diff options
Diffstat (limited to 'libXext/src')
| -rw-r--r-- | libXext/src/Makefile.am | 1 | ||||
| -rw-r--r-- | libXext/src/XEVI.c | 29 | ||||
| -rw-r--r-- | libXext/src/XMultibuf.c | 3 | ||||
| -rw-r--r-- | libXext/src/XSecurity.c | 3 | ||||
| -rw-r--r-- | libXext/src/XShape.c | 27 | ||||
| -rw-r--r-- | libXext/src/XSync.c | 35 | ||||
| -rw-r--r-- | libXext/src/Xcup.c | 49 | ||||
| -rw-r--r-- | libXext/src/Xdbe.c | 27 | ||||
| -rw-r--r-- | libXext/src/eat.h | 40 |
9 files changed, 152 insertions, 62 deletions
diff --git a/libXext/src/Makefile.am b/libXext/src/Makefile.am index e236c3345..b8285470a 100644 --- a/libXext/src/Makefile.am +++ b/libXext/src/Makefile.am @@ -12,6 +12,7 @@ libXext_la_LDFLAGS = -version-number $(XEXT_SOREV) -no-undefined libXext_la_LIBADD = $(XEXT_LIBS) libXext_la_SOURCES = \ + eat.h \ DPMS.c \ MITMisc.c \ XAppgroup.c \ diff --git a/libXext/src/XEVI.c b/libXext/src/XEVI.c index eb09daa9a..5a9558364 100644 --- a/libXext/src/XEVI.c +++ b/libXext/src/XEVI.c @@ -30,6 +30,9 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> #include <X11/Xutil.h> +#include <limits.h> +#include "eat.h" + static XExtensionInfo *xevi_info;/* needs to move to globals.c */ static const char *xevi_extension_name = EVINAME; #define XeviCheckExtension(dpy,i,val) \ @@ -163,15 +166,22 @@ Status XeviGetVisualInfo( return BadAccess; } Xfree(temp_visual); - sz_info = rep.n_info * sizeof(ExtendedVisualInfo); - sz_xInfo = rep.n_info * sz_xExtendedVisualInfo; - sz_conflict = rep.n_conflicts * sizeof(VisualID); - sz_xConflict = rep.n_conflicts * sz_VisualID32; - infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict); - xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo); - xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict); + if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) { + sz_info = rep.n_info * sizeof(ExtendedVisualInfo); + sz_xInfo = rep.n_info * sz_xExtendedVisualInfo; + sz_conflict = rep.n_conflicts * sizeof(VisualID); + sz_xConflict = rep.n_conflicts * sz_VisualID32; + *evi_return = Xmalloc(sz_info + sz_conflict); + temp_xInfo = Xmalloc(sz_xInfo); + temp_conflict = Xmalloc(sz_xConflict); + } else { + sz_xInfo = sz_xConflict = 0; + *evi_return = NULL; + temp_xInfo = NULL; + temp_conflict = NULL; + } if (!*evi_return || !temp_xInfo || !temp_conflict) { - _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); if (evi_return) @@ -186,6 +196,9 @@ Status XeviGetVisualInfo( _XRead(dpy, (char *)temp_conflict, sz_xConflict); UnlockDisplay(dpy); SyncHandle(); + infoPtr = *evi_return; + xInfoPtr = temp_xInfo; + xConflictPtr = temp_conflict; n_data = rep.n_info; conflict = (VisualID *)(infoPtr + n_data); while (n_data-- > 0) { diff --git a/libXext/src/XMultibuf.c b/libXext/src/XMultibuf.c index 7a746bac5..43d56d3eb 100644 --- a/libXext/src/XMultibuf.c +++ b/libXext/src/XMultibuf.c @@ -34,6 +34,7 @@ in this Software without prior written authorization from The Open Group. #include <X11/extensions/extutil.h> #include <X11/extensions/multibufproto.h> #include <X11/extensions/multibuf.h> +#include "eat.h" static XExtensionInfo _multibuf_info_data; static XExtensionInfo *multibuf_info = &_multibuf_info_data; @@ -408,7 +409,7 @@ Status XmbufGetWindowAttributes ( attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes); nbytes = rep.length << 2; if (! attr->buffers) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (0); diff --git a/libXext/src/XSecurity.c b/libXext/src/XSecurity.c index f8c7da13b..ab17755c8 100644 --- a/libXext/src/XSecurity.c +++ b/libXext/src/XSecurity.c @@ -33,6 +33,7 @@ in this Software without prior written authorization from The Open Group. #include <X11/extensions/extutil.h> #include <X11/extensions/securproto.h> #include <X11/extensions/security.h> +#include "eat.h" static XExtensionInfo _Security_info_data; static XExtensionInfo *Security_info = &_Security_info_data; @@ -282,7 +283,7 @@ XSecurityGenerateAuthorization( } else { - _XEatData(dpy, (unsigned long) (rep.dataLength + 