aboutsummaryrefslogtreecommitdiff
path: root/libX11
diff options
context:
space:
mode:
authormarha <marha@users.sourceforge.net>2013-07-23 09:22:39 +0200
committermarha <marha@users.sourceforge.net>2013-07-23 09:22:39 +0200
commita7c19a157eb0ba6a7789fe31f5bf7a2066d7966c (patch)
treed00e9cb782f34582f722e3da544b9c42b16ac850 /libX11
parent81d811ac780a2524fff09a516b6f0212c3f209a2 (diff)
parent5c340ceb9356ea029dea53b73440268d4769d5a5 (diff)
downloadvcxsrv-a7c19a157eb0ba6a7789fe31f5bf7a2066d7966c.tar.gz
vcxsrv-a7c19a157eb0ba6a7789fe31f5bf7a2066d7966c.tar.bz2
vcxsrv-a7c19a157eb0ba6a7789fe31f5bf7a2066d7966c.zip
Merge remote-tracking branch 'origin/released'
* origin/released: libX11 libXmu mesa xserver git update 23 July 2013
Diffstat (limited to 'libX11')
-rw-r--r--libX11/specs/libX11/AppC.xml4
-rw-r--r--libX11/src/Host.c8
-rw-r--r--libX11/src/ModMap.c10
-rw-r--r--libX11/src/XlibInt.c8
4 files changed, 26 insertions, 4 deletions
diff --git a/libX11/specs/libX11/AppC.xml b/libX11/specs/libX11/AppC.xml
index df250275e..0b37048f1 100644
--- a/libX11/specs/libX11/AppC.xml
+++ b/libX11/specs/libX11/AppC.xml
@@ -2468,7 +2468,9 @@ which is the same as
<function>GetReq</function>
except that it takes an additional argument (the number of
extra bytes to allocate in the output buffer after the request structure).
-This number should always be a multiple of four.
+This number should always be a multiple of four. Note that it is possible
+for req to be set to NULL as a defensive measure if the requested length
+exceeds the Xlib's buffer size (normally 16K).
</para>
</sect2>
<sect2 id="Variable_Length_Arguments">
diff --git a/libX11/src/Host.c b/libX11/src/Host.c
index da9923a9e..da5e2f7d3 100644
--- a/libX11/src/Host.c
+++ b/libX11/src/Host.c
@@ -83,6 +83,10 @@ XAddHost (
LockDisplay(dpy);
GetReqExtra (ChangeHosts, length, req);
+ if (!req) {
+ UnlockDisplay(dpy);
+ return 0;
+ }
req->mode = HostInsert;
req->hostFamily = host->family;
req->hostLength = addrlen;
@@ -118,6 +122,10 @@ XRemoveHost (
LockDisplay(dpy);
GetReqExtra (ChangeHosts, length, req);
+ if (!req) {
+ UnlockDisplay(dpy);
+ return 0;
+ }
req->mode = HostDelete;
req->hostFamily = host->family;
req->hostLength = addrlen;
diff --git a/libX11/src/ModMap.c b/libX11/src/ModMap.c
index 04cd676eb..836a67621 100644
--- a/libX11/src/ModMap.c
+++ b/libX11/src/ModMap.c
@@ -65,9 +65,9 @@ XGetModifierMapping(register Display *dpy)
/*
* Returns:
- * 0 Success
- * 1 Busy - one or more old or new modifiers are down
- * 2 Failed - one or more new modifiers unacceptable
+ * MappingSuccess (0) Success
+ * MappingBusy (1) Busy - one or more old or new modifiers are down
+ * MappingFailed (2) Failed - one or more new modifiers unacceptable
*/
int
XSetModifierMapping(
@@ -80,6 +80,10 @@ XSetModifierMapping(
LockDisplay(dpy);
GetReqExtra(SetModifierMapping, mapSize, req);
+ if (!req) {
+ UnlockDisplay(dpy);
+ return MappingFailed;
+ }
req->numKeyPerModifier = modifier_map->max_keypermod;
diff --git a/libX11/src/XlibInt.c b/libX11/src/XlibInt.c
index 8a51f49c4..5d8b0eb4b 100644
--- a/libX11/src/XlibInt.c
+++ b/libX11/src/XlibInt.c
@@ -1753,6 +1753,14 @@ void *_XGetRequest(Display *dpy, CARD8 type, size_t len)
if (dpy->bufptr + len > dpy->bufmax)
_XFlush(dpy);
+ /* Request still too large, so do not allow it to overflow. */
+ if (dpy->bufptr + len > dpy->bufmax) {
+ fprintf(stderr,
+ "Xlib: request %d length %zd would exceed buffer size.\n",
+ type, len);
+ /* Changes failure condition from overflow to NULL dereference. */
+ return NULL;
+ }
if (len % 4)
fprintf(stderr,