aboutsummaryrefslogtreecommitdiff
path: root/xorg-server/hw/kdrive
diff options
context:
space:
mode:
Diffstat (limited to 'xorg-server/hw/kdrive')
-rw-r--r--xorg-server/hw/kdrive/ephyr/XF86dri.c23
-rw-r--r--xorg-server/hw/kdrive/ephyr/ephyrhostglx.c47
-rw-r--r--xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c2
3 files changed, 46 insertions, 26 deletions
diff --git a/xorg-server/hw/kdrive/ephyr/XF86dri.c b/xorg-server/hw/kdrive/ephyr/XF86dri.c
index 9d742f394..15b62191f 100644
--- a/xorg-server/hw/kdrive/ephyr/XF86dri.c
+++ b/xorg-server/hw/kdrive/ephyr/XF86dri.c
@@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <GL/glx.h>
#include "xf86dri.h"
#include <X11/dri/xf86driproto.h>
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -225,8 +226,12 @@ XF86DRIOpenConnection(Display * dpy, int screen,
}
if (rep.length) {
- if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) {
- _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = calloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
TRACE("OpenConnection... return False");
@@ -323,10 +328,12 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- (char *) calloc(rep.clientDriverNameLength + 1, 1))) {
- _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
TRACE("GetClientDriverName... return False");
@@ -532,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable,
SIZEOF(xGenericReply) +
total_rects * sizeof(drm_clip_rect_t)) +
3) & ~3) >> 2)) {
- _XEatData(dpy, rep.length);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
TRACE("GetDrawableInfo... return False");
@@ -606,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer,
if (rep.length) {
if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) {
- _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3));
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
TRACE("GetDeviceInfo... return False");
diff --git a/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c b/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c
index 5c6c40f0b..6a4392fee 100644
--- a/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c
+++ b/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c
@@ -137,7 +137,7 @@ ephyrHostGLXQueryVersion(int *a_major, int *a_minor)
}
/**
- * GLX protocol structure for the ficticious "GXLGenericGetString" request.
+ * GLX protocol structure for the ficticious "GLXGenericGetString" request.
*
* This is a non-existant protocol packet. It just so happens that all of
* the real protocol packets used to request a string from the server have
@@ -169,7 +169,8 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,
int default_screen = DefaultScreen(dpy);
xGLXGenericGetStringReq *req = NULL;
xGLXSingleReply reply;
- int length = 0, numbytes = 0, major_opcode = 0, get_string_op = 0;
+ unsigned long length = 0, numbytes = 0;
+ int major_opcode = 0, get_string_op = 0;
EPHYR_RETURN_VAL_IF_FAIL(dpy && a_string, FALSE);
@@ -209,36 +210,48 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,
_XReply(dpy, (xReply *) &reply, 0, False);
- length = reply.length * 4;
- if (!length) {
- numbytes = 0;
+#if UINT32_MAX >= (ULONG_MAX / 4)
+ if (reply.length >= (ULONG_MAX / 4)) {
+ _XEatDataWords(dpy, reply.length);
+ goto eat_out;
}
- else {
+#endif
+ if (reply.length > 0) {
+ length = (unsigned long) reply.length * 4;
numbytes = reply.size;
+ if (numbytes > length) {
+ EPHYR_LOG_ERROR("string length %d longer than reply length %d\n",
+ numbytes, length);
+ goto eat_out;
+ }
}
EPHYR_LOG("going to get a string of size:%d\n", numbytes);
- *a_string = (char *) Xmalloc(numbytes + 1);
- if (!a_string) {
+ if (numbytes < INT_MAX)
+ *a_string = Xcalloc(numbytes + 1, 1);
+ else
+ *a_string = NULL;
+ if (*a_string == NULL) {
EPHYR_LOG_ERROR("allocation failed\n");
- goto out;
+ goto eat_out;
}
- memset(*a_string, 0, numbytes + 1);
if (_XRead(dpy, *a_string, numbytes)) {
- UnlockDisplay(dpy);
- SyncHandle();
EPHYR_LOG_ERROR("read failed\n");
- goto out;
+ length = 0; /* if read failed, no idea how much to eat */
+ }
+ else {
+ length -= numbytes;
+ EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n",
+ a_string_name, *a_string, numbytes);
+ is_ok = TRUE;
}
- length -= numbytes;
+
+ eat_out:
_XEatData(dpy, length);
UnlockDisplay(dpy);
SyncHandle();
- EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n",
- a_string_name, *a_string, numbytes);
- is_ok = TRUE;
out:
EPHYR_LOG("leave\n");
return is_ok;
diff --git a/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c b/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c
index 362aa055e..05e9ad9f5 100644
--- a/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c
+++ b/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c
@@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id,
_XRead(dpy, (char *) a_offsets, rep.num_planes << 2);
}
else {
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
*a_width = rep.width;
*a_height = rep.height;