aboutsummaryrefslogtreecommitdiff
path: root/libXrender/src/Filter.c
diff options
context:
space:
mode:
Diffstat (limited to 'libXrender/src/Filter.c')
-rw-r--r--libXrender/src/Filter.c53
1 files changed, 32 insertions, 21 deletions
diff --git a/libXrender/src/Filter.c b/libXrender/src/Filter.c
index 3ac660a40..edfa57231 100644
--- a/libXrender/src/Filter.c
+++ b/libXrender/src/Filter.c
@@ -25,7 +25,8 @@
#include <config.h>
#endif
#include "Xrenderint.h"
-
+#include <limits.h>
+
XFilters *
XRenderQueryFilters (Display *dpy, Drawable drawable)
{
@@ -37,8 +38,8 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
char *name;
char len;
int i;
- long nbytes, nbytesAlias, nbytesName;
-
+ unsigned long nbytes, nbytesAlias, nbytesName;
+
if (!RenderHasExtension (info))
return NULL;
@@ -48,7 +49,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
xri = info->info;
if (xri->minor_version < 6)
return NULL;
-
+
LockDisplay (dpy);
GetReq (RenderQueryFilters, req);
req->reqType = info->codes->major_opcode;
@@ -60,26 +61,36 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
SyncHandle ();
return NULL;
}
+
/*
- * Compute total number of bytes for filter names
- */
- nbytes = (long)rep.length << 2;
- nbytesAlias = rep.numAliases * 2;
- if (rep.numAliases & 1)
- nbytesAlias += 2;
- nbytesName = nbytes - nbytesAlias;
-
- /*
- * Allocate one giant block for the whole data structure
+ * Limit each component of combined size to 1/4 the max, which is far
+ * more than they should ever possibly need.
*/
- filters = Xmalloc (sizeof (XFilters) +
- rep.numFilters * sizeof (char *) +
- rep.numAliases * sizeof (short) +
- nbytesName);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
+ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
+ /*
+ * Compute total number of bytes for filter names
+ */
+ nbytes = (unsigned long)rep.length << 2;
+ nbytesAlias = rep.numAliases * 2;
+ if (rep.numAliases & 1)
+ nbytesAlias += 2;
+ nbytesName = nbytes - nbytesAlias;
+
+ /*
+ * Allocate one giant block for the whole data structure
+ */
+ filters = Xmalloc (sizeof (XFilters) +
+ (rep.numFilters * sizeof (char *)) +
+ (rep.numAliases * sizeof (short)) +
+ nbytesName);
+ } else
+ filters = NULL;
if (!filters)
{
- _XEatData (dpy, (unsigned long) rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -92,7 +103,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
* numAliases short alias values
* nbytesName char strings
*/
-
+
filters->nfilter = rep.numFilters;
filters->nalias = rep.numAliases;
filters->filter = (char **) (filters + 1);
@@ -121,7 +132,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
if (i & 3)
_XEatData (dpy, 4 - (i & 3));
-
+
UnlockDisplay (dpy);
SyncHandle ();
return filters;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-08 15:58:08 +0000