3) & ~3); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); diff --git a/libXext/src/XShape.c b/libXext/src/XShape.c index 6e8fbae9f..d02502004 100644 --- a/libXext/src/XShape.c +++ b/libXext/src/XShape.c @@ -35,6 +35,8 @@ in this Software without prior written authorization from The Open Group. #include <X11/extensions/extutil.h> #include <X11/extensions/shape.h> #include <X11/extensions/shapeproto.h> +#include <limits.h> +#include "eat.h" static XExtensionInfo _shape_info_data; static XExtensionInfo *shape_info = &_shape_info_data; @@ -442,7 +444,7 @@ XRectangle *XShapeGetRectangles ( xShapeGetRectanglesReply rep; XRectangle *rects; xRectangle *xrects; - int i; + unsigned int i; ShapeCheckExtension (dpy, info, (XRectangle *)NULL); @@ -460,20 +462,23 @@ XRectangle *XShapeGetRectangles ( *count = rep.nrects; *ordering = rep.ordering; rects = NULL; - if (*count) { - xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle)); - rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle)); + if (rep.nrects) { + if (rep.nrects < (INT_MAX / sizeof (XRectangle))) { + xrects = Xmalloc (rep.nrects * sizeof (xRectangle)); + rects = Xmalloc (rep.nrects * sizeof (XRectangle)); + } else { + xrects = NULL; + rects = NULL; + } if (!xrects || !rects) { - if (xrects) - Xfree (xrects); - if (rects) - Xfree (rects); - _XEatData (dpy, *count * sizeof (xRectangle)); + Xfree (xrects); + Xfree (rects); + _XEatDataWords (dpy, rep.length); rects = NULL; *count = 0; } else { - _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle)); - for (i = 0; i < *count; i++) { + _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle)); + for (i = 0; i < rep.nrects; i++) { rects[i].x = (short) cvtINT16toInt (xrects[i].x); rects[i].y = (short) cvtINT16toInt (xrects[i].y); rects[i].width = xrects[i].width; diff --git a/libXext/src/XSync.c b/libXext/src/XSync.c index 577529388..ce4ab44d9 100644 --- a/libXext/src/XSync.c +++ b/libXext/src/XSync.c @@ -59,6 +59,8 @@ PERFORMANCE OF THIS SOFTWARE. #include <X11/extensions/extutil.h> #include <X11/extensions/sync.h> #include <X11/extensions/syncproto.h> +#include <limits.h> +#include "eat.h" static XExtensionInfo _sync_info_data; static XExtensionInfo *sync_info = &_sync_info_data; @@ -351,20 +353,29 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return) if (rep.nCounters > 0) { xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter; + xSyncSystemCounter *pLastWireSysCounter; XSyncCounter counter; - int replylen; + unsigned int replylen; int i; - list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter)); - replylen = rep.length << 2; - pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter)); - /* +1 to leave room for last counter read-ahead */ + if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter))) + list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter)); + if (rep.length < (INT_MAX >> 2)) { + replylen = rep.length << 2; + pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter)); + /* +1 to leave room for last counter read-ahead */ + pLastWireSysCounter = (xSyncSystemCounter *) + ((char *)pWireSysCounter) + replylen; + } else { + replylen = 0; + pWireSysCounter = NULL; + } if ((!list) || (!pWireSysCounter)) { - if (list) Xfree((char *) list); - if (pWireSysCounter) Xfree((char *) pWireSysCounter); - _XEatData(dpy, (unsigned long) replylen); + Xfree(list); + Xfree(pWireSysCounter); + _XEatDataWords(dpy, rep.length); list = NULL; goto bail; } @@ -387,6 +398,14 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return) pNextWireSysCounter = (xSyncSystemCounter *) (((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) + pWireSysCounter->name_length + 3) & ~3)); + /* Make sure we haven't gone too far */ + if (pNextWireSysCounter > pLastWireSysCounter) { + Xfree(list); + Xfree(pWireSysCounter); + list = NULL; + goto bail; + } + counter = pNextWireSysCounter->counter; list[i].name = ((char *)pWireSysCounter) + diff --git a/libXext/src/Xcup.c b/libXext/src/Xcup.c index bb9e90f7e..cdc64c2a3 