aboutsummaryrefslogtreecommitdiff
path: root/libX11/src
diff options
context:
space:
mode:
Diffstat (limited to 'libX11/src')
-rw-r--r--libX11/src/AllCells.c9
-rw-r--r--libX11/src/Cmap.h2
-rw-r--r--libX11/src/Context.c8
-rw-r--r--libX11/src/Cr.h2
-rw-r--r--libX11/src/CrGC.c2
-rw-r--r--libX11/src/Depths.c2
-rw-r--r--libX11/src/FSWrap.c6
-rw-r--r--libX11/src/Font.c90
-rw-r--r--libX11/src/FontInfo.c111
-rw-r--r--libX11/src/FontNames.c35
-rw-r--r--libX11/src/GetAtomNm.c12
-rw-r--r--libX11/src/GetDflt.c25
-rw-r--r--libX11/src/GetFPath.c36
-rw-r--r--libX11/src/GetHints.c9
-rw-r--r--libX11/src/GetImage.c12
-rw-r--r--libX11/src/GetMoEv.c26
-rw-r--r--libX11/src/GetPntMap.c31
-rw-r--r--libX11/src/GetProp.c33
-rw-r--r--libX11/src/GetRGBCMap.c3
-rw-r--r--libX11/src/ImUtil.c6
-rw-r--r--libX11/src/InitExt.c4
-rw-r--r--libX11/src/IntAtom.c6
-rw-r--r--libX11/src/Key.h3
-rw-r--r--libX11/src/KeyBind.c8
-rw-r--r--libX11/src/LiHosts.c22
-rw-r--r--libX11/src/LiICmaps.c8
-rw-r--r--libX11/src/LiProps.c8
-rw-r--r--libX11/src/ListExt.c36
-rw-r--r--libX11/src/Makefile.am1
-rw-r--r--libX11/src/ModMap.c17
-rw-r--r--libX11/src/OpenDis.c23
-rw-r--r--libX11/src/PixFormats.c4
-rw-r--r--libX11/src/PolyReg.c13
-rw-r--r--libX11/src/PropAlloc.c9
-rw-r--r--libX11/src/PutBEvent.c2
-rw-r--r--libX11/src/PutImage.c13
-rw-r--r--libX11/src/QuColors.c10
-rw-r--r--libX11/src/QuTree.c8
-rw-r--r--libX11/src/Quarks.c9
-rw-r--r--libX11/src/RdBitF.c2
-rw-r--r--libX11/src/Region.c19
-rw-r--r--libX11/src/RegstFlt.c4
-rw-r--r--libX11/src/SetFPath.c2
-rw-r--r--libX11/src/SetHints.c6
-rw-r--r--libX11/src/StrToText.c2
-rw-r--r--libX11/src/TextToStr.c4
-rw-r--r--libX11/src/VisUtil.c8
-rw-r--r--libX11/src/WrBitF.c2
-rw-r--r--libX11/src/Xintatom.h1
-rw-r--r--libX11/src/Xintconn.h1
-rw-r--r--libX11/src/XlibInt.c20
-rw-r--r--libX11/src/Xprivate.h2
-rw-r--r--libX11/src/Xresinternal.h2
-rw-r--r--libX11/src/Xrm.c50
-rw-r--r--libX11/src/locking.c8
-rw-r--r--libX11/src/locking.h2
-rw-r--r--libX11/src/pathmax.h81
-rw-r--r--libX11/src/udcInf.c9
-rw-r--r--libX11/src/xcb_io.c17
-rw-r--r--libX11/src/xcms/cmsColNm.c27
-rw-r--r--libX11/src/xcms/cmsMath.c4
-rw-r--r--libX11/src/xkb/XKBExtDev.c6
-rw-r--r--libX11/src/xkb/XKBGeom.c15
-rw-r--r--libX11/src/xkb/XKBGetMap.c33
-rw-r--r--libX11/src/xkb/XKBNames.c2
-rw-r--r--libX11/src/xlibi18n/lcFile.c24
66 files changed, 604 insertions, 413 deletions
diff --git a/libX11/src/AllCells.c b/libX11/src/AllCells.c
index ddd9c22ef..6e97e1181 100644
--- a/libX11/src/AllCells.c
+++ b/libX11/src/AllCells.c
@@ -53,8 +53,13 @@ Status XAllocColorCells(
status = _XReply(dpy, (xReply *)&rep, 0, xFalse);
if (status) {
- _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
- _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+ if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) {
+ _XEatDataWords(dpy, rep.length);
+ status = 0; /* Failure */
+ } else {
+ _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
+ _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+ }
}
UnlockDisplay(dpy);
diff --git a/libX11/src/Cmap.h b/libX11/src/Cmap.h
index 062b5383b..78cc3ea67 100644
--- a/libX11/src/Cmap.h
+++ b/libX11/src/Cmap.h
@@ -2,6 +2,8 @@
#ifndef _CMAP_H_
#define _CMAP_H_
+#include <X11/Xlib.h>
+
extern void
_XcmsDeleteCmapRec(
Display *dpy,
diff --git a/libX11/src/Context.c b/libX11/src/Context.c
index 79ae7d66c..4bb465b1a 100644
--- a/libX11/src/Context.c
+++ b/libX11/src/Context.c
@@ -111,7 +111,7 @@ static void ResizeTable(DB db)
otable = db->table;
for (i = INITHASHMASK+1; (i + i) < db->numentries; )
i += i;
- db->table = (TableEntry *) Xcalloc((unsigned)i, sizeof(TableEntry));
+ db->table = Xcalloc(i, sizeof(TableEntry));
if (!db->table) {
db->table = otable;
return;
@@ -180,11 +180,11 @@ int XSaveContext(
UnlockDisplay(display);
}
if (!db) {
- db = (DB) Xmalloc(sizeof(DBRec));
+ db = Xmalloc(sizeof(DBRec));
if (!db)
return XCNOMEM;
db->mask = INITHASHMASK;
- db->table = (TableEntry *)Xcalloc(db->mask + 1, sizeof(TableEntry));
+ db->table = Xcalloc(db->mask + 1, sizeof(TableEntry));
if (!db->table) {
Xfree((char *)db);
return XCNOMEM;
@@ -210,7 +210,7 @@ int XSaveContext(
return 0;
}
}
- entry = (TableEntry) Xmalloc(sizeof(TableEntryRec));
+ entry = Xmalloc(sizeof(TableEntryRec));
if (!entry)
return XCNOMEM;
entry->rid = rid;
diff --git a/libX11/src/Cr.h b/libX11/src/Cr.h
index 800c9ab1c..635e9e452 100644
--- a/libX11/src/Cr.h
+++ b/libX11/src/Cr.h
@@ -2,6 +2,8 @@
#ifndef _CR_H_
#define _CR_H_
+#include <X11/Xlib.h>
+
extern int _XUpdateGCCache(
register GC gc,
register unsigned long mask,
diff --git a/libX11/src/CrGC.c b/libX11/src/CrGC.c
index 11de94c1f..2d5f17c00 100644
--- a/libX11/src/CrGC.c
+++ b/libX11/src/CrGC.c
@@ -72,7 +72,7 @@ GC XCreateGC (
register _XExtension *ext;
LockDisplay(dpy);
- if ((gc = (GC)Xmalloc (sizeof(struct _XGC))) == NULL) {
+ if ((gc = Xmalloc (sizeof(struct _XGC))) == NULL) {
UnlockDisplay(dpy);
SyncHandle();
return (NULL);
diff --git a/libX11/src/Depths.c b/libX11/src/Depths.c
index f49655cb2..a8b719d00 100644
--- a/libX11/src/Depths.c
+++ b/libX11/src/Depths.c
@@ -49,7 +49,7 @@ int *XListDepths (
register Depth *dp;
register int i;
- depths = (int *) Xmalloc (count * sizeof(int));
+ depths = Xmalloc (count * sizeof(int));
if (!depths) return NULL;
for (i = 0, dp = scr->depths; i < count; i++, dp++)
depths[i] = dp->depth;
diff --git a/libX11/src/FSWrap.c b/libX11/src/FSWrap.c
index 63ca00e05..49ec3ff29 100644
--- a/libX11/src/FSWrap.c
+++ b/libX11/src/FSWrap.c
@@ -112,7 +112,7 @@ _XParseBaseFontNameList(
if (!*ptr)
break;
}
- if (!(list = (char **) Xmalloc((unsigned)sizeof(char *) * (*num + 1)))) {
+ if (!(list = Xmalloc(sizeof(char *) * (*num + 1)))) {
Xfree(psave);
return (char **)NULL;
}
@@ -133,7 +133,7 @@ copy_string_list(
if (string_list == NULL || list_count <= 0)
return (char **) NULL;
- string_list_ret = (char **) Xmalloc(sizeof(char *) * list_count);
+ string_list_ret = Xmalloc(sizeof(char *) * list_count);
if (string_list_ret == NULL)
return (char **) NULL;
@@ -142,7 +142,7 @@ copy_string_list(
for (length = 0; count-- > 0; list_src++)
length += strlen(*list_src) + 1;
- dst = (char *) Xmalloc(length);
+ dst = Xmalloc(length);
if (dst == NULL) {
Xfree(string_list_ret);
return (char **) NULL;
diff --git a/libX11/src/Font.c b/libX11/src/Font.c
index 25e1790c8..a32f740bd 100644
--- a/libX11/src/Font.c
+++ b/libX11/src/Font.c
@@ -31,6 +31,7 @@ authorization from the X Consortium and the XFree86 Project.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#if defined(XF86BIGFONT)
#define USE_XF86BIGFONT
@@ -183,7 +184,8 @@ _XQueryFont (
unsigned long seq)
{
register XFontStruct *fs;
- register long nbytes;
+ unsigned long nbytes;
+ unsigned long reply_left; /* unused data words left in reply buffer */
xQueryFontReply reply;
register xResourceReq *req;
register _XExtension *ext;
@@ -211,9 +213,10 @@ _XQueryFont (
}
if (seq)
DeqAsyncHandler(dpy, &async);
- if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) {
- _XEatData(dpy, (unsigned long)(reply.nFontProps * SIZEOF(xFontProp) +
- reply.nCharInfos * SIZEOF(xCharInfo)));
+ reply_left = reply.length -
+ ((SIZEOF(xQueryFontReply) - SIZEOF(xReply)) >> 2);
+ if (! (fs = Xmalloc (sizeof (XFontStruct)))) {
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
fs->ext_data = NULL;
@@ -239,16 +242,19 @@ _XQueryFont (
*/
fs->properties = NULL;
if (fs->n_properties > 0) {
- nbytes = reply.nFontProps * sizeof(XFontProp);
- fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes);
+ /* nFontProps is a CARD16 */
nbytes = reply.nFontProps * SIZEOF(xFontProp);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
+ fs->properties = Xmalloc (pbytes);
+ }
if (! fs->properties) {
Xfree((char *) fs);
- _XEatData(dpy, (unsigned long)
- (nbytes + reply.nCharInfos * SIZEOF(xCharInfo)));
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
_XRead32 (dpy, (long *)fs->properties, nbytes);
+ reply_left -= (nbytes >> 2);
}
/*
* If no characters in font, then it is a bad font, but
@@ -256,16 +262,21 @@ _XQueryFont (
*/
fs->per_char = NULL;
if (reply.nCharInfos > 0){
- nbytes = reply.nCharInfos * sizeof(XCharStruct);
- if (! (fs->per_char = (XCharStruct *) Xmalloc ((unsigned) nbytes))) {
+ /* nCharInfos is a CARD32 */
+ if (reply.nCharInfos < (INT_MAX / sizeof(XCharStruct))) {
+ nbytes = reply.nCharInfos * SIZEOF(xCharInfo);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t cibytes = reply.nCharInfos * sizeof(XCharStruct);
+ fs->per_char = Xmalloc (cibytes);
+ }
+ }
+ if (! fs->per_char) {
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
- _XEatData(dpy, (unsigned long)
- (reply.nCharInfos * SIZEOF(xCharInfo)));
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
- nbytes = reply.nCharInfos * SIZEOF(xCharInfo);
_XRead16 (dpy, (char *)fs->per_char, nbytes);
}
@@ -312,7 +323,7 @@ _XF86BigfontCodes (
if (pData)
return (XF86BigfontCodes *) pData->private_data;
- pData = (XExtData *) Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes));
+ pData = Xmalloc(sizeof(XExtData) + sizeof(XF86BigfontCodes));
if (!pData) {
/* Out of luck. */
return (XF86BigfontCodes *) NULL;
@@ -392,7 +403,8 @@ _XF86BigfontQueryFont (
unsigned long seq)
{
register XFontStruct *fs;
- register long nbytes;
+ unsigned long nbytes;
+ unsigned long reply_left; /* unused data left in reply buffer */
xXF86BigfontQueryFontReply reply;
register xXF86BigfontQueryFontReq *req;
register _XExtension *ext;
@@ -445,13 +457,10 @@ _XF86BigfontQueryFont (
DeqAsyncHandler(dpy, &async2);
if (seq)
DeqAsyncHandler(dpy, &async1);
- if (! (fs = (XFontStruct *) Xmalloc (sizeof (XFontStruct)))) {
- _XEatData(dpy,
- reply.nFontProps * SIZEOF(xFontProp)
- + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1)
- ? reply.nUniqCharInfos * SIZEOF(xCharInfo)
- + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16)
- : 0));
+ reply_left = reply.length -
+ ((SIZEOF(xXF86BigfontQueryFontReply) - SIZEOF(xReply)) >> 2);
+ if (! (fs = Xmalloc (sizeof (XFontStruct)))) {
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
fs->ext_data = NULL;
@@ -477,23 +486,33 @@ _XF86BigfontQueryFont (
*/
fs->properties = NULL;
if (fs->n_properties > 0) {
- nbytes = reply.nFontProps * sizeof(XFontProp);
- fs->properties = (XFontProp *) Xmalloc ((unsigned) nbytes);
+ /* nFontProps is a CARD16 */
nbytes = reply.nFontProps * SIZEOF(xFontProp);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
+ fs->properties = Xmalloc (pbytes);
+ }
if (! fs->properties) {
Xfree((char *) fs);
- _XEatData(dpy,
- nbytes
- + (reply.nCharInfos > 0 && reply.shmid == (CARD32)(-1)
- ? reply.nUniqCharInfos * SIZEOF(xCharInfo)
- + (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16)
- : 0));
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
_XRead32 (dpy, (long *)fs->properties, nbytes);
+ reply_left -= (nbytes >> 2);
}
fs->per_char = NULL;
