xserver randrproto libxtrans fontconfig libxcb xcb-proto mesa git update 26 Jan 2014

xserver          commit c1ce807d9f18f215332d7eeb844e8c640f71c53c
libxcb           commit e7263931aff3e3450dc938ad465a7577f943549f
libxcb/xcb-proto commit d898fd39ad6c82207eb78666b2daad982dd757b5
randrproto       commit a4a6694c059d74247c16527eef4a0ec9f56bbef6
libxtrans        commit e1e6121a1638d43d9929589b4723da2b38cb6b44
fontconfig       commit e2b406053c2937799da8636c56b72a77998bcab0
mesa             commit 07149f0252c52b4ac58b6df4e307fd786b49b490

1 files changed, 27 insertions, 0 deletions

diff --git a/xorg-server/os/utils.c b/xorg-server/os/utils.c
index 6f83a089b..dc18a67b1 100644
--- a/xorg-server/os/utils.c
+++ b/xorg-server/os/utils.c
@@ -600,6 +600,10 @@ UseMsg(void)
 static int
 VerifyDisplayName(const char *d)
 {
+    int i;
+    int period_found = FALSE;
+    int after_period = 0;
+
     if (d == (char *) 0)
         return 0;               /*  null  */
     if (*d == '\0')
@@ -610,6 +614,29 @@ VerifyDisplayName(const char *d)
         return 0;               /*  must not equal "." or ".."  */
     if (strchr(d, '/') != (char *) 0)
         return 0;               /*  very important!!!  */
+
+    /* Since we run atoi() on the display later, only allow
+       for digits, or exception of :0.0 and similar (two decimal points max)
+       */
+    for (i = 0; i < strlen(d); i++) {
+        if (!isdigit(d[i])) {
+            if (d[i] != '.' || period_found)
+                return 0;
+            period_found = TRUE;
+        } else if (period_found)
+            after_period++;
+
+        if (after_period > 2)
+            return 0;
+    }
+
+    /* don't allow for :0. */
+    if (period_found && after_period == 0)
+        return 0;
+
+    if (atol(d) > INT_MAX)
+        return 0;
+
     return 1;
 }