diff options
| author | marha <marha@users.sourceforge.net> | 2015-01-04 16:25:32 +0100 |
|---|---|---|
| committer | marha <marha@users.sourceforge.net> | 2015-01-04 16:25:32 +0100 |
| commit | 5e5a48ff8cd08f123601cd0625ca62a86675aac9 (patch) | |
| tree | ea1c2cee139e8e1ce389a7f956e9874db1e0a650 /xorg-server/Xi/xichangehierarchy.c | |
| parent | a1011d63ffb5cc4f41bf0f4622ee3f1493d419d9 (diff) | |
| download | vcxsrv-5e5a48ff8cd08f123601cd0625ca62a86675aac9.tar.gz vcxsrv-5e5a48ff8cd08f123601cd0625ca62a86675aac9.tar.bz2 vcxsrv-5e5a48ff8cd08f123601cd0625ca62a86675aac9.zip | |
fontconfig libX11 mesa xserver git update 4 Jan 2015
xserver commit dc777c346d5d452a53b13b917c45f6a1bad2f20b
libX11 commit 446f5f7f41317a85a0cd0efa5e6a1b37bc99fba2
fontconfig commit 4420b27c074821a1d1f9d6ebe822a610176a417d
mesa commit 48094d0e6554a9df36bf00fc2793ade46cf92406
Diffstat (limited to 'xorg-server/Xi/xichangehierarchy.c')
| -rw-r--r-- | xorg-server/Xi/xichangehierarchy.c | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/xorg-server/Xi/xichangehierarchy.c b/xorg-server/Xi/xichangehierarchy.c index 9e36354d1..27324452d 100644 --- a/xorg-server/Xi/xichangehierarchy.c +++ b/xorg-server/Xi/xichangehierarchy.c @@ -411,7 +411,7 @@ int ProcXIChangeHierarchy(ClientPtr client) { xXIAnyHierarchyChangeInfo *any; - int required_len = sizeof(xXIChangeHierarchyReq); + size_t len; /* length of data remaining in request */ int rc = Success; int flags[MAXDEVICES] = { 0 }; @@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client) if (!stuff->num_changes) return rc; + if (stuff->length > (INT_MAX >> 2)) + return BadAlloc; + len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; while (stuff->num_changes--) { + if (len < sizeof(xXIAnyHierarchyChangeInfo)) { + rc = BadLength; + goto unwind; + } + SWAPIF(swaps(&any->type)); SWAPIF(swaps(&any->length)); - required_len += any->length; - if ((stuff->length * 4) < required_len) + if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) return BadLength; +#define CHANGE_SIZE_MATCH(type) \ + do { \ + if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ + rc = BadLength; \ + goto unwind; \ + } \ + } while(0) + switch (any->type) { case XIAddMaster: { xXIAddMasterInfo *c = (xXIAddMasterInfo *) any; + /* Variable length, due to appended name string */ + if (len < sizeof(xXIAddMasterInfo)) { + rc = BadLength; + goto unwind; + } SWAPIF(swaps(&c->name_len)); + if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { + rc = BadLength; + goto unwind; + } rc = add_master(client, c, flags); if (rc != Success) @@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; + CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); rc = remove_master(client, r, flags); if (rc != Success) goto unwind; @@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; + CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); rc = detach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; + CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); rc = attach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client) break; } + len -= any->length * 4; any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); } |