+#ifndef LONG64
+ /* compares each part to half the maximum, which should be far more than
+ any real font needs, so the combined total doesn't overflow either */
+ if (reply.nUniqCharInfos > ((ULONG_MAX / 2) / SIZEOF(xCharInfo)) ||
+ reply.nCharInfos > ((ULONG_MAX / 2) / sizeof(CARD16))) {
+ Xfree((char *) fs->properties);
+ Xfree((char *) fs);
+ _XEatDataWords(dpy, reply_left);
+ return (XFontStruct *)NULL;
+ }
+#endif
if (reply.nCharInfos > 0) {
/* fprintf(stderr, "received font metrics, nCharInfos = %d, nUniqCharInfos = %d, shmid = %d\n", reply.nCharInfos, reply.nUniqCharInfos, reply.shmid); */
if (reply.shmid == (CARD32)(-1)) {
@@ -503,18 +522,18 @@ _XF86BigfontQueryFont (
nbytes = reply.nUniqCharInfos * SIZEOF(xCharInfo)
+ (reply.nCharInfos+1)/2 * 2 * sizeof(CARD16);
- pUniqCI = (xCharInfo *) Xmalloc (nbytes);
+ pUniqCI = Xmalloc (nbytes);
if (!pUniqCI) {
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
- if (! (fs->per_char = (XCharStruct *) Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) {
+ if (! (fs->per_char = Xmalloc (reply.nCharInfos * sizeof(XCharStruct)))) {
Xfree((char *) pUniqCI);
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, reply_left);
return (XFontStruct *)NULL;
}
_XRead16 (dpy, (char *) pUniqCI, nbytes);
@@ -537,7 +556,7 @@ _XF86BigfontQueryFont (
XEDataObject fs_union;
char *addr;
- pData = (XExtData *) Xmalloc(sizeof(XExtData));
+ pData = Xmalloc(sizeof(XExtData));
if (!pData) {
if (fs->properties) Xfree((char *) fs->properties);
Xfree((char *) fs);
@@ -569,6 +588,7 @@ _XF86BigfontQueryFont (
if (!(extcodes->serverCapabilities & CAP_VerifiedLocal)) {
struct shmid_ds buf;
if (!(shmctl(reply.shmid, IPC_STAT, &buf) >= 0
+ && reply.nCharInfos < (LONG_MAX / sizeof(XCharStruct))
&& buf.shm_segsz >= reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct) + sizeof(CARD32)
&& *(CARD32 *)(addr + reply.shmsegoffset + reply.nCharInfos * sizeof(XCharStruct)) == extcodes->serverSignature)) {
shmdt(addr);
diff --git a/libX11/src/FontInfo.c b/libX11/src/FontInfo.c
index fb296b8a8..0cb5b1910 100644
--- a/libX11/src/FontInfo.c
+++ b/libX11/src/FontInfo.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#if defined(XF86BIGFONT)
#define USE_XF86BIGFONT
@@ -45,10 +46,11 @@ int maxNames,
int *actualCount, /* RETURN */
XFontStruct **info) /* RETURN */
{
- register long nbytes;
+ unsigned long nbytes;
+ unsigned long reply_left; /* unused data left in reply buffer */
register int i;
register XFontStruct *fs;
- register int size = 0;
+ unsigned int size = 0;
XFontStruct *finfo = NULL;
char **flist = NULL;
xListFontsWithInfoReply reply;
@@ -67,52 +69,44 @@ XFontStruct **info) /* RETURN */
if (!_XReply (dpy, (xReply *) &reply,
((SIZEOF(xListFontsWithInfoReply) -
SIZEOF(xGenericReply)) >> 2), xFalse)) {
- for (j=(i-1); (j >= 0); j--) {
- Xfree(flist[j]);
- if (finfo[j].properties) Xfree((char *) finfo[j].properties);
- }
- if (flist) Xfree((char *) flist);
- if (finfo) Xfree((char *) finfo);
- UnlockDisplay(dpy);
- SyncHandle();
- return ((char **) NULL);
+ reply.nameLength = 0; /* avoid trying to read more replies */
+ reply_left = 0;
+ goto badmem;
}
- if (reply.nameLength == 0)
+ reply_left = reply.length -
+ ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply)) >> 2);
+ if (reply.nameLength == 0) {
+ _XEatDataWords(dpy, reply_left);
break;
+ }
+ if (reply.nReplies >= (INT_MAX - i)) /* avoid overflowing size */
+ goto badmem;
if ((i + reply.nReplies) >= size) {
size = i + reply.nReplies + 1;
+ if (size >= (INT_MAX / sizeof(XFontStruct)))
+ goto badmem;
+
if (finfo) {
- XFontStruct * tmp_finfo = (XFontStruct *)
- Xrealloc ((char *) finfo,
- (unsigned) (sizeof(XFontStruct) * size));
- char ** tmp_flist = (char **)
- Xrealloc ((char *) flist,
- (unsigned) (sizeof(char *) * (size+1)));
+ XFontStruct * tmp_finfo;
+ char ** tmp_flist;
+ tmp_finfo = Xrealloc (finfo, sizeof(XFontStruct) * size);
if (tmp_finfo)
finfo = tmp_finfo;
+ else
+ goto badmem;
+
+ tmp_flist = Xrealloc (flist, sizeof(char *) * (size+1));
if (tmp_flist)
flist = tmp_flist;
-
- if ((! tmp_finfo) || (! tmp_flist)) {
- /* free all the memory that we allocated */
- for (j=(i-1); (j >= 0); j--) {
- Xfree(flist[j]);
- if (finfo[j].properties)
- Xfree((char *) finfo[j].properties);
- }
- Xfree((char *) flist);
- Xfree((char *) finfo);
- goto clearwire;
- }
+ else
+ goto badmem;
}
else {
- if (! (finfo = (XFontStruct *)
- Xmalloc((unsigned) (sizeof(XFontStruct) * size))))
+ if (! (finfo = Xmalloc(sizeof(XFontStruct) * size)))
goto clearwire;
- if (! (flist = (char **)
- Xmalloc((unsigned) (sizeof(char *) * (size+1))))) {
+ if (! (flist = Xmalloc(sizeof(char *) * (size+1)))) {
Xfree((char *) finfo);
goto clearwire;
}
@@ -138,24 +132,27 @@ XFontStruct **info) /* RETURN */
fs->max_bounds = * (XCharStruct *) &reply.maxBounds;
fs->n_properties = reply.nFontProps;
+ fs->properties = NULL;
if (fs->n_properties > 0) {
- nbytes = reply.nFontProps * sizeof(XFontProp);
- if (! (fs->properties = (XFontProp *) Xmalloc((unsigned) nbytes)))
- goto badmem;
+ /* nFontProps is a CARD16 */
nbytes = reply.nFontProps * SIZEOF(xFontProp);
+ if ((nbytes >> 2) <= reply_left) {
+ size_t pbytes = reply.nFontProps * sizeof(XFontProp);
+ fs->properties = Xmalloc (pbytes);
+ }
+ if (! fs->properties)
+ goto badmem;
_XRead32 (dpy, (long *)fs->properties, nbytes);
+ reply_left -= (nbytes >> 2);
+ }
- } else
- fs->properties = NULL;
-
- j = reply.nameLength + 1;
+ /* nameLength is a CARD8 */
+ nbytes = reply.nameLength + 1;
if (!i)
- j++; /* make first string 1 byte longer, to match XListFonts */
- flist[i] = (char *) Xmalloc ((unsigned int) j);
+ nbytes++; /* make first string 1 byte longer, to match XListFonts */
+ flist[i] = Xmalloc (nbytes);
if (! flist[i]) {
if (finfo[i].properties) Xfree((char *) finfo[i].properties);
- nbytes = (reply.nameLength + 3) & ~3;
- _XEatData(dpy, (unsigned long) nbytes);
goto badmem;
}
if (!i) {
@@ -177,27 +174,25 @@ XFontStruct **info) /* RETURN */
badmem:
/* Free all memory allocated by this function. */
for (j=(i-1); (j >= 0); j--) {
- Xfree(flist[j]);
- if (finfo[j].properties) Xfree((char *) finfo[j].properties);
+ if (j == 0)
+ flist[j]--; /* was incremented above */
+ Xfree(flist[j]);
+ if (finfo[j].properties) Xfree((char *) finfo[j].properties);
}
if (flist) Xfree((char *) flist);
if (finfo) Xfree((char *) finfo);
clearwire:
/* Clear the wire. */
- do {
- if (reply.nFontProps)
- _XEatData(dpy, (unsigned long)
- (reply.nFontProps * SIZEOF(xFontProp)));
- nbytes = (reply.nameLength + 3) & ~3;
- _XEatData(dpy, (unsigned long) nbytes);
- }
- while (_XReply(dpy,(xReply *) &reply, ((SIZEOF(xListFontsWithInfoReply) -
- SIZEOF(xGenericReply)) >> 2),
- xFalse) && (reply.nameLength != 0));
-
+ _XEatDataWords(dpy, reply_left);
+ while ((reply.nameLength != 0) &&
+ _XReply(dpy, (xReply *) &reply,
+ ((SIZEOF(xListFontsWithInfoReply) - SIZEOF(xGenericReply))
+ >> 2), xTrue));
UnlockDisplay(dpy);
SyncHandle();
+ *info = NULL;
+ *actualCount = 0;
return (char **) NULL;
}
diff --git a/libX11/src/FontNames.c b/libX11/src/FontNames.c
index 3018cf2cf..b5bc7b4ba 100644
--- a/libX11/src/FontNames.c
+++ b/libX11/src/FontNames.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
char **
XListFonts(
@@ -40,11 +41,13 @@ int *actualCount) /* RETURN */
register long nbytes;
register unsigned i;
register int length;
- char **flist;
- char *ch;
+ char **flist = NULL;
+ char *ch = NULL;
+ char *chend;
+ int count = 0;
xListFontsReply rep;
register xListFontsReq *req;
- register long rlen;
+ unsigned long rlen;
LockDisplay(dpy);
GetReq(ListFonts, req);
@@ -62,15 +65,17 @@ int *actualCount) /* RETURN */
}
if (rep.nFonts) {
- flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *));
- rlen = rep.length << 2;
- ch = (char *) Xmalloc((unsigned) (rlen + 1));
+ flist = Xmalloc (rep.nFonts * sizeof(char *));
+ if (rep.length < (LONG_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
+ }
if ((! flist) || (! ch)) {
if (flist) Xfree((char *) flist);
if (ch) Xfree(ch);
- _XEatData(dpy, (unsigned long) rlen);
+ _XEatDataWords(dpy, rep.length);
*actualCount = 0;
UnlockDisplay(dpy);
SyncHandle();
@@ -81,17 +86,21 @@ int *actualCount) /* RETURN */
/*
* unpack into null terminated strings.
*/
+ chend = ch + (rlen + 1);
length = *(unsigned char *)ch;
*ch = 1; /* make sure it is non-zero for XFreeFontNames */
for (i = 0; i < rep.nFonts; i++) {
- flist[i] = ch + 1; /* skip over length */
- ch += length + 1; /* find next length ... */
- length = *(unsigned char *)ch;
- *ch = '\0'; /* and replace with null-termination */
+ if (ch + length < chend) {
+ flist[i] = ch + 1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
+ flist[i] = NULL;
}
}
- else flist = (char **) NULL;
- *actualCount = rep.nFonts;
+ *actualCount = count;
UnlockDisplay(dpy);
SyncHandle();
return (flist);
diff --git a/libX11/src/GetAtomNm.c b/libX11/src/GetAtomNm.c
index 9823c690c..32de50d23 100644
--- a/libX11/src/GetAtomNm.c
+++ b/libX11/src/GetAtomNm.c
@@ -46,7 +46,7 @@ char *_XGetAtomName(
for (idx = TABLESIZE; --idx >= 0; ) {
if ((e = *table++) && (e->atom == atom)) {
idx = strlen(EntryName(e)) + 1;
- if ((name = (char *)Xmalloc(idx)))
+ if ((name = Xmalloc(idx)))
strcpy(name, EntryName(e));
return name;
}
@@ -73,12 +73,12 @@ char *XGetAtomName(
SyncHandle();
return(NULL);
}
- if ((name = (char *) Xmalloc(rep.nameLength+1))) {
+ if ((name = Xmalloc(rep.nameLength + 1))) {
_XReadPad(dpy, name, (long)rep.nameLength);
name[rep.nameLength] = '\0';
_XUpdateAtomCache(dpy, name, atom, 0, -1, 0);
} else {
- _XEatData(dpy, (unsigned long) (rep.nameLength + 3) & ~3);
+ _XEatDataWords(dpy, rep.length);
name = (char *) NULL;
}
UnlockDisplay(dpy);
@@ -124,7 +124,7 @@ Bool _XGetAtomNameHandler(
_XGetAsyncReply(dpy, (char *)&replbuf, rep, buf, len,
(SIZEOF(xGetAtomNameReply) - SIZEOF(xReply)) >> 2,
False);
- state->names[state->idx] = (char *) Xmalloc(repl->nameLength+1);
+ state->names[state->idx] = Xmalloc(repl->nameLength + 1);
_XGetAsyncData(dpy, state->names[state->idx], buf, len,
SIZEOF(xGetAtomNameReply), repl->nameLength,
repl->length << 2);
@@ -170,13 +170,13 @@ XGetAtomNames (
}
if (missed >= 0) {
if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- if ((names_return[missed] = (char *) Xmalloc(rep.nameLength+1))) {
+ if ((names_return[missed] = Xmalloc(rep.nameLength + 1))) {
_XReadPad(dpy, names_return[missed], (long)rep.nameLength);
names_return[missed][rep.nameLength] = '\0';
_XUpdateAtomCache(dpy, names_return[missed], atoms[missed],
0, -1, 0);
} else {
- _XEatData(dpy, (unsigned long) (rep.nameLength + 3) & ~3);
+ _XEatDataWords(dpy, rep.length);
async_state.status = 0;
}
}
diff --git a/libX11/src/GetDflt.c b/libX11/src/GetDflt.c
index d32b3c65a..68ab4c918 100644
--- a/libX11/src/GetDflt.c
+++ b/libX11/src/GetDflt.c
@@ -52,30 +52,7 @@ SOFTWARE.
#include "Xlibint.h"
#include <X11/Xos.h>
#include <X11/Xresource.h>
-
-#ifndef X_NOT_POSIX
-#ifdef _POSIX_SOURCE
-#include <limits.h>
-#else
-#define _POSIX_SOURCE
-#include <limits.h>
-#undef _POSIX_SOURCE
-#endif
-#endif
-#ifndef PATH_MAX
-#ifdef WIN32
-#define PATH_MAX 512
-#else
-#include <sys/param.h>
-#endif
-#ifndef PATH_MAX
-#ifdef MAXPATHLEN
-#define PATH_MAX MAXPATHLEN
-#else
-#define PATH_MAX 1024
-#endif
-#endif
-#endif
+#include "pathmax.h"
#ifdef XTHREADS
#include <X11/Xthreads.h>
diff --git a/libX11/src/GetFPath.c b/libX11/src/GetFPath.c
index 7d497c92e..abd4a5dbd 100644
--- a/libX11/src/GetFPath.c
+++ b/libX11/src/GetFPath.c
@@ -28,15 +28,18 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
char **XGetFontPath(
register Display *dpy,
int *npaths) /* RETURN */
{
xGetFontPathReply rep;
- register long nbytes;
- char **flist;
- char *ch;
+ unsigned long nbytes;
+ char **flist = NULL;
+ char *ch = NULL;
+ char *chend;
+ int count = 0;
register unsigned i;
register int length;
register xReq *req;
@@ -46,16 +49,17 @@ char **XGetFontPath(
(void) _XReply (dpy, (xReply *) &rep, 0, xFalse);
if (rep.nPaths) {
- flist = (char **)
- Xmalloc((unsigned) rep.nPaths * sizeof (char *));
- nbytes = (long)rep.length << 2;
- ch = (char *) Xmalloc ((unsigned) (nbytes + 1));
+ flist = Xmalloc(rep.nPaths * sizeof (char *));
+ if (rep.length < (LONG_MAX >> 2)) {
+ nbytes = (unsigned long) rep.length << 2;
+ ch = Xmalloc (nbytes + 1);
/* +1 to leave room for last null-terminator */
+ }
if ((! flist) || (! ch)) {
if (flist) Xfree((char *) flist);
if (ch) Xfree(ch);
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (char **) NULL;
@@ -65,16 +69,20 @@ char **XGetFontPath(
/*
* unpack into null terminated strings.
*/
+ chend = ch + (nbytes + 1);
length = *ch;
for (i = 0; i < rep.nPaths; i++) {
- flist[i] = ch+1; /* skip over length */
- ch += length + 1; /* find next length ... */
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
+ if (ch + length < chend) {
+ flist[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+ length = *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
+ flist[i] = NULL;
}
}
- else flist = NULL;
- *npaths = rep.nPaths;
+ *npaths = count;
UnlockDisplay(dpy);
SyncHandle();
return (flist);
diff --git a/libX11/src/GetHints.c b/libX11/src/GetHints.c
index 4800fe793..3c410d33d 100644
--- a/libX11/src/GetHints.c
+++ b/libX11/src/GetHints.c
@@ -128,7 +128,7 @@ XWMHints *XGetWMHints (
return(NULL);
}
/* static copies not allowed in library, due to reentrancy constraint*/
- if ((hints = (XWMHints *) Xcalloc (1, (unsigned) sizeof(XWMHints)))) {
+ if ((hints = Xcalloc (1, sizeof(XWMHints)))) {
hints->flags = prop->flags;
hints->input = (prop->input ? True : False);
hints->initial_state = cvtINT32toInt (prop->initialState);
@@ -203,8 +203,7 @@ Status XGetIconSizes (
/* static copies not allowed in library, due to reentrancy constraint*/
nitems /= NumPropIconSizeElements;
- if (! (hp = hints = (XIconSize *)
- Xcalloc ((unsigned) nitems, (unsigned) sizeof(XIconSize)))) {
+ if (! (hp = hints = Xcalloc (nitems, sizeof(XIconSize)))) {
if (prop) Xfree ((char *) prop);
return 0;
}
@@ -317,14 +316,14 @@ XGetClassHint(
if ( (actual_type == XA_STRING) && (actual_format == 8) ) {
len_name = strlen((char *) data);
- if (! (classhint->res_name = Xmalloc((unsigned) (len_name+1)))) {
+ if (! (classhint->res_name = Xmalloc(len_name + 1))) {
Xfree((char *) data);
return (0);
}
strcpy(classhint->res_name, (char *) data);
if (len_name == nitems) len_name--;
len_class = strlen((char *) (data+len_name+1));
- if (! (classhint->res_class = Xmalloc((unsigned) (len_class+1)))) {
+ if (! (classhint->res_class = Xmalloc(len_class + 1))) {
Xfree(classhint->res_name);
classhint->res_name = (char *) NULL;
Xfree((char *) data);
diff --git a/libX11/src/GetImage.c b/libX11/src/GetImage.c
index e8f1b0309..c461abc09 100644
--- a/libX11/src/GetImage.c
+++ b/libX11/src/GetImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include <X11/Xutil.h> /* for XDestroyImage */
#include "ImUtil.h"
+#include <limits.h>
#define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))
@@ -56,7 +57,7 @@ XImage *XGetImage (
xGetImageReply rep;
register xGetImageReq *req;
char *data;
- long nbytes;
+ unsigned long nbytes;
XImage *image;
LockDisplay(dpy);
GetReq (GetImage, req);
@@ -78,10 +79,13 @@ XImage *XGetImage (
return (XImage *)NULL;
}
- nbytes = (long)rep.length << 2;
- data = (char *) Xmalloc((unsigned) nbytes);
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = (unsigned long)rep.length << 2;
+ data = Xmalloc(nbytes);
+ } else
+ data = NULL;
if (! data) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (XImage *) NULL;
diff --git a/libX11/src/GetMoEv.c b/libX11/src/GetMoEv.c
index 3db176feb..ad9c77277 100644
--- a/libX11/src/GetMoEv.c
+++ b/libX11/src/GetMoEv.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
XTimeCoord *XGetMotionEvents(
register Display *dpy,
@@ -39,7 +40,6 @@ XTimeCoord *XGetMotionEvents(
xGetMotionEventsReply rep;
register xGetMotionEventsReq *req;
XTimeCoord *tc = NULL;
- long nbytes;
LockDisplay(dpy);
GetReq(GetMotionEvents, req);
req->window = w;
@@ -52,26 +52,22 @@ XTimeCoord *XGetMotionEvents(
return (NULL);
}
- if (rep.nEvents) {
- if (! (tc = (XTimeCoord *)
- Xmalloc( (unsigned)
- (nbytes = (long) rep.nEvents * sizeof(XTimeCoord))))) {
- _XEatData (dpy, (unsigned long) nbytes);
- UnlockDisplay(dpy);
- SyncHandle();
- return (NULL);
- }
+ if (rep.nEvents && (rep.nEvents < (INT_MAX / sizeof(XTimeCoord))))
+ tc = Xmalloc(rep.nEvents * sizeof(XTimeCoord));
+ if (tc == NULL) {
+ /* server returned either no events or a bad event count */
+ *nEvents = 0;
+ _XEatDataWords (dpy, rep.length);
}
-
- *nEvents = rep.nEvents;
- nbytes = SIZEOF (xTimecoord);
+ else
{
register XTimeCoord *tcptr;
- register int i;
+ unsigned int i;
xTimecoord xtc;
+ *nEvents = (int) rep.nEvents;
for (i = rep.nEvents, tcptr = tc; i > 0; i--, tcptr++) {
- _XRead (dpy, (char *) &xtc, nbytes);
+ _XRead (dpy, (char *) &xtc, SIZEOF (xTimecoord));
tcptr->time = xtc.time;
tcptr->x = cvtINT16toShort (xtc.x);
tcptr->y = cvtINT16toShort (xtc.y);
diff --git a/libX11/src/GetPntMap.c b/libX11/src/GetPntMap.c
index 0fcdb6696..29fdf21f0 100644
--- a/libX11/src/GetPntMap.c
+++ b/libX11/src/GetPntMap.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#ifdef MIN /* some systems define this in <sys/param.h> */
#undef MIN
@@ -42,7 +43,7 @@ int XGetPointerMapping (
{
unsigned char mapping[256]; /* known fixed size */
- long nbytes, remainder = 0;
+ unsigned long nbytes, remainder = 0;
xGetPointerMappingReply rep;
register xReq *req;
@@ -54,9 +55,15 @@ int XGetPointerMapping (
return 0;
}
- nbytes = (long)rep.length << 2;
-
/* Don't count on the server returning a valid value */
+ if (rep.length >= (INT_MAX >> 2)) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+ }
+
+ nbytes = (unsigned long) rep.length << 2;
if (nbytes > sizeof mapping) {
remainder = nbytes - sizeof mapping;
nbytes = sizeof mapping;
@@ -69,7 +76,7 @@ int XGetPointerMapping (
}
if (remainder)
- _XEatData(dpy, (unsigned long)remainder);
+ _XEatData(dpy, remainder);
UnlockDisplay(dpy);
SyncHandle();
@@ -86,8 +93,8 @@ XGetKeyboardMapping (Display *dpy,
int count,
int *keysyms_per_keycode)
{
- long nbytes;
- unsigned long nkeysyms;
+ unsigned long nbytes;
+ CARD32 nkeysyms;
register KeySym *mapping = NULL;
xGetKeyboardMappingReply rep;
register xGetKeyboardMappingReq *req;
@@ -102,17 +109,19 @@ XGetKeyboardMapping (Display *dpy,
return (KeySym *) NULL;
}
- nkeysyms = (unsigned long) rep.length;
+ nkeysyms = rep.length;
if (nkeysyms > 0) {
- nbytes = nkeysyms * sizeof (KeySym);
- mapping = (KeySym *) Xmalloc ((unsigned) nbytes);
- nbytes = nkeysyms << 2;
+ if (nkeysyms < (INT_MAX / sizeof (KeySym))) {
+ nbytes = nkeysyms * sizeof (KeySym);
+ mapping = Xmalloc (nbytes);
+ }
if (! mapping) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (KeySym *) NULL;
}
+ nbytes = nkeysyms << 2;
_XRead32 (dpy, (long *) mapping, nbytes);
}
*keysyms_per_keycode = rep.keySymsPerKeyCode;
diff --git a/libX11/src/GetProp.c b/libX11/src/GetProp.c
index 5d6e0b8c4..9eb422ee3 100644
--- a/libX11/src/GetProp.c
+++ b/libX11/src/GetProp.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
int
XGetWindowProperty(
@@ -48,6 +49,13 @@ XGetWindowProperty(
register xGetPropertyReq *req;
xError error = {0};
+ /* Always initialize return values, in case callers fail to initialize
+ them and fail to check the return code for an error. */
+ *actual_type = None;
+ *actual_format = 0;
+ *nitems = *bytesafter = 0L;
+ *prop = (unsigned char *) NULL;
+
LockDisplay(dpy);
GetReq (GetProperty, req);
req->window = w;
@@ -64,10 +72,18 @@ XGetWindowProperty(
return (1); /* not Success */
}
- *prop = (unsigned char *) NULL;
if (reply.propertyType != None) {
- long nbytes, netbytes;
- switch (reply.format) {
+ unsigned long nbytes, netbytes;
+ int format = reply.format;
+
+ /*
+ * Protect against both integer overflow and just plain oversized
+ * memory allocation - no server should ever return this many props.
+ */
+ if (reply.nItems >= (INT_MAX >> 4))
+ format = -1; /* fall through to default error case */
+
+ switch (format) {
/*
* One extra byte is malloced than is needed to contain the property
* data, but this last byte is null terminated and convenient for
@@ -76,24 +92,21 @@ XGetWindowProperty(
*/
case 8:
nbytes = netbytes = reply.nItems;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XReadPad (dpy, (char *) *prop, netbytes);
break;
case 16:
nbytes = reply.nItems * sizeof (short);
netbytes = reply.nItems << 1;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead16Pad (dpy, (short *) *prop, netbytes);
break;
case 32:
nbytes = reply.nItems * sizeof (long);
netbytes = reply.nItems << 2;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead32 (dpy, (long *) *prop, netbytes);
break;
@@ -115,7 +128,7 @@ XGetWindowProperty(
break;
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) netbytes);
+ _XEatDataWords(dpy, reply.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc); /* not Success */
diff --git a/libX11/src/GetRGBCMap.c b/libX11/src/GetRGBCMap.c
index 9e227a263..2f0b752a8 100644
--- a/libX11/src/GetRGBCMap.c
+++ b/libX11/src/GetRGBCMap.c
@@ -99,8 +99,7 @@ Status XGetRGBColormaps (
/*
* allocate array
*/
- cmaps = (XStandardColormap *) Xmalloc (ncmaps *
- sizeof (XStandardColormap));
+ cmaps = Xmalloc (ncmaps * sizeof (XStandardColormap));
if (!cmaps) {
if (data) Xfree ((char *) data);
return False;
diff --git a/libX11/src/ImUtil.c b/libX11/src/ImUtil.c
index fa8d464aa..240a26181 100644
--- a/libX11/src/ImUtil.c
+++ b/libX11/src/ImUtil.c
@@ -332,7 +332,7 @@ XImage *XCreateImage (
(xpad != 8 && xpad != 16 && xpad != 32) ||
offset < 0)
return (XImage *) NULL;
- if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
+ if ((image = Xcalloc(1, sizeof(XImage))) == NULL)
return (XImage *) NULL;
image->width = width;
@@ -842,7 +842,7 @@ static XImage *_XSubImage (
register unsigned long pixel;
char *data;
- if ((subimage = (XImage *) Xcalloc (1, sizeof (XImage))) == NULL)
+ if ((subimage = Xcalloc (1, sizeof (XImage))) == NULL)
return (XImage *) NULL;
subimage->width = width;
subimage->height = height;
@@ -868,7 +868,7 @@ static XImage *_XSubImage (
_XInitImageFuncPtrs (subimage);
dsize = subimage->bytes_per_line * height;
if (subimage->format == XYPixmap) dsize = dsize * subimage->depth;
- if (((data = Xcalloc (1, (unsigned) dsize)) == NULL) && (dsize > 0)) {
+ if (((data = Xcalloc (1, dsize)) == NULL) && (dsize > 0)) {
Xfree((char *) subimage);
return (XImage *) NULL;
}
diff --git a/libX11/src/InitExt.c b/libX11/src/InitExt.c
index 53c2dbe90..f50b54984 100644
--- a/libX11/src/InitExt.c
+++ b/libX11/src/InitExt.c
@@ -50,7 +50,7 @@ XExtCodes *XInitExtension (
&codes.first_error)) return (NULL);
LockDisplay (dpy);
- if (! (ext = (_XExtension *) Xcalloc (1, sizeof (_XExtension))) ||
+ if (! (ext = Xcalloc (1, sizeof (_XExtension))) ||
! (ext->name = strdup(name))) {
if (ext) Xfree((char *) ext);
UnlockDisplay(dpy);
@@ -72,7 +72,7 @@ XExtCodes *XAddExtension (Display *dpy)
register _XExtension *ext;
LockDisplay (dpy);
- if (! (ext = (_XExtension *) Xcalloc (1, sizeof (_XExtension)))) {
+ if (! (ext = Xcalloc (1, sizeof (_XExtension)))) {
UnlockDisplay(dpy);
return (XExtCodes *) NULL;
}
diff --git a/libX11/src/IntAtom.c b/libX11/src/IntAtom.c
index 7a5625840..25466ca20 100644
--- a/libX11/src/IntAtom.c
+++ b/libX11/src/IntAtom.c
@@ -72,7 +72,7 @@ Atom _XInternAtom(
/* look in the cache first */
if (!(atoms = dpy->atoms)) {
- dpy->atoms = atoms = (AtomTable *)Xcalloc(1, sizeof(AtomTable));
+ dpy->atoms = atoms = Xcalloc(1, sizeof(AtomTable));
dpy->free_funcs->atoms = _XFreeAtomTable;
}
sig = 0;
@@ -127,7 +127,7 @@ _XUpdateAtomCache(
if (!dpy->atoms) {
if (idx < 0) {
- dpy->atoms = (AtomTable *)Xcalloc(1, sizeof(AtomTable));
+ dpy->atoms = Xcalloc(1, sizeof(AtomTable));
dpy->free_funcs->atoms = _XFreeAtomTable;
}
if (!dpy->atoms)
@@ -147,7 +147,7 @@ _XUpdateAtomCache(
}
}
}
- e = (Entry)Xmalloc(sizeof(EntryRec) + n + 1);
+ e = Xmalloc(sizeof(EntryRec) + n + 1);
if (e) {
e->sig = sig;
e->atom = atom;
diff --git a/libX11/src/Key.h b/libX11/src/Key.h
index 0fe89ba37..bb254393c 100644
--- a/libX11/src/Key.h
+++ b/libX11/src/Key.h
@@ -2,6 +2,9 @@
#ifndef _KEY_H_
#define _KEY_H_
+#include <X11/Xlib.h>
+#include <X11/Xresource.h>
+
#ifndef NEEDKTABLE
extern const unsigned char _XkeyTable[];
#endif
diff --git a/libX11/src/KeyBind.c b/libX11/src/KeyBind.c
index f22feca59..2110772ce 100644
--- a/libX11/src/KeyBind.c
+++ b/libX11/src/KeyBind.c
@@ -997,11 +997,9 @@ XRebindKeysym (
tmp = dpy->key_bindings;
nb = sizeof(KeySym) * nm;
- if ((! (p = (struct _XKeytrans *) Xcalloc( 1, sizeof(struct _XKeytrans)))) ||
- ((! (p->string = (char *) Xmalloc( (unsigned) nbytes))) &&
- (nbytes > 0)) ||
- ((! (p->modifiers = (KeySym *) Xmalloc( (unsigned) nb))) &&
- (nb > 0))) {
+ if ((! (p = Xcalloc( 1, sizeof(struct _XKeytrans)))) ||
+ ((! (p->string = Xmalloc(nbytes))) && (nbytes > 0)) ||
+ ((! (p->modifiers = Xmalloc(nb))) && (nb > 0))) {
if (p) {
if (p->string) Xfree(p->string);
if (p->modifiers) Xfree((char *) p->modifiers);
diff --git a/libX11/src/LiHosts.c b/libX11/src/LiHosts.c
index 0f5e837d1..83cf3c791 100644
--- a/libX11/src/LiHosts.c
+++ b/libX11/src/LiHosts.c
@@ -62,6 +62,8 @@ X Window System is a trademark of The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
+
/*
* can be freed using XFree.
*/
@@ -73,7 +75,6 @@ XHostAddress *XListHosts (
{
register XHostAddress *outbuf = NULL, *op;
xListHostsReply reply;
- long nbytes;
unsigned char *buf, *bp;
register unsigned i;
register xListHostsReq *req;
@@ -90,19 +91,26 @@ XHostAddress *XListHosts (
}
if (reply.nHosts) {
- nbytes = reply.length << 2; /* compute number of bytes in reply */
+ unsigned long nbytes = reply.length << 2; /* number of bytes in reply */
+ const unsigned long max_hosts = INT_MAX /
+ (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress));
+
+ if (reply.nHosts < max_hosts) {
+ unsigned long hostbytes = reply.nHosts *
+ (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress));
- op = outbuf = (XHostAddress *)
- Xmalloc((unsigned) (nbytes +
- (reply.nHosts * sizeof(XHostAddress)) +
- (reply.nHosts * sizeof(XServerInterpretedAddress))));
+ if (reply.length < (INT_MAX >> 2) &&
+ (hostbytes >> 2) < ((INT_MAX >> 2) - reply.length))
+ outbuf = Xmalloc(nbytes + hostbytes);
+ }
if (! outbuf) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, reply.length);
UnlockDisplay(dpy);
SyncHandle();
return (XHostAddress *) NULL;
}
+ op = outbuf;
sip = (XServerInterpretedAddress *)
(((unsigned char *) outbuf) + (reply.nHosts * sizeof(XHostAddress)));
bp = buf = ((unsigned char *) sip)
diff --git a/libX11/src/LiICmaps.c b/libX11/src/LiICmaps.c
index e98161916..45a2f2fd3 100644
--- a/libX11/src/LiICmaps.c
+++ b/libX11/src/LiICmaps.c
@@ -34,7 +34,7 @@ Colormap *XListInstalledColormaps(
Window win,
int *n) /* RETURN */
{
- long nbytes;
+ unsigned long nbytes;
Colormap *cmaps;
xListInstalledColormapsReply rep;
register xResourceReq *req;
@@ -51,14 +51,14 @@ Colormap *XListInstalledColormaps(
if (rep.nColormaps) {
nbytes = rep.nColormaps * sizeof(Colormap);
- cmaps = (Colormap *) Xmalloc((unsigned) nbytes);
- nbytes = rep.nColormaps << 2;
+ cmaps = Xmalloc(nbytes);
if (! cmaps) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return((Colormap *) NULL);
}
+ nbytes = rep.nColormaps << 2;
_XRead32 (dpy, (long *) cmaps, nbytes);
}
else cmaps = (Colormap *) NULL;
diff --git a/libX11/src/LiProps.c b/libX11/src/LiProps.c
index 72560aba7..d9c746563 100644
--- a/libX11/src/LiProps.c
+++ b/libX11/src/LiProps.c
@@ -34,7 +34,7 @@ Atom *XListProperties(
Window window,
int *n_props) /* RETURN */
{
- long nbytes;
+ unsigned long nbytes;
xListPropertiesReply rep;
Atom *properties;
register xResourceReq *req;
@@ -50,14 +50,14 @@ Atom *XListProperties(
if (rep.nProperties) {
nbytes = rep.nProperties * sizeof(Atom);
- properties = (Atom *) Xmalloc ((unsigned) nbytes);
- nbytes = rep.nProperties << 2;
+ properties = Xmalloc (nbytes);
if (! properties) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (Atom *) NULL;
}
+ nbytes = rep.nProperties << 2;
_XRead32 (dpy, (long *) properties, nbytes);
}
else properties = (Atom *) NULL;
diff --git a/libX11/src/ListExt.c b/libX11/src/ListExt.c
index 16b522e88..e925c4773 100644
--- a/libX11/src/ListExt.c
+++ b/libX11/src/ListExt.c
@@ -28,18 +28,21 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
char **XListExtensions(
register Display *dpy,
int *nextensions) /* RETURN */
{
xListExtensionsReply rep;
- char **list;
- char *ch;
+ char **list = NULL;
+ char *ch = NULL;
+ char *chend;
+ int count = 0;
register unsigned i;
register int length;
register xReq *req;
- register long rlen;
+ unsigned long rlen;
LockDisplay(dpy);
GetEmptyReq (ListExtensions, req);
@@ -51,16 +54,17 @@ char **XListExtensions(
}
if (rep.nExtensions) {
- list = (char **) Xmalloc (
- (unsigned)(rep.nExtensions * sizeof (char *)));
- rlen = rep.length << 2;
- ch = (char *) Xmalloc ((unsigned) rlen + 1);
+ list = Xmalloc (rep.nExtensions * sizeof (char *));
+ if (rep.length < (LONG_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc (rlen + 1);
/* +1 to leave room for last null-terminator */
+ }
if ((!list) || (!ch)) {
if (list) Xfree((char *) list);
if (ch) Xfree((char *) ch);
- _XEatData(dpy, (unsigned long) rlen);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (char **) NULL;
@@ -70,17 +74,21 @@ char **XListExtensions(
/*
* unpack into null terminated strings.
*/
+ chend = ch + (rlen + 1);
length = *ch;
for (i = 0; i < rep.nExtensions; i++) {
- list[i] = ch+1; /* skip over length */
- ch += length + 1; /* find next length ... */
- length = *ch;
- *ch = '\0'; /* and replace with null-termination */
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+ length = *ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
+ list[i] = NULL;
}
}
- else list = (char **) NULL;
- *nextensions = rep.nExtensions;
+ *nextensions = count;
UnlockDisplay(dpy);
SyncHandle();
return (list);
diff --git a/libX11/src/Makefile.am b/libX11/src/Makefile.am
index 71e02e71b..27b74b014 100644
--- a/libX11/src/Makefile.am
+++ b/libX11/src/Makefile.am
@@ -210,6 +210,7 @@ libX11_la_SOURCES = \
ParseCmd.c \
ParseCol.c \
ParseGeom.c \
+ pathmax.h \
PeekEvent.c \
PeekIfEv.c \
Pending.c \
diff --git a/libX11/src/ModMap.c b/libX11/src/ModMap.c
index c99bfdd5f..5c5b42612 100644
--- a/libX11/src/ModMap.c
+++ b/libX11/src/ModMap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
XModifierKeymap *
XGetModifierMapping(register Display *dpy)
@@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy)
GetEmptyReq(GetModifierMapping, req);
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- nbytes = (unsigned long)rep.length << 2;
- res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap));
- if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes);
+ if (rep.length < (LONG_MAX >> 2)) {
+ nbytes = (unsigned long)rep.length << 2;
+ res = Xmalloc(sizeof (XModifierKeymap));
+ if (res)
+ res->modifiermap = Xmalloc (nbytes);
+ } else
+ res = NULL;
if ((! res) || (! res->modifiermap)) {
if (res) Xfree((char *) res);
res = (XModifierKeymap *) NULL;
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
} else {
_XReadPad(dpy, (char *) res->modifiermap, (long) nbytes);
res->max_keypermod = rep.numKeyPerModifier;
@@ -92,11 +97,11 @@ XSetModifierMapping(
XModifierKeymap *
XNewModifiermap(int keyspermodifier)
{
- XModifierKeymap *res = (XModifierKeymap *) Xmalloc((sizeof (XModifierKeymap)));
+ XModifierKeymap *res = Xmalloc((sizeof (XModifierKeymap)));
if (res) {
res->max_keypermod = keyspermodifier;
res->modifiermap = (keyspermodifier > 0 ?
- (KeyCode *) Xmalloc((unsigned) (8 * keyspermodifier))
+ Xmalloc(8 * keyspermodifier)
: (KeyCode *) NULL);
if (keyspermodifier && (res->modifiermap == NULL)) {
Xfree((char *) res);
diff --git a/libX11/src/OpenDis.c b/libX11/src/OpenDis.c
index 87a3fc430..90ac8b36c 100644
--- a/libX11/src/OpenDis.c
+++ b/libX11/src/OpenDis.c
@@ -113,7 +113,7 @@ XOpenDisplay (
/*
* Attempt to allocate a display structure. Return NULL if allocation fails.
*/
- if ((dpy = (Display *)Xcalloc(1, sizeof(Display))) == NULL) {
+ if ((dpy = Xcalloc(1, sizeof(Display))) == NULL) {
return(NULL);
}
@@ -247,9 +247,7 @@ XOpenDisplay (
dpy->qlen = 0;
/* Set up free-function record */
- if ((dpy->free_funcs = (_XFreeFuncRec *)Xcalloc(1,
- sizeof(_XFreeFuncRec)))
- == NULL) {
+ if ((dpy->free_funcs = Xcalloc(1, sizeof(_XFreeFuncRec))) == NULL) {
OutOfMemory (dpy);
return(NULL);
}
@@ -317,7 +315,7 @@ XOpenDisplay (
return (NULL);
}
- dpy->vendor = (char *) Xmalloc((unsigned) (u.setup->nbytesVendor + 1));
+ dpy->vendor = Xmalloc(u.setup->nbytesVendor + 1);
if (dpy->vendor == NULL) {
OutOfMemory(dpy);
return (NULL);
@@ -343,9 +341,7 @@ XOpenDisplay (
/*
* Now iterate down setup information.....
*/
- dpy->pixmap_format =
- (ScreenFormat *)Xmalloc(
- (unsigned) (dpy->nformats *sizeof(ScreenFormat)));
+ dpy->pixmap_format = Xcalloc(dpy->nformats, sizeof(ScreenFormat));
if (dpy->pixmap_format == NULL) {
OutOfMemory (dpy);
return(NULL);
@@ -373,8 +369,7 @@ XOpenDisplay (
/*
* next the Screen structures.
*/
- dpy->screens =
- (Screen *)Xmalloc((unsigned) dpy->nscreens*sizeof(Screen));
+ dpy->screens = Xcalloc(dpy->nscreens, sizeof(Screen));
if (dpy->screens == NULL) {
OutOfMemory (dpy);
return(NULL);
@@ -416,8 +411,7 @@ XOpenDisplay (
/*
* lets set up the depth structures.
*/
- sp->depths = (Depth *)Xmalloc(
- (unsigned)sp->ndepths*sizeof(Depth));
+ sp->depths = Xcalloc(sp->ndepths, sizeof(Depth));
if (sp->depths == NULL) {
OutOfMemory (dpy);
return(NULL);
@@ -439,8 +433,7 @@ XOpenDisplay (
dp->nvisuals = u.dp->nVisuals;
u.dp = (xDepth *) (((char *) u.dp) + sz_xDepth);
if (dp->nvisuals > 0) {
- dp->visuals =
- (Visual *)Xmalloc((unsigned)dp->nvisuals*sizeof(Visual));
+ dp->visuals = Xcalloc(dp->nvisuals, sizeof(Visual));
if (dp->visuals == NULL) {
OutOfMemory (dpy);
return(NULL);
@@ -553,7 +546,7 @@ XOpenDisplay (
dpy->xdefaults[reply.nItems] = '\0';
}
else if (reply.propertyType != None)
- _XEatData(dpy, reply.nItems * (reply.format >> 3));
+ _XEatDataWords(dpy, reply.length);
}
}
UnlockDisplay(dpy);
diff --git a/libX11/src/PixFormats.c b/libX11/src/PixFormats.c
index 8e4a10027..6d9f64d2c 100644
--- a/libX11/src/PixFormats.c
+++ b/libX11/src/PixFormats.c
@@ -38,8 +38,8 @@ XPixmapFormatValues *XListPixmapFormats (
Display *dpy,
int *count) /* RETURN */
{
- XPixmapFormatValues *formats = (XPixmapFormatValues *)
- Xmalloc((unsigned) (dpy->nformats * sizeof (XPixmapFormatValues)));
+ XPixmapFormatValues *formats =
+ Xmalloc(dpy->nformats * sizeof (XPixmapFormatValues));
if (formats) {
register int i;
diff --git a/libX11/src/PolyReg.c b/libX11/src/PolyReg.c
index 74c8765fe..6d0277332 100644
--- a/libX11/src/PolyReg.c
+++ b/libX11/src/PolyReg.c
@@ -95,8 +95,7 @@ InsertEdgeInET(
{
if (*iSLLBlock > SLLSPERBLOCK-1)
{
- tmpSLLBlock =
- (ScanLineListBlock *)Xmalloc(sizeof(ScanLineListBlock));
+ tmpSLLBlock = Xmalloc(sizeof(ScanLineListBlock));
(*SLLBlock)->next = tmpSLLBlock;
tmpSLLBlock->next = (ScanLineListBlock *)NULL;
*SLLBlock = tmpSLLBlock;
@@ -410,8 +409,7 @@ static int PtsToRegion(
numRects = ((numFullPtBlocks * NUMPTSTOBUFFER) + iCurPtBlock) >> 1;
- if (!(reg->rects = (BOX *)Xrealloc((char *)reg->rects,
- (unsigned) (sizeof(BOX) * numRects)))) {
+ if (!(reg->rects = Xrealloc(reg->rects, sizeof(BOX) * numRects))) {
Xfree(prevRects);
return(0);
}
@@ -521,8 +519,7 @@ XPolygonRegion(
if (Count < 2) return region;
- if (! (pETEs = (EdgeTableEntry *)
- Xmalloc((unsigned) (sizeof(EdgeTableEntry) * Count)))) {
+ if (! (pETEs = Xmalloc(sizeof(EdgeTableEntry) * Count))) {
XDestroyRegion(region);
return (Region) NULL;
}
@@ -559,7 +556,7 @@ XPolygonRegion(
* send out the buffer
*/
if (iPts == NUMPTSTOBUFFER) {
- tmpPtBlock = (POINTBLOCK *)Xmalloc(sizeof(POINTBLOCK));
+ tmpPtBlock = Xmalloc(sizeof(POINTBLOCK));
curPtBlock->next = tmpPtBlock;
curPtBlock = tmpPtBlock;
pts = curPtBlock->pts;
@@ -605,7 +602,7 @@ XPolygonRegion(
* send out the buffer
*/
if (iPts == NUMPTSTOBUFFER) {
- tmpPtBlock = (POINTBLOCK *)Xmalloc(sizeof(POINTBLOCK));
+ tmpPtBlock = Xmalloc(sizeof(POINTBLOCK));
curPtBlock->next = tmpPtBlock;
curPtBlock = tmpPtBlock;
pts = curPtBlock->pts;
diff --git a/libX11/src/PropAlloc.c b/libX11/src/PropAlloc.c
index 516283080..87817d88a 100644
--- a/libX11/src/PropAlloc.c
+++ b/libX11/src/PropAlloc.c
@@ -39,20 +39,19 @@ in this Software without prior written authorization from The Open Group.
XSizeHints *XAllocSizeHints (void)
{
- return ((XSizeHints *) Xcalloc (1, (unsigned) sizeof (XSizeHints)));
+ return Xcalloc (1, sizeof (XSizeHints));
}
XStandardColormap *XAllocStandardColormap (void)
{
- return ((XStandardColormap *)
- Xcalloc (1, (unsigned) sizeof (XStandardColormap)));
+ return Xcalloc (1, sizeof (XStandardColormap));
}
XWMHints *XAllocWMHints (void)
{
- return ((XWMHints *) Xcalloc (1, (unsigned) sizeof (XWMHints)));
+ return Xcalloc (1, sizeof (XWMHints));
}
@@ -64,7 +63,7 @@ XClassHint *XAllocClassHint (void)
XIconSize *XAllocIconSize (void)
{
- return ((XIconSize *) Xcalloc (1, (unsigned) sizeof (XIconSize)));
+ return Xcalloc (1, sizeof (XIconSize));
}
diff --git a/libX11/src/PutBEvent.c b/libX11/src/PutBEvent.c
index f9d4c29bd..1768e032c 100644
--- a/libX11/src/PutBEvent.c
+++ b/libX11/src/PutBEvent.c
@@ -41,7 +41,7 @@ _XPutBackEvent (
XEvent store = *event;
if (!dpy->qfree) {
- if ((dpy->qfree = (_XQEvent *) Xmalloc (sizeof (_XQEvent))) == NULL) {
+ if ((dpy->qfree = Xmalloc (sizeof (_XQEvent))) == NULL) {
return 0;
}
dpy->qfree->next = NULL;
diff --git a/libX11/src/PutImage.c b/libX11/src/PutImage.c
index 6dad4f13a..2a694f099 100644
--- a/libX11/src/PutImage.c
+++ b/libX11/src/PutImage.c
@@ -680,7 +680,7 @@ SendXYImage(
length = ROUNDUP(length, 4);
if ((dpy->bufptr + length) > dpy->bufmax) {
- if ((buf = _XAllocScratch(dpy, (unsigned long) (length))) == NULL) {
+ if ((buf = _XAllocScratch(dpy, length)) == NULL) {
UnGetReq(PutImage);
return;
}
@@ -703,13 +703,13 @@ SendXYImage(
bytes_per_temp_plane = bytes_per_line * req->height;
temp_length = ROUNDUP(bytes_per_temp_plane * image->depth, 4);
if (buf == dpy->bufptr) {
- if (! (temp = _XAllocScratch(dpy, (unsigned long) temp_length))) {
+ if (! (temp = _XAllocScratch(dpy, temp_length))) {
UnGetReq(PutImage);
return;
}
}
else
- if ((extra = temp = Xmalloc((unsigned) temp_length)) == NULL) {
+ if ((extra = temp = Xmalloc(temp_length)) == NULL) {
UnGetReq(PutImage);
return;
}
@@ -778,8 +778,7 @@ SendZImage(
(req_yoffset * image->bytes_per_line) +
((req_xoffset * image->bits_per_pixel) >> 3);
if ((image->bits_per_pixel == 4) && ((unsigned int) req_xoffset & 0x01)) {
- if (! (shifted_src = (unsigned char *)
- Xmalloc((unsigned) (req->height * image->bytes_per_line)))) {
+ if (! (shifted_src = Xmalloc(req->height * image->bytes_per_line))) {
UnGetReq(PutImage);
return;
}
@@ -810,7 +809,7 @@ SendZImage(
dest = (unsigned char *)dpy->bufptr;
else
if ((dest = (unsigned char *)
- _XAllocScratch(dpy, (unsigned long)(length))) == NULL) {
+ _XAllocScratch(dpy, length)) == NULL) {
if (shifted_src) Xfree((char *) shifted_src);
UnGetReq(PutImage);
return;
@@ -1001,7 +1000,7 @@ XPutImage (
img.bits_per_pixel = dest_bits_per_pixel;
img.bytes_per_line = ROUNDUP((dest_bits_per_pixel * width),
dest_scanline_pad) >> 3;
- img.data = Xmalloc((unsigned) (img.bytes_per_line * height));
+ img.data = Xmalloc(img.bytes_per_line * height);
if (img.data == NULL)
return 0;
_XInitImageFuncPtrs(&img);
diff --git a/libX11/src/QuColors.c b/libX11/src/QuColors.c
index d02958eca..af7102297 100644
--- a/libX11/src/QuColors.c
+++ b/libX11/src/QuColors.c
@@ -37,9 +37,7 @@ _XQueryColors(
int ncolors)
{
register int i;
- xrgb *color;
xQueryColorsReply rep;
- long nbytes;
register xQueryColorsReq *req;
GetReq(QueryColors, req);
@@ -52,8 +50,9 @@ _XQueryColors(
/* XXX this isn't very efficient */
if (_XReply(dpy, (xReply *) &rep, 0, xFalse) != 0) {
- if ((color = (xrgb *)
- Xmalloc((unsigned) (nbytes = (long) ncolors * SIZEOF(xrgb))))) {
+ unsigned long nbytes = (long) ncolors * SIZEOF(xrgb);
+ xrgb *color = Xmalloc(nbytes);
+ if (color != NULL) {
_XRead(dpy, (char *) color, nbytes);
@@ -67,7 +66,8 @@ _XQueryColors(
}
Xfree((char *)color);
}
- else _XEatData(dpy, (unsigned long) nbytes);
+ else
+ _XEatDataWords(dpy, rep.length);
}
}
diff --git a/libX11/src/QuTree.c b/libX11/src/QuTree.c
index 3cea282fa..8da2ae261 100644
--- a/libX11/src/QuTree.c
+++ b/libX11/src/QuTree.c
@@ -37,7 +37,7 @@ Status XQueryTree (
Window **children, /* RETURN */
unsigned int *nchildren) /* RETURN */
{
- long nbytes;
+ unsigned long nbytes;
xQueryTreeReply rep;
register xResourceReq *req;
@@ -52,14 +52,14 @@ Status XQueryTree (
*children = (Window *) NULL;
if (rep.nChildren != 0) {
nbytes = rep.nChildren * sizeof(Window);
- *children = (Window *) Xmalloc((unsigned) nbytes);
- nbytes = rep.nChildren << 2;
+ *children = Xmalloc(nbytes);
if (! *children) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (0);
}
+ nbytes = rep.nChildren << 2;
_XRead32 (dpy, (long *) *children, nbytes);
}
*parent = rep.parent;
diff --git a/libX11/src/Quarks.c b/libX11/src/Quarks.c
index 4eb90c51d..60fe127bd 100644
--- a/libX11/src/Quarks.c
+++ b/libX11/src/Quarks.c
@@ -186,15 +186,14 @@ ExpandQuarkTable(void)
newmask = (oldmask << 1) + 1;
else {
if (!stringTable) {
- stringTable = (XrmString **)Xmalloc(sizeof(XrmString *) *
- CHUNKPER);
+ stringTable = Xmalloc(sizeof(XrmString *) * CHUNKPER);
if (!stringTable)
return False;
stringTable[0] = (XrmString *)NULL;
}
#ifdef PERMQ
if (!permTable)
- permTable = (Bits **)Xmalloc(sizeof(Bits *) * CHUNKPER);
+ permTable = Xmalloc(sizeof(Bits *) * CHUNKPER);
if (!permTable)
return False;
#endif
@@ -289,13 +288,13 @@ nomatch: if (!rehash)
q = nextQuark;
if (!(q & QUANTUMMASK)) {
if (!(q & CHUNKMASK)) {
- if (!(new = Xrealloc((char *)stringTable,
+ if (!(new = Xrealloc(stringTable,
sizeof(XrmString *) *
((q >> QUANTUMSHIFT) + CHUNKPER))))
goto fail;
stringTable = (XrmString **)new;
#ifdef PERMQ
- if (!(new = Xrealloc((char *)permTable,
+ if (!(new = Xrealloc(permTable,
sizeof(Bits *) *
((q >> QUANTUMSHIFT) + CHUNKPER))))
goto fail;
diff --git a/libX11/src/RdBitF.c b/libX11/src/RdBitF.c
index afdaee7fc..d20731215 100644
--- a/libX11/src/RdBitF.c
+++ b/libX11/src/RdBitF.c
@@ -192,7 +192,7 @@ XReadBitmapFileData (
bytes_per_line = (ww+7)/8 + padding;
size = bytes_per_line * hh;
- bits = (unsigned char *) Xmalloc ((unsigned int) size);
+ bits = Xmalloc (size);
if (!bits)
RETURN (BitmapNoMemory);
diff --git a/libX11/src/Region.c b/libX11/src/Region.c
index 41047b242..d3d431a64 100644
--- a/libX11/src/Region.c
+++ b/libX11/src/Region.c
@@ -139,9 +139,9 @@ XCreateRegion(void)
{
Region temp;
- if (! (temp = ( Region )Xmalloc( (unsigned) sizeof( REGION ))))
+ if (! (temp = Xmalloc(sizeof( REGION ))))
return (Region) NULL;
- if (! (temp->rects = ( BOX * )Xmalloc( (unsigned) sizeof( BOX )))) {
+ if (! (temp->rects = Xmalloc(sizeof( BOX )))) {
Xfree((char *) temp);
return (Region) NULL;
}
@@ -521,9 +521,9 @@ miRegionCopy(
{
BOX *prevRects = dstrgn->rects;
- if (! (dstrgn->rects = (BOX *)
- Xrealloc((char *) dstrgn->rects,
- (unsigned) rgn->numRects * (sizeof(BOX))))) {
+ dstrgn->rects = Xrealloc(dstrgn->rects,
+ rgn->numRects * (sizeof(BOX)));
+ if (! dstrgn->rects) {
Xfree(prevRects);
return;
}
@@ -788,8 +788,7 @@ miRegionOp(
*/
newReg->size = max(reg1->numRects,reg2->numRects) * 2;
- if (! (newReg->rects = (BoxPtr)
- Xmalloc ((unsigned) (sizeof(BoxRec) * newReg->size)))) {
+ if (! (newReg->rects = Xmalloc (sizeof(BoxRec) * newReg->size))) {
newReg->size = 0;
return;
}
@@ -980,8 +979,8 @@ miRegionOp(
{
BoxPtr prev_rects = newReg->rects;
newReg->size = newReg->numRects;
- newReg->rects = (BoxPtr) Xrealloc ((char *) newReg->rects,
- (unsigned) (sizeof(BoxRec) * newReg->size));
+ newReg->rects = Xrealloc (newReg->rects,
+ sizeof(BoxRec) * newReg->size);
if (! newReg->rects)
newReg->rects = prev_rects;
}
@@ -993,7 +992,7 @@ miRegionOp(
*/
newReg->size = 1;
Xfree((char *) newReg->rects);
- newReg->rects = (BoxPtr) Xmalloc(sizeof(BoxRec));
+ newReg->rects = Xmalloc(sizeof(BoxRec));
}
}
Xfree ((char *) oldRects);
diff --git a/libX11/src/RegstFlt.c b/libX11/src/RegstFlt.c
index 9a560e794..5a1faa7e9 100644
--- a/libX11/src/RegstFlt.c
+++ b/libX11/src/RegstFlt.c
@@ -85,7 +85,7 @@ _XRegisterFilterByMask(
{
XFilterEventRec *rec;
- rec = (XFilterEventList)Xmalloc(sizeof(XFilterEventRec));
+ rec = Xmalloc(sizeof(XFilterEventRec));
if (!rec)
return;
rec->window = window;
@@ -117,7 +117,7 @@ _XRegisterFilterByType(
{
XFilterEventRec *rec;
- rec = (XFilterEventList)Xmalloc(sizeof(XFilterEventRec));
+ rec = Xmalloc(sizeof(XFilterEventRec));
if (!rec)
return;
rec->window = window;
diff --git a/libX11/src/SetFPath.c b/libX11/src/SetFPath.c
index 89955c23e..b1afd8201 100644
--- a/libX11/src/SetFPath.c
+++ b/libX11/src/SetFPath.c
@@ -52,7 +52,7 @@ XSetFontPath (
}
nbytes = (n + 3) & ~3;
req->length += nbytes >> 2;
- if ((p = (char *) Xmalloc ((unsigned) nbytes))) {
+ if ((p = Xmalloc (nbytes))) {
/*
* pack into counted strings.
*/
diff --git a/libX11/src/SetHints.c b/libX11/src/SetHints.c
index 1cde48f85..0ae076438 100644
--- a/libX11/src/SetHints.c
+++ b/libX11/src/SetHints.c
@@ -184,7 +184,7 @@ XSetIconSizes (
#define size_of_the_real_thing sizeof /* avoid grepping screwups */
unsigned nbytes = count * size_of_the_real_thing(xPropIconSize);
#undef size_of_the_real_thing
- if ((prop = pp = (xPropIconSize *) Xmalloc (nbytes))) {
+ if ((prop = pp = Xmalloc (nbytes))) {
for (i = 0; i < count; i++) {
pp->minWidth = list->min_width;
pp->minHeight = list->min_height;
@@ -216,7 +216,7 @@ XSetCommand (
for (i = 0, nbytes = 0; i < argc; i++) {
nbytes += safestrlen(argv[i]) + 1;
}
- if ((bp = buf = Xmalloc((unsigned) nbytes))) {
+ if ((bp = buf = Xmalloc(nbytes))) {
/* copy arguments into single buffer */
for (i = 0; i < argc; i++) {
if (argv[i]) {
@@ -299,7 +299,7 @@ XSetClassHint(
len_nm = safestrlen(classhint->res_name);
len_cl = safestrlen(classhint->res_class);
- if ((class_string = s = Xmalloc((unsigned) (len_nm + len_cl + 2)))) {
+ if ((class_string = s = Xmalloc(len_nm + len_cl + 2))) {
if (len_nm) {
strcpy(s, classhint->res_name);
s += len_nm + 1;
diff --git a/libX11/src/StrToText.c b/libX11/src/StrToText.c
index b5327e8fc..ef927f3d9 100644
--- a/libX11/src/StrToText.c
+++ b/libX11/src/StrToText.c
@@ -78,7 +78,7 @@ Status XStringListToTextProperty (
}
}
} else {
- proto.value = (unsigned char *) Xmalloc (1); /* easier for client */
+ proto.value = Xmalloc (1); /* easier for client */
if (!proto.value) return False;
proto.value[0] = '\0';
diff --git a/libX11/src/TextToStr.c b/libX11/src/TextToStr.c
index 216391c2e..36d9f0706 100644
--- a/libX11/src/TextToStr.c
+++ b/libX11/src/TextToStr.c
@@ -72,10 +72,10 @@ Status XTextPropertyToStringList (
/*
* allocate list and duplicate
*/
- list = (char **) Xmalloc (nelements * sizeof (char *));
+ list = Xmalloc (nelements * sizeof (char *));
if (!list) return False;
- start = (char *) Xmalloc ((datalen + 1) * sizeof (char)); /* for <NUL> */
+ start = Xmalloc ((datalen + 1) * sizeof (char)); /* for <NUL> */
if (!start) {
Xfree ((char *) list);
return False;
diff --git a/libX11/src/VisUtil.c b/libX11/src/VisUtil.c
index 3434c0161..aa679928a 100644
--- a/libX11/src/VisUtil.c
+++ b/libX11/src/VisUtil.c
@@ -75,8 +75,7 @@ XVisualInfo *XGetVisualInfo(
count = 0;
total = 10;
- if (! (vip_base = vip = (XVisualInfo *)
- Xmalloc((unsigned) (sizeof(XVisualInfo) * total)))) {
+ if (! (vip_base = vip = Xmalloc(sizeof(XVisualInfo) * total))) {
UnlockDisplay(dpy);
return (XVisualInfo *) NULL;
}
@@ -132,9 +131,8 @@ XVisualInfo *XGetVisualInfo(
{
XVisualInfo *old_vip_base = vip_base;
total += 10;
- if (! (vip_base = (XVisualInfo *)
- Xrealloc((char *) vip_base,
- (unsigned) (sizeof(XVisualInfo) * total)))) {
+ if (! (vip_base = Xrealloc(vip_base,
+ sizeof(XVisualInfo) * total))) {
Xfree((char *) old_vip_base);
UnlockDisplay(dpy);
return (XVisualInfo *) NULL;
diff --git a/libX11/src/WrBitF.c b/libX11/src/WrBitF.c
index 1ec6280fb..75a93a79d 100644
--- a/libX11/src/WrBitF.c
+++ b/libX11/src/WrBitF.c
@@ -53,7 +53,7 @@ static char *Format_Image(
bytes_per_line = (width+7)/8;
*resultsize = bytes_per_line * height; /* Calculate size of data */
- data = (char *) Xmalloc( *resultsize ); /* Get space for data */
+ data = Xmalloc( *resultsize ); /* Get space for data */
if (!data)
return(ERR_RETURN);
diff --git a/libX11/src/Xintatom.h b/libX11/src/Xintatom.h
index 82dba36e1..516a72b1d 100644
--- a/libX11/src/Xintatom.h
+++ b/libX11/src/Xintatom.h
@@ -2,6 +2,7 @@
#ifndef _XINTATOM_H_
#define _XINTATOM_H_ 1
+#include <X11/Xlib.h>
#include <X11/Xfuncproto.h>
/* IntAtom.c */
diff --git a/libX11/src/Xintconn.h b/libX11/src/Xintconn.h
index db59061a0..cd9aee32e 100644
--- a/libX11/src/Xintconn.h
+++ b/libX11/src/Xintconn.h
@@ -3,6 +3,7 @@
#define _XINTCONN_H_ 1
#include <X11/Xfuncproto.h>
+#include <X11/Xlib.h>
_XFUNCPROTOBEGIN
diff --git a/libX11/src/XlibInt.c b/libX11/src/XlibInt.c
index 310ce31f0..8a51f49c4 100644
--- a/libX11/src/XlibInt.c
+++ b/libX11/src/XlibInt.c
@@ -167,7 +167,7 @@ Bool _XPollfdCacheInit(
#ifdef USE_POLL
struct pollfd *pfp;
- pfp = (struct pollfd *)Xmalloc(POLLFD_CACHE_SIZE * sizeof(struct pollfd));
+ pfp = Xmalloc(POLLFD_CACHE_SIZE * sizeof(struct pollfd));
if (!pfp)
return False;
pfp[0].fd = dpy->fd;
@@ -394,10 +394,10 @@ _XRegisterInternalConnection(
struct _XConnWatchInfo *watchers;
XPointer *wd;
- new_conni = (struct _XConnectionInfo*)Xmalloc(sizeof(struct _XConnectionInfo));
+ new_conni = Xmalloc(sizeof(struct _XConnectionInfo));
if (!new_conni)
return 0;
- new_conni->watch_data = (XPointer *)Xmalloc(dpy->watcher_count * sizeof(XPointer));
+ new_conni->watch_data = Xmalloc(dpy->watcher_count * sizeof(XPointer));
if (!new_conni->watch_data) {
Xfree(new_conni);
return 0;
@@ -484,7 +484,7 @@ XInternalConnectionNumbers(
count = 0;
for (info_list=dpy->im_fd_info; info_list; info_list=info_list->next)
count++;
- fd_list = (int*) Xmalloc (count * sizeof(int));
+ fd_list = Xmalloc (count * sizeof(int));
if (!fd_list) {
UnlockDisplay(dpy);
return 0;
@@ -557,9 +557,8 @@ XAddConnectionWatch(
/* allocate new watch data */
for (info_list=dpy->im_fd_info; info_list; info_list=info_list->next) {
- wd_array = (XPointer *)Xrealloc((char *)info_list->watch_data,
- (dpy->watcher_count + 1) *
- sizeof(XPointer));
+ wd_array = Xrealloc(info_list->watch_data,
+ (dpy->watcher_count + 1) * sizeof(XPointer));
if (!wd_array) {
UnlockDisplay(dpy);
return 0;
@@ -568,7 +567,7 @@ XAddConnectionWatch(
wd_array[dpy->watcher_count] = NULL; /* for cleanliness */
}
- new_watcher = (struct _XConnWatchInfo*)Xmalloc(sizeof(struct _XConnWatchInfo));
+ new_watcher = Xmalloc(sizeof(struct _XConnWatchInfo));
if (!new_watcher) {
UnlockDisplay(dpy);
return 0;
@@ -776,8 +775,7 @@ void _XEnq(
/* If dpy->qfree is non-NULL do this, else malloc a new one. */
dpy->qfree = qelt->next;
}
- else if ((qelt =
- (_XQEvent *) Xmalloc((unsigned)sizeof(_XQEvent))) == NULL) {
+ else if ((qelt = Xmalloc(sizeof(_XQEvent))) == NULL) {
/* Malloc call failed! */
ESET(ENOMEM);
_XIOError(dpy);
@@ -1538,7 +1536,7 @@ char *_XAllocScratch(
{
if (nbytes > dpy->scratch_length) {
if (dpy->scratch_buffer) Xfree (dpy->scratch_buffer);
- if ((dpy->scratch_buffer = Xmalloc((unsigned) nbytes)))
+ if ((dpy->scratch_buffer = Xmalloc(nbytes)))
dpy->scratch_length = nbytes;
else dpy->scratch_length = 0;
}
diff --git a/libX11/src/Xprivate.h b/libX11/src/Xprivate.h
index 006b1705e..6bfe70baa 100644
--- a/libX11/src/Xprivate.h
+++ b/libX11/src/Xprivate.h
@@ -8,6 +8,8 @@
#ifndef XPRIVATE_H
#define XPRIVATE_H
+#include <X11/Xlib.h>
+
extern _X_HIDDEN void _XIDHandler(Display *dpy);
extern _X_HIDDEN void _XSeqSyncFunction(Display *dpy);
extern _X_HIDDEN void _XSetPrivSyncFunction(Display *dpy);
diff --git a/libX11/src/Xresinternal.h b/libX11/src/Xresinternal.h
index c2f355fe6..b5cc7ffc4 100644
--- a/libX11/src/Xresinternal.h
+++ b/libX11/src/Xresinternal.h
@@ -2,6 +2,8 @@
#ifndef _XRESINTERNAL_H_
#define _XRESINTERNAL_H_
+#include <X11/Xlib.h>
+#include <X11/Xresource.h>
#include <inttypes.h>
/* type defines */
diff --git a/libX11/src/Xrm.c b/libX11/src/Xrm.c
index d6899d970..d8272ee78 100644
--- a/libX11/src/Xrm.c
+++ b/libX11/src/Xrm.c
@@ -62,6 +62,7 @@ from The Open Group.
#endif
#include <X11/Xos.h>
#include <sys/stat.h>
+#include <limits.h>
#include "Xresinternal.h"
#include "Xresource.h"
@@ -494,7 +495,7 @@ static XrmDatabase NewDatabase(void)
{
register XrmDatabase db;
- db = (XrmDatabase) Xmalloc(sizeof(XrmHashBucketRec));
+ db = Xmalloc(sizeof(XrmHashBucketRec));
if (db) {
_XCreateMutex(&db->linfo);
db->table = (NTable)NULL;
@@ -827,7 +828,7 @@ static void PutEntry(
NTable *nprev, *firstpprev;
#define NEWTABLE(q,i) \
- table = (NTable)Xmalloc(sizeof(LTableRec)); \
+ table = Xmalloc(sizeof(LTableRec)); \
if (!table) \
return; \
table->name = q; \
@@ -840,7 +841,7 @@ static void PutEntry(
nprev = NodeBuckets(table); \
} else { \
table->leaf = 1; \
- if (!(nprev = (NTable *)Xmalloc(sizeof(VEntry *)))) {\
+ if (!(nprev = Xmalloc(sizeof(VEntry *)))) {\
Xfree(table); \
return; \
} \
@@ -954,9 +955,8 @@ static void PutEntry(
prev = nprev;
}
/* now allocate the value entry */
- entry = (VEntry)Xmalloc(((type == XrmQString) ?
- sizeof(VEntryRec) : sizeof(DEntryRec)) +
- value->size);
+ entry = Xmalloc(((type == XrmQString) ?
+ sizeof(VEntryRec) : sizeof(DEntryRec)) + value->size);
if (!entry)
return;
entry->name = q = *quarks;
@@ -986,13 +986,12 @@ static void PutEntry(
if (resourceQuarks) {
unsigned char *prevQuarks = resourceQuarks;
- resourceQuarks = (unsigned char *)Xrealloc((char *)resourceQuarks,
- size);
+ resourceQuarks = Xrealloc(resourceQuarks, size);
if (!resourceQuarks) {
Xfree(prevQuarks);
}
} else
- resourceQuarks = (unsigned char *)Xmalloc(size);
+ resourceQuarks = Xmalloc(size);
if (resourceQuarks) {
bzero((char *)&resourceQuarks[oldsize], size - oldsize);
maxResourceQuark = (size << 3) - 1;
@@ -1087,13 +1086,15 @@ static void GetIncludeFile(
XrmDatabase db,
_Xconst char *base,
_Xconst char *fname,
- int fnamelen);
+ int fnamelen,
+ int depth);
static void GetDatabase(
XrmDatabase db,
_Xconst char *str,
_Xconst char *filename,
- Bool doall)
+ Bool doall,
+ int depth)
{
char *rhs;
char *lhs, lhs_s[DEF_BUFF_SIZE];
@@ -1135,11 +1136,11 @@ static void GetDatabase(
str_len = strlen (str);
if (DEF_BUFF_SIZE > str_len) lhs = lhs_s;
- else if ((lhs = (char*) Xmalloc (str_len)) == NULL)
+ else if ((lhs = Xmalloc (str_len)) == NULL)
return;
alloc_chars = DEF_BUFF_SIZE < str_len ? str_len : DEF_BUFF_SIZE;
- if ((rhs = (char*) Xmalloc (alloc_chars)) == NULL) {
+ if ((rhs = Xmalloc (alloc_chars)) == NULL) {
if (lhs != lhs_s) Xfree (lhs);
return;
}
@@ -1203,7 +1204,8 @@ static void GetDatabase(
} while (c != '"' && !is_EOL(bits));
/* must have an ending " */
if (c == '"')
- GetIncludeFile(db, filename, fname, str - len - fname);
+ GetIncludeFile(db, filename, fname, str - len - fname,
+ depth);
}
}
/* spin to next newline */
@@ -1544,7 +1546,7 @@ XrmPutLineResource(
{
if (!*pdb) *pdb = NewDatabase();
_XLockMutex(&(*pdb)->linfo);
- GetDatabase(*pdb, line, (char *)NULL, False);
+ GetDatabase(*pdb, line, (char *)NULL, False, 0);
_XUnlockMutex(&(*pdb)->linfo);
}
@@ -1556,7 +1558,7 @@ XrmGetStringDatabase(
db = NewDatabase();
_XLockMutex(&db->linfo);
- GetDatabase(db, data, (char *)NULL, True);
+ GetDatabase(db, data, (char *)NULL, True, 0);
_XUnlockMutex(&db->linfo);
return db;
}
@@ -1594,11 +1596,12 @@ ReadInFile(_Xconst char *filename)
*/
{
struct stat status_buffer;
- if ( (fstat(fd, &status_buffer)) == -1 ) {
+ if ( ((fstat(fd, &status_buffer)) == -1 ) ||
+ (status_buffer.st_size >= INT_MAX) ) {
close (fd);
return (char *)NULL;
} else
- size = status_buffer.st_size;
+ size = (int) status_buffer.st_size;
}
if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */
@@ -1634,7 +1637,8 @@ GetIncludeFile(
XrmDatabase db,
_Xconst char *base,
_Xconst char *fname,
- int fnamelen)
+ int fnamelen,
+ int depth)
{
int len;
char *str;
@@ -1642,6 +1646,8 @@ GetIncludeFile(
if (fnamelen <= 0 || fnamelen >= BUFSIZ)
return;
+ if (depth >= MAXDBDEPTH)
+ return;
if (*fname != '/' && base && (str = strrchr(base, '/'))) {
len = str - base + 1;
if (len + fnamelen >= BUFSIZ)
@@ -1655,7 +1661,7 @@ GetIncludeFile(
}
if (!(str = ReadInFile(realfname)))
return;
- GetDatabase(db, str, realfname, True);
+ GetDatabase(db, str, realfname, True, depth + 1);
Xfree(str);
}
@@ -1671,7 +1677,7 @@ XrmGetFileDatabase(
db = NewDatabase();
_XLockMutex(&db->linfo);
- GetDatabase(db, str, filename, True);
+ GetDatabase(db, str, filename, True, 0);
_XUnlockMutex(&db->linfo);
Xfree(str);
return db;
@@ -1695,7 +1701,7 @@ XrmCombineFileDatabase(
} else
db = NewDatabase();
_XLockMutex(&db->linfo);
- GetDatabase(db, str, filename, True);
+ GetDatabase(db, str, filename, True, 0);
_XUnlockMutex(&db->linfo);
Xfree(str);
if (!override)
diff --git a/libX11/src/locking.c b/libX11/src/locking.c
index b3dfb3b01..7c09c44d2 100644
--- a/libX11/src/locking.c
+++ b/libX11/src/locking.c
@@ -82,7 +82,7 @@ _Xthread_waiter(void)
struct _xthread_waiter *me;
if (!(me = TlsGetValue(_X_TlsIndex))) {
- me = (struct _xthread_waiter *)xmalloc(sizeof(struct _xthread_waiter));
+ me = xmalloc(sizeof(struct _xthread_waiter));
me->sem = CreateSemaphore(NULL, 0, 1, NULL);
me->next = NULL;
TlsSetValue(_X_TlsIndex, me);
@@ -249,7 +249,7 @@ static struct _XCVList *_XCreateCVL(
dpy->lock->free_cvls = cvl->next;
dpy->lock->num_free_cvls--;
} else {
- cvl = (struct _XCVList *)Xmalloc(sizeof(struct _XCVList));
+ cvl = Xmalloc(sizeof(struct _XCVList));
if (!cvl)
return NULL;
cvl->cv = xcondition_malloc();
@@ -512,10 +512,10 @@ void _XUserUnlockDisplay(
static int _XInitDisplayLock(
Display *dpy)
{
- dpy->lock_fns = (struct _XLockPtrs*)Xmalloc(sizeof(struct _XLockPtrs));
+ dpy->lock_fns = Xmalloc(sizeof(struct _XLockPtrs));
if (dpy->lock_fns == NULL)
return -1;
- dpy->lock = (struct _XLockInfo *)Xmalloc(sizeof(struct _XLockInfo));
+ dpy->lock = Xmalloc(sizeof(struct _XLockInfo));
if (dpy->lock == NULL) {
_XFreeDisplayLock(dpy);
return -1;
diff --git a/libX11/src/locking.h b/libX11/src/locking.h
index 96019fc91..5251a60c1 100644
--- a/libX11/src/locking.h
+++ b/libX11/src/locking.h
@@ -36,6 +36,8 @@ in this Software without prior written authorization from The Open Group.
#define xmalloc(s) Xmalloc(s)
#define xfree(s) Xfree(s)
+#include <X11/Xlib.h>
+#include <X11/Xlibint.h>
#include <X11/Xthreads.h>
struct _XCVList {
diff --git a/libX11/src/pathmax.h b/libX11/src/pathmax.h
new file mode 100644
index 000000000..3aa3d5097
--- /dev/null
+++ b/libX11/src/pathmax.h
@@ -0,0 +1,81 @@
+
+/***********************************************************
+
+Copyright 1987, 1988, 1998 The Open Group
+
+Permission to use, copy, modify, distribute, and sell this software and its
+documentation for any purpose is hereby granted without fee, provided that
+the above copyright notice appear in all copies and that both that
+copyright notice and this permission notice appear in supporting
+documentation.
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of The Open Group shall not be
+used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization from The Open Group.
+
+
+Copyright 1987, 1988 by Digital Equipment Corporation, Maynard, Massachusetts.
+
+ All Rights Reserved
+
+Permission to use, copy, modify, and distribute this software and its
+documentation for any purpose and without fee is hereby granted,
+provided that the above copyright notice appear in all copies and that
+both that copyright notice and this permission notice appear in
+supporting documentation, and that the name of Digital not be
+used in advertising or publicity pertaining to distribution of the
+software without specific, written prior permission.
+
+DIGITAL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
+ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
+DIGITAL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
+ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
+ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+SOFTWARE.
+
+******************************************************************/
+
+/*
+ * Provides a single definition of PATH_MAX instead of replicating this mess
+ * in multiple files
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <X11/Xos.h>
+
+#ifndef X_NOT_POSIX
+#ifdef _POSIX_SOURCE
+#include <limits.h>
+#else
+#define _POSIX_SOURCE
+#include <limits.h>
+#undef _POSIX_SOURCE
+#endif
+#endif
+#ifndef PATH_MAX
+#ifdef WIN32
+#define PATH_MAX 512
+#else
+#include <sys/param.h>
+#endif
+#ifndef PATH_MAX
+#ifdef MAXPATHLEN
+#define PATH_MAX MAXPATHLEN
+#else
+#define PATH_MAX 1024
+#endif
+#endif
+#endif
diff --git a/libX11/src/udcInf.c b/libX11/src/udcInf.c
index b7577ac96..9ecf1566e 100644
--- a/libX11/src/udcInf.c
+++ b/libX11/src/udcInf.c
@@ -145,12 +145,11 @@ int *num_codeset;
if(!_XlcCompareISOLatin1(charset_str,buf)){
num_ret += 1;
if(num_ret == 1){
- ret = (int *)Xmalloc(sizeof(int));
+ ret = Xmalloc(sizeof(int));
} else {
int *prev_ret = ret;
- ret =
- (int *)Xrealloc(ret,num_ret*sizeof(int));
+ ret = Xrealloc(ret, num_ret * sizeof(int));
if (ret == NULL){
Xfree(prev_ret);
}
@@ -272,7 +271,7 @@ int *num_gr;
sprintf(buf, "fs%d.charset.udc_area", codeset-1);
_XlcGetLocaleDataBase(lcd, "XLC_FONTSET", buf, &value, &count);
if(count > 0){
- udc = (_XUDCGlyphRegion *)Xmalloc(count * sizeof(_XUDCGlyphRegion));
+ udc = Xmalloc(count * sizeof(_XUDCGlyphRegion));
if(udc == NULL){
_xudc_utyerrno = 0x03 ;
_xudc_utyerrno |= (0x0b<<8) ;
@@ -524,7 +523,7 @@ int *num_cr;
return(ret);
}
- crr = (_XUDCCodeRegion *)Xmalloc(num_gr*sizeof(_XUDCCodeRegion));
+ crr = Xmalloc(num_gr * sizeof(_XUDCCodeRegion));
if(crr == NULL){
Xfree(gr);
_xudc_utyerrno = 0x03 ;
diff --git a/libX11/src/xcb_io.c b/libX11/src/xcb_io.c
index fa43cfa15..26e547ee5 100644
--- a/libX11/src/xcb_io.c
+++ b/libX11/src/xcb_io.c
@@ -19,6 +19,7 @@
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
@@ -760,3 +761,19 @@ void _XEatData(Display *dpy, unsigned long n)
dpy->xcb->reply_consumed += n;
_XFreeReplyData(dpy, False);
}
+
+/*
+ * Read and discard "n" 32-bit words of data
+ * Matches the units of the length field in X protocol replies, and provides
+ * a single implementation of overflow checking to avoid having to replicate
+ * those checks in every caller.
+ */
+void _XEatDataWords(Display *dpy, unsigned long n)
+{
+ if (n < ((INT_MAX - dpy->xcb->reply_consumed) >> 2))
+ dpy->xcb->reply_consumed += (n << 2);
+ else
+ /* Overflow would happen, so just eat the rest of the reply */
+ dpy->xcb->reply_consumed = dpy->xcb->reply_length;
+ _XFreeReplyData(dpy, False);
+}
diff --git a/libX11/src/xcms/cmsColNm.c b/libX11/src/xcms/cmsColNm.c
index a6749c02e..8d0d4a771 100644
--- a/libX11/src/xcms/cmsColNm.c
+++ b/libX11/src/xcms/cmsColNm.c
@@ -40,6 +40,7 @@
#include <sys/stat.h>
#include <stdio.h>
#include <ctype.h>
+#include <limits.h>
#define XK_LATIN1
#include <X11/keysymdef.h>
#include "Cv.h"
@@ -542,7 +543,10 @@ stringSectionSize(
char *pBuf;
char *f1;
char *f2;
- int i;
+ size_t i;
+
+ unsigned int numEntries = 0;
+ unsigned int sectionSize = 0;
*pNumEntries = 0;
*pSectionSize = 0;
@@ -576,26 +580,37 @@ stringSectionSize(
return(XcmsFailure);
}
- (*pNumEntries)++;
+ numEntries++;
+ if (numEntries >= INT_MAX)
+ return(XcmsFailure);
- (*pSectionSize) += (i = strlen(f1)) + 1;
+ i = strlen(f1);
+ if (i >= INT_MAX - sectionSize)
+ return(XcmsFailure);
+ sectionSize += i + 1;
for (; i; i--, f1++) {
/* REMOVE SPACES FROM COUNT */
if (isspace(*f1)) {
- (*pSectionSize)--;
+ sectionSize--;
}
}
- (*pSectionSize) += (i = strlen(f2)) + 1;
+ i = strlen(f2);
+ if (i >= INT_MAX - sectionSize)
+ return(XcmsFailure);
+ sectionSize += i + 1;
for (; i; i--, f2++) {
/* REMOVE SPACES FROM COUNT */
if (isspace(*f2)) {
- (*pSectionSize)--;
+ sectionSize--;
}
}
}
+ *pNumEntries = (int) numEntries;
+ *pSectionSize = (int) sectionSize;
+
return(XcmsSuccess);
}
diff --git a/libX11/src/xcms/cmsMath.c b/libX11/src/xcms/cmsMath.c
index 70b067587..487eb3f9c 100644
--- a/libX11/src/xcms/cmsMath.c
+++ b/libX11/src/xcms/cmsMath.c
@@ -35,6 +35,10 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include "Xcmsint.h"
+#ifdef DEBUG
+#include <stdio.h>
+#endif
+
#include <float.h>
#ifndef DBL_EPSILON
#define DBL_EPSILON 1e-6
diff --git a/libX11/src/xkb/XKBExtDev.c b/libX11/src/xkb/XKBExtDev.c
index 353e769bf..dd383bc10 100644
--- a/libX11/src/xkb/XKBExtDev.c
+++ b/libX11/src/xkb/XKBExtDev.c
@@ -181,6 +181,9 @@ int tmp;
return tmp;
}
if (rep->nBtnsWanted>0) {
+ if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted)
+ >= devi->num_btns)
+ goto BAILOUT;
act= &devi->btn_acts[rep->firstBtnWanted];
bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction)));
}
@@ -190,6 +193,9 @@ int tmp;
goto BAILOUT;
if (rep->nBtnsRtrn>0) {
int size;
+ if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn)
+ >= devi->num_btns)
+ goto BAILOUT;
act= &devi->btn_acts[rep->firstBtnRtrn];
size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc);
if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size))
diff --git a/libX11/src/xkb/XKBGeom.c b/libX11/src/xkb/XKBGeom.c
index 283bc6426..1116bc67f 100644
--- a/libX11/src/xkb/XKBGeom.c
+++ b/libX11/src/xkb/XKBGeom.c
@@ -360,12 +360,16 @@ Status rtrn;
}
ol->num_points= olWire->nPoints;
}
- if (shapeWire->primaryNdx!=XkbNoShape)
+ if ((shapeWire->primaryNdx!=XkbNoShape) &&
+ (shapeWire->primaryNdx < shapeWire->nOutlines))
shape->primary= &shape->outlines[shapeWire->primaryNdx];
- else shape->primary= NULL;
- if (shapeWire->approxNdx!=XkbNoShape)
+ else
+ shape->primary= NULL;
+ if ((shapeWire->approxNdx!=XkbNoShape) &&
+ (shapeWire->approxNdx < shapeWire->nOutlines))
shape->approx= &shape->outlines[shapeWire->approxNdx];
- else shape->approx= NULL;
+ else
+ shape->approx= NULL;
XkbComputeShapeBounds(shape);
}
return Success;
@@ -611,6 +615,9 @@ XkbGeometryPtr geom;
if (status==Success)
status= _XkbReadGeomKeyAliases(&buf,geom,rep);
left= _XkbFreeReadBuffer(&buf);
+ if ((rep->baseColorNdx > geom->num_colors) ||
+ (rep->labelColorNdx > geom->num_colors))
+ status = BadLength;
if ((status!=Success) || left || buf.error) {
if (status==Success)
status= BadLength;
diff --git a/libX11/src/xkb/XKBGetMap.c b/libX11/src/xkb/XKBGetMap.c
index 82ae0219e..738fbc38f 100644
--- a/libX11/src/xkb/XKBGetMap.c
+++ b/libX11/src/xkb/XKBGetMap.c
@@ -179,9 +179,12 @@ XkbClientMapPtr map;
map= xkb->map;
if (map->key_sym_map==NULL) {
register int offset;
+ int size = xkb->max_key_code + 1;
XkbSymMapPtr oldMap;
xkbSymMapWireDesc *newMap;
- map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec);
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
+ return BadLength;
+ map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec);
if (map->key_sym_map==NULL)
return BadAlloc;
if (map->syms==NULL) {
@@ -237,6 +240,8 @@ XkbClientMapPtr map;
KeySym * newSyms;
int tmp;
+ if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms)
+ return BadLength;
oldMap = &map->key_sym_map[rep->firstKeySym];
for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) {
newMap= (xkbSymMapWireDesc *)
@@ -292,6 +297,10 @@ Status ret = Success;
symMap = &info->map->key_sym_map[rep->firstKeyAct];
for (i=0;i<(int)rep->nKeyActs;i++,symMap++) {
if (numDesc[i]==0) {
+ if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) {
+ ret = BadLength;
+ goto done;
+ }
info->server->key_acts[i+rep->firstKeyAct]= 0;
}
else {
@@ -324,8 +333,10 @@ register int i;
xkbBehaviorWireDesc *wire;
if ( rep->totalKeyBehaviors>0 ) {
+ int size = xkb->max_key_code + 1;
+ if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size)
+ return BadLength;
if ( xkb->server->behaviors == NULL ) {
- int size = xkb->max_key_code+1;
xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior);
if (xkb->server->behaviors==NULL)
return BadAlloc;
@@ -337,7 +348,7 @@ xkbBehaviorWireDesc *wire;
for (i=0;i<rep->totalKeyBehaviors;i++) {
wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf,
SIZEOF(xkbBehaviorWireDesc));
- if (wire==NULL)
+ if (wire==NULL || wire->key >= size)
return BadLength;
xkb->server->behaviors[wire->key].type= wire->type;
xkb->server->behaviors[wire->key].data= wire->data;
@@ -379,8 +390,10 @@ register int i;
unsigned char *wire;
if ( rep->totalKeyExplicit>0 ) {
+ int size = xkb->max_key_code + 1;
+ if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size)
+ return BadLength;
if ( xkb->server->explicit == NULL ) {
- int size = xkb->max_key_code+1;
xkb->server->explicit = _XkbTypedCalloc(size,unsigned char);
if (xkb->server->explicit==NULL)
return BadAlloc;
@@ -394,6 +407,8 @@ unsigned char *wire;
if (!wire)
return BadLength;
for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) {
+ if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+ return BadLength;
xkb->server->explicit[wire[0]]= wire[1];
}
}
@@ -407,6 +422,9 @@ register int i;
unsigned char *wire;
if ( rep->totalModMapKeys>0 ) {
+ if ( ((int)rep->firstModMapKey + rep->nModMapKeys) >
+ (xkb->max_key_code + 1))
+ return BadLength;
if ((xkb->map->modmap==NULL)&&
(XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) {
return BadAlloc;
@@ -419,6 +437,8 @@ unsigned char *wire;
if (!wire)
return BadLength;
for (i=0;i<rep->totalModMapKeys;i++,wire+=2) {
+ if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+ return BadLength;
xkb->map->modmap[wire[0]]= wire[1];
}
}
@@ -433,6 +453,9 @@ xkbVModMapWireDesc * wire;
XkbServerMapPtr srv;
if ( rep->totalVModMapKeys>0 ) {
+ if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
+ > xkb->max_key_code + 1)
+ return BadLength;
if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
(XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
return BadAlloc;
@@ -489,6 +512,8 @@ unsigned mask;
if ( xkb->device_spec == XkbUseCoreKbd )
xkb->device_spec= rep->deviceID;
+ if ( rep->maxKeyCode < rep->minKeyCode )
+ return BadImplementation;
xkb->min_key_code = rep->minKeyCode;
xkb->max_key_code = rep->maxKeyCode;
diff --git a/libX11/src/xkb/XKBNames.c b/libX11/src/xkb/XKBNames.c
index 0276c05b3..3a8860be7 100644
--- a/libX11/src/xkb/XKBNames.c
+++ b/libX11/src/xkb/XKBNames.c
@@ -180,6 +180,8 @@ _XkbReadGetNamesReply( Display * dpy,
nKeys= xkb->max_key_code+1;
names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
}
+ if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
+ goto BAILOUT;
if (names->keys!=NULL) {
if (!_XkbCopyFromReadBuffer(&buf,
(char *)&names->keys[rep->firstKey],
diff --git a/libX11/src/xlibi18n/lcFile.c b/libX11/src/xlibi18n/lcFile.c
index 576a61124..51fe8bf1c 100644
--- a/libX11/src/xlibi18n/lcFile.c
+++ b/libX11/src/xlibi18n/lcFile.c
@@ -54,29 +54,7 @@
#define XLC_BUFSIZE 256
-#ifndef X_NOT_POSIX
-#ifdef _POSIX_SOURCE
-#include <limits.h>
-#else
-#define _POSIX_SOURCE
-#include <limits.h>
-#undef _POSIX_SOURCE
-#endif
-#endif
-#ifndef PATH_MAX
-#ifdef WIN32
-#define PATH_MAX 512
-#else
-#include <sys/param.h>
-#endif
-#ifndef PATH_MAX
-#ifdef MAXPATHLEN
-#define PATH_MAX MAXPATHLEN
-#else
-#define PATH_MAX 1024
-#endif
-#endif
-#endif
+#include "pathmax.h"
#define NUM_LOCALEDIR 64