aboutsummaryrefslogtreecommitdiff
path: root/libXext/src
diff options
context:
space:
mode:
Diffstat (limited to 'libXext/src')
-rw-r--r--libXext/src/Makefile.am1
-rw-r--r--libXext/src/XEVI.c29
-rw-r--r--libXext/src/XMultibuf.c3
-rw-r--r--libXext/src/XSecurity.c3
-rw-r--r--libXext/src/XShape.c27
-rw-r--r--libXext/src/XSync.c35
-rw-r--r--libXext/src/Xcup.c49
-rw-r--r--libXext/src/Xdbe.c27
-rw-r--r--libXext/src/eat.h40
9 files changed, 152 insertions, 62 deletions
diff --git a/libXext/src/Makefile.am b/libXext/src/Makefile.am
index e236c3345..b8285470a 100644
--- a/libXext/src/Makefile.am
+++ b/libXext/src/Makefile.am
@@ -12,6 +12,7 @@ libXext_la_LDFLAGS = -version-number $(XEXT_SOREV) -no-undefined
libXext_la_LIBADD = $(XEXT_LIBS)
libXext_la_SOURCES = \
+ eat.h \
DPMS.c \
MITMisc.c \
XAppgroup.c \
diff --git a/libXext/src/XEVI.c b/libXext/src/XEVI.c
index eb09daa9a..5a9558364 100644
--- a/libXext/src/XEVI.c
+++ b/libXext/src/XEVI.c
@@ -30,6 +30,9 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include <X11/Xutil.h>
+#include <limits.h>
+#include "eat.h"
+
static XExtensionInfo *xevi_info;/* needs to move to globals.c */
static const char *xevi_extension_name = EVINAME;
#define XeviCheckExtension(dpy,i,val) \
@@ -163,15 +166,22 @@ Status XeviGetVisualInfo(
return BadAccess;
}
Xfree(temp_visual);
- sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
- sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
- sz_conflict = rep.n_conflicts * sizeof(VisualID);
- sz_xConflict = rep.n_conflicts * sz_VisualID32;
- infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict);
- xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
- xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
+ if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) {
+ sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
+ sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
+ sz_conflict = rep.n_conflicts * sizeof(VisualID);
+ sz_xConflict = rep.n_conflicts * sz_VisualID32;
+ *evi_return = Xmalloc(sz_info + sz_conflict);
+ temp_xInfo = Xmalloc(sz_xInfo);
+ temp_conflict = Xmalloc(sz_xConflict);
+ } else {
+ sz_xInfo = sz_xConflict = 0;
+ *evi_return = NULL;
+ temp_xInfo = NULL;
+ temp_conflict = NULL;
+ }
if (!*evi_return || !temp_xInfo || !temp_conflict) {
- _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
if (evi_return)
@@ -186,6 +196,9 @@ Status XeviGetVisualInfo(
_XRead(dpy, (char *)temp_conflict, sz_xConflict);
UnlockDisplay(dpy);
SyncHandle();
+ infoPtr = *evi_return;
+ xInfoPtr = temp_xInfo;
+ xConflictPtr = temp_conflict;
n_data = rep.n_info;
conflict = (VisualID *)(infoPtr + n_data);
while (n_data-- > 0) {
diff --git a/libXext/src/XMultibuf.c b/libXext/src/XMultibuf.c
index 7a746bac5..43d56d3eb 100644
--- a/libXext/src/XMultibuf.c
+++ b/libXext/src/XMultibuf.c
@@ -34,6 +34,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/extensions/extutil.h>
#include <X11/extensions/multibufproto.h>
#include <X11/extensions/multibuf.h>
+#include "eat.h"
static XExtensionInfo _multibuf_info_data;
static XExtensionInfo *multibuf_info = &_multibuf_info_data;
@@ -408,7 +409,7 @@ Status XmbufGetWindowAttributes (
attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes);
nbytes = rep.length << 2;
if (! attr->buffers) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (0);
diff --git a/libXext/src/XSecurity.c b/libXext/src/XSecurity.c
index f8c7da13b..ab17755c8 100644
--- a/libXext/src/XSecurity.c
+++ b/libXext/src/XSecurity.c
@@ -33,6 +33,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/extensions/extutil.h>
#include <X11/extensions/securproto.h>
#include <X11/extensions/security.h>
+#include "eat.h"
static XExtensionInfo _Security_info_data;
static XExtensionInfo *Security_info = &_Security_info_data;
@@ -282,7 +283,7 @@ XSecurityGenerateAuthorization(
}
else
{
- _XEatData(dpy, (unsigned long) (rep.dataLength + 3) & ~3);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
diff --git a/libXext/src/XShape.c b/libXext/src/XShape.c
index 6e8fbae9f..d02502004 100644
--- a/libXext/src/XShape.c
+++ b/libXext/src/XShape.c
@@ -35,6 +35,8 @@ in this Software without prior written authorization from The Open Group.