100644 --- a/libXext/src/Xcup.c +++ b/libXext/src/Xcup.c @@ -36,6 +36,8 @@ in this Software without prior written authorization from The Open Group. #include <X11/extensions/cupproto.h> #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> +#include <limits.h> +#include "eat.h" static XExtensionInfo _xcup_info_data; static XExtensionInfo *xcup_info = &_xcup_info_data; @@ -133,18 +135,22 @@ XcupGetReservedColormapEntries( req->xcupReqType = X_XcupGetReservedColormapEntries; req->screen = screen; if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - long nbytes; + unsigned long nbytes; xColorItem* rbufp; - int nentries = rep.length / 3; + unsigned int nentries = rep.length / 3; - nbytes = nentries * SIZEOF (xColorItem); - if (nentries > TYP_RESERVED_ENTRIES) - rbufp = (xColorItem*) Xmalloc (nbytes); - else - rbufp = rbuf; + if (nentries < (INT_MAX / SIZEOF (xColorItem))) { + nbytes = nentries * SIZEOF (xColorItem); + + if (nentries > TYP_RESERVED_ENTRIES) + rbufp = Xmalloc (nbytes); + else + rbufp = rbuf; + } else + rbufp = NULL; if (rbufp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; @@ -213,27 +219,24 @@ XcupStoreColors( } if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - long nbytes; + unsigned long nbytes; xColorItem* rbufp; xColorItem* cs; - int nentries = rep.length / 3; - - nbytes = nentries * SIZEOF (xColorItem); + unsigned int nentries = rep.length / 3; - if (nentries != ncolors) { - _XEatData (dpy, (unsigned long) nbytes); - UnlockDisplay (dpy); - SyncHandle (); - return False; - } + if ((nentries == ncolors) && + (nentries < (INT_MAX / SIZEOF (xColorItem)))) { + nbytes = nentries * SIZEOF (xColorItem); - if (ncolors > 256) - rbufp = (xColorItem*) Xmalloc (nbytes); - else - rbufp = rbuf; + if (ncolors > 256) + rbufp = Xmalloc (nbytes); + else + rbufp = rbuf; + } else + rbufp = NULL; if (rbufp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; diff --git a/libXext/src/Xdbe.c b/libXext/src/Xdbe.c index 4b5fa186c..016886c58 100644 --- a/libXext/src/Xdbe.c +++ b/libXext/src/Xdbe.c @@ -39,6 +39,8 @@ #include <X11/extensions/extutil.h> #include <X11/extensions/Xdbe.h> #include <X11/extensions/dbeproto.h> +#include <limits.h> +#include "eat.h" static XExtensionInfo _dbe_info_data; static XExtensionInfo *dbe_info = &_dbe_info_data; @@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo ( *num_screens = rep.m; /* allocate list of visual information to be returned */ - if (!(scrVisInfo = - (XdbeScreenVisualInfo *)Xmalloc( - (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) { + if ((*num_screens > 0) && (*num_screens < 65536)) + scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo)); + else + scrVisInfo = NULL; + if (scrVisInfo == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; @@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo ( for (i = 0; i < *num_screens; i++) { - int nbytes; int j; - long c; + unsigned long c; - _XRead32 (dpy, &c, sizeof(CARD32)); - scrVisInfo[i].count = c; + _XRead32 (dpy, (long *) &c, sizeof(CARD32)); - nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo); + if (c < 65536) { + scrVisInfo[i].count = c; + scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo)); + } else + scrVisInfo[i].visinfo = NULL; /* if we can not allocate the list of visual/depth info * then free the lists that we already allocate as well * as the visual info list itself */ - if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc( - (unsigned)nbytes))) { + if (scrVisInfo[i].visinfo == NULL) { for (j = 0; j < i; j++) { Xfree ((char *)scrVisInfo[j].visinfo); } Xfree ((char *)scrVisInfo); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; diff --git a/libXext/src/eat.h b/libXext/src/eat.h new file mode 100644 index 000000000..239532b6d --- /dev/null +++ b/libXext/src/eat.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#ifndef HAVE__XEATDATAWORDS +#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ +#include <limits.h> + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif |