diff options
Diffstat (limited to 'libX11')
-rw-r--r-- | libX11/specs/libX11/AppC.xml | 4 | ||||
-rw-r--r-- | libX11/src/Host.c | 8 | ||||
-rw-r--r-- | libX11/src/ModMap.c | 10 | ||||
-rw-r--r-- | libX11/src/XlibInt.c | 8 |
4 files changed, 26 insertions, 4 deletions
diff --git a/libX11/specs/libX11/AppC.xml b/libX11/specs/libX11/AppC.xml index df250275e..0b37048f1 100644 --- a/libX11/specs/libX11/AppC.xml +++ b/libX11/specs/libX11/AppC.xml @@ -2468,7 +2468,9 @@ which is the same as <function>GetReq</function> except that it takes an additional argument (the number of extra bytes to allocate in the output buffer after the request structure). -This number should always be a multiple of four. +This number should always be a multiple of four. Note that it is possible +for req to be set to NULL as a defensive measure if the requested length +exceeds the Xlib's buffer size (normally 16K). </para> </sect2> <sect2 id="Variable_Length_Arguments"> diff --git a/libX11/src/Host.c b/libX11/src/Host.c index da9923a9e..da5e2f7d3 100644 --- a/libX11/src/Host.c +++ b/libX11/src/Host.c @@ -83,6 +83,10 @@ XAddHost ( LockDisplay(dpy); GetReqExtra (ChangeHosts, length, req); + if (!req) { + UnlockDisplay(dpy); + return 0; + } req->mode = HostInsert; req->hostFamily = host->family; req->hostLength = addrlen; @@ -118,6 +122,10 @@ XRemoveHost ( LockDisplay(dpy); GetReqExtra (ChangeHosts, length, req); + if (!req) { + UnlockDisplay(dpy); + return 0; + } req->mode = HostDelete; req->hostFamily = host->family; req->hostLength = addrlen; diff --git a/libX11/src/ModMap.c b/libX11/src/ModMap.c index 04cd676eb..836a67621 100644 --- a/libX11/src/ModMap.c +++ b/libX11/src/ModMap.c @@ -65,9 +65,9 @@ XGetModifierMapping(register Display *dpy) /* * Returns: - * 0 Success - * 1 Busy - one or more old or new modifiers are down - * 2 Failed - one or more new modifiers unacceptable + * MappingSuccess (0) Success + * MappingBusy (1) Busy - one or more old or new modifiers are down + * MappingFailed (2) Failed - one or more new modifiers unacceptable */ int XSetModifierMapping( @@ -80,6 +80,10 @@ XSetModifierMapping( LockDisplay(dpy); GetReqExtra(SetModifierMapping, mapSize, req); + if (!req) { + UnlockDisplay(dpy); + return MappingFailed; + } req->numKeyPerModifier = modifier_map->max_keypermod; diff --git a/libX11/src/XlibInt.c b/libX11/src/XlibInt.c index 8a51f49c4..5d8b0eb4b 100644 --- a/libX11/src/XlibInt.c +++ b/libX11/src/XlibInt.c @@ -1753,6 +1753,14 @@ void *_XGetRequest(Display *dpy, CARD8 type, size_t len) if (dpy->bufptr + len > dpy->bufmax) _XFlush(dpy); + /* Request still too large, so do not allow it to overflow. */ + if (dpy->bufptr + len > dpy->bufmax) { + fprintf(stderr, + "Xlib: request %d length %zd would exceed buffer size.\n", + type, len); + /* Changes failure condition from overflow to NULL dereference. */ + return NULL; + } if (len % 4) fprintf(stderr, |