#include <X11/extensions/extutil.h>
#include <X11/extensions/shape.h>
#include <X11/extensions/shapeproto.h>
+#include <limits.h>
+#include "eat.h"
static XExtensionInfo _shape_info_data;
static XExtensionInfo *shape_info = &_shape_info_data;
@@ -442,7 +444,7 @@ XRectangle *XShapeGetRectangles (
xShapeGetRectanglesReply rep;
XRectangle *rects;
xRectangle *xrects;
- int i;
+ unsigned int i;
ShapeCheckExtension (dpy, info, (XRectangle *)NULL);
@@ -460,20 +462,23 @@ XRectangle *XShapeGetRectangles (
*count = rep.nrects;
*ordering = rep.ordering;
rects = NULL;
- if (*count) {
- xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle));
- rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle));
+ if (rep.nrects) {
+ if (rep.nrects < (INT_MAX / sizeof (XRectangle))) {
+ xrects = Xmalloc (rep.nrects * sizeof (xRectangle));
+ rects = Xmalloc (rep.nrects * sizeof (XRectangle));
+ } else {
+ xrects = NULL;
+ rects = NULL;
+ }
if (!xrects || !rects) {
- if (xrects)
- Xfree (xrects);
- if (rects)
- Xfree (rects);
- _XEatData (dpy, *count * sizeof (xRectangle));
+ Xfree (xrects);
+ Xfree (rects);
+ _XEatDataWords (dpy, rep.length);
rects = NULL;
*count = 0;
} else {
- _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle));
- for (i = 0; i < *count; i++) {
+ _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle));
+ for (i = 0; i < rep.nrects; i++) {
rects[i].x = (short) cvtINT16toInt (xrects[i].x);
rects[i].y = (short) cvtINT16toInt (xrects[i].y);
rects[i].width = xrects[i].width;
diff --git a/libXext/src/XSync.c b/libXext/src/XSync.c
index 577529388..ce4ab44d9 100644
--- a/libXext/src/XSync.c
+++ b/libXext/src/XSync.c
@@ -59,6 +59,8 @@ PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/extutil.h>
#include <X11/extensions/sync.h>
#include <X11/extensions/syncproto.h>
+#include <limits.h>
+#include "eat.h"
static XExtensionInfo _sync_info_data;
static XExtensionInfo *sync_info = &_sync_info_data;
@@ -351,20 +353,29 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
if (rep.nCounters > 0)
{
xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter;
+ xSyncSystemCounter *pLastWireSysCounter;
XSyncCounter counter;
- int replylen;
+ unsigned int replylen;
int i;
- list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
- replylen = rep.length << 2;
- pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter));
- /* +1 to leave room for last counter read-ahead */
+ if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter)))
+ list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
+ if (rep.length < (INT_MAX >> 2)) {
+ replylen = rep.length << 2;
+ pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter));
+ /* +1 to leave room for last counter read-ahead */
+ pLastWireSysCounter = (xSyncSystemCounter *)
+ ((char *)pWireSysCounter) + replylen;
+ } else {
+ replylen = 0;
+ pWireSysCounter = NULL;
+ }
if ((!list) || (!pWireSysCounter))
{
- if (list) Xfree((char *) list);
- if (pWireSysCounter) Xfree((char *) pWireSysCounter);
- _XEatData(dpy, (unsigned long) replylen);
+ Xfree(list);
+ Xfree(pWireSysCounter);
+ _XEatDataWords(dpy, rep.length);
list = NULL;
goto bail;
}
@@ -387,6 +398,14 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
pNextWireSysCounter = (xSyncSystemCounter *)
(((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) +
pWireSysCounter->name_length + 3) & ~3));
+ /* Make sure we haven't gone too far */
+ if (pNextWireSysCounter > pLastWireSysCounter) {
+ Xfree(list);
+ Xfree(pWireSysCounter);
+ list = NULL;
+ goto bail;
+ }
+
counter = pNextWireSysCounter->counter;
list[i].name = ((char *)pWireSysCounter) +
diff --git a/libXext/src/Xcup.c b/libXext/src/Xcup.c
index bb9e90f7e..cdc64c2a3 100644
--- a/libXext/src/Xcup.c
+++ b/libXext/src/Xcup.c
@@ -36,6 +36,8 @@ in this Software without prior written authorization from The Open Group.
