XUnlockMutex(&(*pdb)->linfo); } @@ -1556,7 +1558,7 @@ XrmGetStringDatabase( db = NewDatabase(); _XLockMutex(&db->linfo); - GetDatabase(db, data, (char *)NULL, True); + GetDatabase(db, data, (char *)NULL, True, 0); _XUnlockMutex(&db->linfo); return db; } @@ -1594,11 +1596,12 @@ ReadInFile(_Xconst char *filename) */ { struct stat status_buffer; - if ( (fstat(fd, &status_buffer)) == -1 ) { + if ( ((fstat(fd, &status_buffer)) == -1 ) || + (status_buffer.st_size >= INT_MAX) ) { close (fd); return (char *)NULL; } else - size = status_buffer.st_size; + size = (int) status_buffer.st_size; } if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */ @@ -1634,7 +1637,8 @@ GetIncludeFile( XrmDatabase db, _Xconst char *base, _Xconst char *fname, - int fnamelen) + int fnamelen, + int depth) { int len; char *str; @@ -1642,6 +1646,8 @@ GetIncludeFile( if (fnamelen <= 0 || fnamelen >= BUFSIZ) return; + if (depth >= MAXDBDEPTH) + return; if (*fname != '/' && base && (str = strrchr(base, '/'))) { len = str - base + 1; if (len + fnamelen >= BUFSIZ) @@ -1655,7 +1661,7 @@ GetIncludeFile( } if (!(str = ReadInFile(realfname))) return; - GetDatabase(db, str, realfname, True); + GetDatabase(db, str, realfname, True, depth + 1); Xfree(str); } @@ -1671,7 +1677,7 @@ XrmGetFileDatabase( db = NewDatabase(); _XLockMutex(&db->linfo); - GetDatabase(db, str, filename, True); + GetDatabase(db, str, filename, True, 0); _XUnlockMutex(&db->linfo); Xfree(str); return db; @@ -1695,7 +1701,7 @@ XrmCombineFileDatabase( } else db = NewDatabase(); _XLockMutex(&db->linfo); - GetDatabase(db, str, filename, True); + GetDatabase(db, str, filename, True, 0); _XUnlockMutex(&db->linfo); Xfree(str); if (!override) diff --git a/libX11/src/locking.c b/libX11/src/locking.c index b3dfb3b01..7c09c44d2 100644 --- a/libX11/src/locking.c +++ b/libX11/src/locking.c @@ -82,7 +82,7 @@ _Xthread_waiter(void) struct _xthread_waiter *me; if (!(me = TlsGetValue(_X_TlsIndex))) { - me = (struct _xthread_waiter *)xmalloc(sizeof(struct _xthread_waiter)); + me = xmalloc(sizeof(struct _xthread_waiter)); me->sem = CreateSemaphore(NULL, 0, 1, NULL); me->next = NULL; TlsSetValue(_X_TlsIndex, me); @@ -249,7 +249,7 @@ static struct _XCVList *_XCreateCVL( dpy->lock->free_cvls = cvl->next; dpy->lock->num_free_cvls--; } else { - cvl = (struct _XCVList *)Xmalloc(sizeof(struct _XCVList)); + cvl = Xmalloc(sizeof(struct _XCVList)); if (!cvl) return NULL; cvl->cv = xcondition_malloc(); @@ -512,10 +512,10 @@ void _XUserUnlockDisplay( static int _XInitDisplayLock( Display *dpy) { - dpy->lock_fns = (struct _XLockPtrs*)Xmalloc(sizeof(struct _XLockPtrs)); + dpy->lock_fns = Xmalloc(sizeof(struct _XLockPtrs)); if (dpy->lock_fns == NULL) return -1; - dpy->lock = (struct _XLockInfo *)Xmalloc(sizeof(struct _XLockInfo)); + dpy->lock = Xmalloc(sizeof(struct _XLockInfo)); if (dpy->lock == NULL) { _XFreeDisplayLock(dpy); return -1; diff --git a/libX11/src/locking.h b/libX11/src/locking.h index 96019fc91..5251a60c1 100644 --- a/libX11/src/locking.h +++ b/libX11/src/locking.h @@ -36,6 +36,8 @@ in this Software without prior written authorization from The Open Group. #define xmalloc(s) Xmalloc(s) #define xfree(s) Xfree(s) +#include <X11/Xlib.h> +#include <X11/Xlibint.h> #include <X11/Xthreads.h> struct _XCVList { diff --git a/libX11/src/pathmax.h b/libX11/src/pathmax.h new file mode 100644 index 000000000..3aa3d5097 --- /dev/null +++ b/libX11/src/pathmax.h @@ -0,0 +1,81 @@ + +/*********************************************************** + +Copyright 1987, 1988, 1998 The Open Group + +Permission to use, copy, modify, distribute, and sell this software and its +documentation for any purpose is hereby granted without fee, provided that +the above copyright notice appear in all copies and that both that +copyright notice and this permission notice appear in supporting +documentation. + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of The Open Group shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from The Open Group. + + +Copyright 1987, 1988 by Digital Equipment Corporation, Maynard, Massachusetts. + + All Rights Reserved + +Permission to use, copy, modify, and distribute this software and its +documentation for any purpose and without fee is hereby granted, +provided that the above copyright notice appear in all copies and that +both that copyright notice and this permission notice appear in +supporting documentation, and that the name of Digital not be +used in advertising or publicity pertaining to distribution of the +software without specific, written prior permission. + +DIGITAL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING +ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL +DIGITAL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR +ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, +WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, +ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +SOFTWARE. + +******************************************************************/ + +/* + * Provides a single definition of PATH_MAX instead of replicating this mess + * in multiple files + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif +#include <X11/Xos.h> + +#ifndef X_NOT_POSIX +#ifdef _POSIX_SOURCE +#include <limits.h> +#else +#define _POSIX_SOURCE +#include <limits.h> +#undef _POSIX_SOURCE +#endif +#endif +#ifndef PATH_MAX +#ifdef WIN32 +#define PATH_MAX 512 +#else +#include <sys/param.h> +#endif +#ifndef PATH_MAX +#ifdef MAXPATHLEN +#define PATH_MAX MAXPATHLEN +#else +#define PATH_MAX 1024 +#endif +#endif +#endif diff --git a/libX11/src/udcInf.c b/libX11/src/udcInf.c index b7577ac96..9ecf1566e 100644 --- a/libX11/src/udcInf.c +++ b/libX11/src/udcInf.c @@ -145,12 +145,11 @@ int *num_codeset; if(!_XlcCompareISOLatin1(charset_str,buf)){ num_ret += 1; if(num_ret == 1){ - ret = (int *)Xmalloc(sizeof(int)); + ret = Xmalloc(sizeof(int)); } else { int *prev_ret = ret; - ret = - (int *)Xrealloc(ret,num_ret*sizeof(int)); + ret = Xrealloc(ret, num_ret * sizeof(int)); if (ret == NULL){ Xfree(prev_ret); } @@ -272,7 +271,7 @@ int *num_gr; sprintf(buf, "fs%d.charset.udc_area", codeset-1); _XlcGetLocaleDataBase(lcd, "XLC_FONTSET", buf, &value, &count); if(count > 0){ - udc = (_XUDCGlyphRegion *)Xmalloc(count * sizeof(_XUDCGlyphRegion)); + udc = Xmalloc(count * sizeof(_XUDCGlyphRegion)); if(udc == NULL){ _xudc_utyerrno = 0x03 ; _xudc_utyerrno |= (0x0b<<8) ; @@ -524,7 +523,7 @@ int *num_cr; return(ret); } - crr = (_XUDCCodeRegion *)Xmalloc(num_gr*sizeof(_XUDCCodeRegion)); + crr = Xmalloc(num_gr * sizeof(_XUDCCodeRegion)); if(crr == NULL){ Xfree(gr); _xudc_utyerrno = 0x03 ; diff --git a/libX11/src/xcb_io.c b/libX11/src/xcb_io.c index fa43cfa15..26e547ee5 100644 --- a/libX11/src/xcb_io.c +++ b/libX11/src/xcb_io.c @@ -19,6 +19,7 @@ #include <stdint.h> #include <stdlib.h> #include <string.h> +#include <limits.h> #ifdef HAVE_SYS_SELECT_H #include <sys/select.h> #endif @@ -760,3 +761,19 @@ void _XEatData(Display *dpy, unsigned long n) dpy->xcb->reply_consumed += n; _XFreeReplyData(dpy, False); } + +/* + * Read and discard "n" 32-bit words of data + * Matches the units of the length field in X protocol replies, and provides + * a single implementation of overflow checking to avoid having to replicate + * those checks in every caller. + */ +void _XEatDataWords(Display *dpy, unsigned long n) +{ + if (n < ((INT_MAX - dpy->xcb->reply_consumed) >> 2)) + dpy->xcb->reply_consumed += (n << 2); + else + /* Overflow would happen, so just eat the rest of the reply */ + dpy->xcb->reply_consumed = dpy->xcb->reply_length; + _XFreeReplyData(dpy, False); +} diff --git a/libX11/src/xcms/cmsColNm.c b/libX11/src/xcms/cmsColNm.c index a6749c02e..8d0d4a771 100644 --- a/libX11/src/xcms/cmsColNm.c +++ b/libX11/src/xcms/cmsColNm.c @@ -40,6 +40,7 @@ #include <sys/stat.h> #include <stdio.h> #include <ctype.h> +#include <limits.h> #define XK_LATIN1 #include <X11/keysymdef.h> #include "Cv.h" @@ -542,7 +543,10 @@ stringSectionSize( char *pBuf; char *f1; char *f2; - int i; + size_t i; + + unsigned int numEntries = 0; + unsigned int sectionSize = 0; *pNumEntries = 0; *pSectionSize = 0; @@ -576,26 +580,37 @@ stringSectionSize( return(XcmsFailure); } - (*pNumEntries)++; + numEntries++; + if (numEntries >= INT_MAX) + return(XcmsFailure); - (*pSectionSize) += (i = strlen(f1)) + 1; + i = strlen(f1); + if (i >= INT_MAX - sectionSize) + return(XcmsFailure); + sectionSize += i + 1; for (; i; i--, f1++) { /* REMOVE SPACES FROM COUNT */ if (isspace(*f1)) { - (*pSectionSize)--; + sectionSize--; } } - (*pSectionSize) += (i = strlen(f2)) + 1; + i = strlen(f2); + if (i >= INT_MAX - sectionSize) + return(XcmsFailure); + sectionSize += i + 1; for (; i; i--, f2++) { /* REMOVE SPACES FROM COUNT */ if (isspace(*f2)) { - (*pSectionSize)--; + sectionSize--; } } } + *pNumEntries = (int) numEntries; + *pSectionSize = (int) sectionSize; + return(XcmsSuccess); } diff --git a/libX11/src/xcms/cmsMath.c b/libX11/src/xcms/cmsMath.c index 70b067587..487eb3f9c 100644 --- a/libX11/src/xcms/cmsMath.c +++ b/libX11/src/xcms/cmsMath.c @@ -35,6 +35,10 @@ in this Software without prior written authorization from The Open Group. #include "Xlibint.h" #include "Xcmsint.h" +#ifdef DEBUG +#include <stdio.h> +#endif + #include <float.h> #ifndef DBL_EPSILON #define DBL_EPSILON 1e-6 diff --git a/libX11/src/xkb/XKBExtDev.c b/libX11/src/xkb/XKBExtDev.c index 353e769bf..dd383bc10 100644 --- a/libX11/src/xkb/XKBExtDev.c +++ b/libX11/src/xkb/XKBExtDev.c @@ -181,6 +181,9 @@ int tmp; return tmp; } if (rep->nBtnsWanted>0) { + if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted) + >= devi->num_btns) + goto BAILOUT; act= &devi->btn_acts[rep->firstBtnWanted]; bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction))); } @@ -190,6 +193,9 @@ int tmp; goto BAILOUT; if (rep->nBtnsRtrn>0) { int size; + if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn) + >= devi->num_btns) + goto BAILOUT; act= &devi->btn_acts[rep->firstBtnRtrn]; size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc); if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size)) diff --git a/libX11/src/xkb/XKBGeom.c b/libX11/src/xkb/XKBGeom.c index 283bc6426..1116bc67f 100644 --- a/libX11/src/xkb/XKBGeom.c +++ b/libX11/src/xkb/XKBGeom.c @@ -360,12 +360,16 @@ Status rtrn; } ol->num_points= olWire->nPoints; } - if (shapeWire->primaryNdx!=XkbNoShape) + if ((shapeWire->primaryNdx!=XkbNoShape) && + (shapeWire->primaryNdx < shapeWire->nOutlines)) shape->primary= &shape->outlines[shapeWire->primaryNdx]; - else shape->primary= NULL; - if (shapeWire->approxNdx!=XkbNoShape) + else + shape->primary= NULL; + if ((shapeWire->approxNdx!=XkbNoShape) && + (shapeWire->approxNdx < shapeWire->nOutlines)) shape->approx= &shape->outlines[shapeWire->approxNdx]; - else shape->approx= NULL; + else + shape->approx= NULL; XkbComputeShapeBounds(shape); } return Success; @@ -611,6 +615,9 @@ XkbGeometryPtr geom; if (status==Success) status= _XkbReadGeomKeyAliases(&buf,geom,rep); left= _XkbFreeReadBuffer(&buf); + if ((rep->baseColorNdx > geom->num_colors) || + (rep->labelColorNdx > geom->num_colors)) + status = BadLength; if ((status!=Success) || left || buf.error) { if (status==Success) status= BadLength; diff --git a/libX11/src/xkb/XKBGetMap.c b/libX11/src/xkb/XKBGetMap.c index 82ae0219e..738fbc38f 100644 --- a/libX11/src/xkb/XKBGetMap.c +++ b/libX11/src/xkb/XKBGetMap.c @@ -179,9 +179,12 @@ XkbClientMapPtr map; map= xkb->map; if (map->key_sym_map==NULL) { register int offset; + int size = xkb->max_key_code + 1; XkbSymMapPtr oldMap; xkbSymMapWireDesc *newMap; - map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec); + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size) + return BadLength; + map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec); if (map->key_sym_map==NULL) return BadAlloc; if (map->syms==NULL) { @@ -237,6 +240,8 @@ XkbClientMapPtr map; KeySym * newSyms; int tmp; + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) + return BadLength; oldMap = &map->key_sym_map[rep->firstKeySym]; for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) { newMap= (xkbSymMapWireDesc *) @@ -292,6 +297,10 @@ Status ret = Success; symMap = &info->map->key_sym_map[rep->firstKeyAct]; for (i=0;i<(int)rep->nKeyActs;i++,symMap++) { if (numDesc[i]==0) { + if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) { + ret = BadLength; + goto done; + } info->server->key_acts[i+rep->firstKeyAct]= 0; } else { @@ -324,8 +333,10 @@ register int i; xkbBehaviorWireDesc *wire; if ( rep->totalKeyBehaviors>0 ) { + int size = xkb->max_key_code + 1; + if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size) + return BadLength; if ( xkb->server->behaviors == NULL ) { - int size = xkb->max_key_code+1; xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior); if (xkb->server->behaviors==NULL) return BadAlloc; @@ -337,7 +348,7 @@ xkbBehaviorWireDesc *wire; for (i=0;i<rep->totalKeyBehaviors;i++) { wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf, SIZEOF(xkbBehaviorWireDesc)); - if (wire==NULL) + if (wire==NULL || wire->key >= size) return BadLength; xkb->server->behaviors[wire->key].type= wire->type; xkb->server->behaviors[wire->key].data= wire->data; @@ -379,8 +390,10 @@ register int i; unsigned char *wire; if ( rep->totalKeyExplicit>0 ) { + int size = xkb->max_key_code + 1; + if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size) + return BadLength; if ( xkb->server->explicit == NULL ) { - int size = xkb->max_key_code+1; xkb->server->explicit = _XkbTypedCalloc(size,unsigned char); if (xkb->server->explicit==NULL) return BadAlloc; @@ -394,6 +407,8 @@ unsigned char *wire; if (!wire) return BadLength; for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) { + if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code) + return BadLength; xkb->server->explicit[wire[0]]= wire[1]; } } @@ -407,6 +422,9 @@ register int i; unsigned char *wire; if ( rep->totalModMapKeys>0 ) { + if ( ((int)rep->firstModMapKey + rep->nModMapKeys) > + (xkb->max_key_code + 1)) + return BadLength; if ((xkb->map->modmap==NULL)&& (XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) { return BadAlloc; @@ -419,6 +437,8 @@ unsigned char *wire; if (!wire) return BadLength; for (i=0;i<rep->totalModMapKeys;i++,wire+=2) { + if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code) + return BadLength; xkb->map->modmap[wire[0]]= wire[1]; } } @@ -433,6 +453,9 @@ xkbVModMapWireDesc * wire; XkbServerMapPtr srv; if ( rep->totalVModMapKeys>0 ) { + if (((int) rep->firstVModMapKey + rep->nVModMapKeys) + > xkb->max_key_code + 1) + return BadLength; if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) { return BadAlloc; @@ -489,6 +512,8 @@ unsigned mask; if ( xkb->device_spec == XkbUseCoreKbd ) xkb->device_spec= rep->deviceID; + if ( rep->maxKeyCode < rep->minKeyCode ) + return BadImplementation; xkb->min_key_code = rep->minKeyCode; xkb->max_key_code = rep->maxKeyCode; diff --git a/libX11/src/xkb/XKBNames.c b/libX11/src/xkb/XKBNames.c index 0276c05b3..3a8860be7 100644 --- a/libX11/src/xkb/XKBNames.c +++ b/libX11/src/xkb/XKBNames.c @@ -180,6 +180,8 @@ _XkbReadGetNamesReply( Display * dpy, nKeys= xkb->max_key_code+1; names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); } + if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1) + goto BAILOUT; if (names->keys!=NULL) { if (!_XkbCopyFromReadBuffer(&buf, (char *)&names->keys[rep->firstKey], diff --git a/libX11/src/xlibi18n/lcFile.c b/libX11/src/xlibi18n/lcFile.c index 576a61124..51fe8bf1c 100644 --- a/libX11/src/xlibi18n/lcFile.c +++ b/libX11/src/xlibi18n/lcFile.c @@ -54,29 +54,7 @@ #define XLC_BUFSIZE 256 -#ifndef X_NOT_POSIX -#ifdef _POSIX_SOURCE -#include <limits.h> -#else -#define _POSIX_SOURCE -#include <limits.h> -#undef _POSIX_SOURCE -#endif -#endif -#ifndef PATH_MAX -#ifdef WIN32 -#define PATH_MAX 512 -#else -#include <sys/param.h> -#endif -#ifndef PATH_MAX -#ifdef MAXPATHLEN -#define PATH_MAX MAXPATHLEN -#else -#define PATH_MAX 1024 -#endif -#endif -#endif +#include "pathmax.h" #define NUM_LOCALEDIR 64 |