#include <X11/extensions/cupproto.h>
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
+#include "eat.h"
static XExtensionInfo _xcup_info_data;
static XExtensionInfo *xcup_info = &_xcup_info_data;
@@ -133,18 +135,22 @@ XcupGetReservedColormapEntries(
req->xcupReqType = X_XcupGetReservedColormapEntries;
req->screen = screen;
if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- long nbytes;
+ unsigned long nbytes;
xColorItem* rbufp;
- int nentries = rep.length / 3;
+ unsigned int nentries = rep.length / 3;
- nbytes = nentries * SIZEOF (xColorItem);
- if (nentries > TYP_RESERVED_ENTRIES)
- rbufp = (xColorItem*) Xmalloc (nbytes);
- else
- rbufp = rbuf;
+ if (nentries < (INT_MAX / SIZEOF (xColorItem))) {
+ nbytes = nentries * SIZEOF (xColorItem);
+
+ if (nentries > TYP_RESERVED_ENTRIES)
+ rbufp = Xmalloc (nbytes);
+ else
+ rbufp = rbuf;
+ } else
+ rbufp = NULL;
if (rbufp == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return False;
@@ -213,27 +219,24 @@ XcupStoreColors(
}
if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- long nbytes;
+ unsigned long nbytes;
xColorItem* rbufp;
xColorItem* cs;
- int nentries = rep.length / 3;
-
- nbytes = nentries * SIZEOF (xColorItem);
+ unsigned int nentries = rep.length / 3;
- if (nentries != ncolors) {
- _XEatData (dpy, (unsigned long) nbytes);
- UnlockDisplay (dpy);
- SyncHandle ();
- return False;
- }
+ if ((nentries == ncolors) &&
+ (nentries < (INT_MAX / SIZEOF (xColorItem)))) {
+ nbytes = nentries * SIZEOF (xColorItem);
- if (ncolors > 256)
- rbufp = (xColorItem*) Xmalloc (nbytes);
- else
- rbufp = rbuf;
+ if (ncolors > 256)
+ rbufp = Xmalloc (nbytes);
+ else
+ rbufp = rbuf;
+ } else
+ rbufp = NULL;
if (rbufp == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return False;
diff --git a/libXext/src/Xdbe.c b/libXext/src/Xdbe.c
index 4b5fa186c..016886c58 100644
--- a/libXext/src/Xdbe.c
+++ b/libXext/src/Xdbe.c
@@ -39,6 +39,8 @@
#include <X11/extensions/extutil.h>
#include <X11/extensions/Xdbe.h>
#include <X11/extensions/dbeproto.h>
+#include <limits.h>
+#include "eat.h"
static XExtensionInfo _dbe_info_data;
static XExtensionInfo *dbe_info = &_dbe_info_data;
@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
*num_screens = rep.m;
/* allocate list of visual information to be returned */
- if (!(scrVisInfo =
- (XdbeScreenVisualInfo *)Xmalloc(
- (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) {
+ if ((*num_screens > 0) && (*num_screens < 65536))
+ scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo));
+ else
+ scrVisInfo = NULL;
+ if (scrVisInfo == NULL) {
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
for (i = 0; i < *num_screens; i++)
{
- int nbytes;
int j;
- long c;
+ unsigned long c;
- _XRead32 (dpy, &c, sizeof(CARD32));
- scrVisInfo[i].count = c;
+ _XRead32 (dpy, (long *) &c, sizeof(CARD32));
- nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo);
+ if (c < 65536) {
+ scrVisInfo[i].count = c;
+ scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo));
+ } else
+ scrVisInfo[i].visinfo = NULL;
/* if we can not allocate the list of visual/depth info
* then free the lists that we already allocate as well
* as the visual info list itself
*/
- if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc(
- (unsigned)nbytes))) {
+ if (scrVisInfo[i].visinfo == NULL) {
for (j = 0; j < i; j++) {
Xfree ((char *)scrVisInfo[j].visinfo);
}
Xfree ((char *)scrVisInfo);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
diff --git a/libXext/src/eat.h b/libXext/src/eat.h
new file mode 100644
index 000000000..239532b6d
--- /dev/null
+++ b/libXext/src/eat.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif