diff options
Diffstat (limited to 'xorg-server/hw/kdrive')
-rw-r--r-- | xorg-server/hw/kdrive/ephyr/XF86dri.c | 23 | ||||
-rw-r--r-- | xorg-server/hw/kdrive/ephyr/ephyrhostglx.c | 47 | ||||
-rw-r--r-- | xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c | 2 |
3 files changed, 46 insertions, 26 deletions
diff --git a/xorg-server/hw/kdrive/ephyr/XF86dri.c b/xorg-server/hw/kdrive/ephyr/XF86dri.c index 9d742f394..15b62191f 100644 --- a/xorg-server/hw/kdrive/ephyr/XF86dri.c +++ b/xorg-server/hw/kdrive/ephyr/XF86dri.c @@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include <GL/glx.h> #include "xf86dri.h" #include <X11/dri/xf86driproto.h> +#include <limits.h> static XExtensionInfo _xf86dri_info_data; static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -225,8 +226,12 @@ XF86DRIOpenConnection(Display * dpy, int screen, } if (rep.length) { - if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) { - _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); + if (rep.busIdStringLength < INT_MAX) + *busIdString = calloc(rep.busIdStringLength + 1, 1); + else + *busIdString = NULL; + if (*busIdString == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("OpenConnection... return False"); @@ -323,10 +328,12 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; if (rep.length) { - if (! - (*clientDriverName = - (char *) calloc(rep.clientDriverNameLength + 1, 1))) { - _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); + if (rep.clientDriverNameLength < INT_MAX) + *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); + else + *clientDriverName = NULL; + if (*clientDriverName == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetClientDriverName... return False"); @@ -532,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable, SIZEOF(xGenericReply) + total_rects * sizeof(drm_clip_rect_t)) + 3) & ~3) >> 2)) { - _XEatData(dpy, rep.length); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetDrawableInfo... return False"); @@ -606,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer, if (rep.length) { if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) { - _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3)); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetDeviceInfo... return False"); diff --git a/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c b/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c index 5c6c40f0b..6a4392fee 100644 --- a/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c +++ b/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c @@ -137,7 +137,7 @@ ephyrHostGLXQueryVersion(int *a_major, int *a_minor) } /** - * GLX protocol structure for the ficticious "GXLGenericGetString" request. + * GLX protocol structure for the ficticious "GLXGenericGetString" request. * * This is a non-existant protocol packet. It just so happens that all of * the real protocol packets used to request a string from the server have @@ -169,7 +169,8 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, int default_screen = DefaultScreen(dpy); xGLXGenericGetStringReq *req = NULL; xGLXSingleReply reply; - int length = 0, numbytes = 0, major_opcode = 0, get_string_op = 0; + unsigned long length = 0, numbytes = 0; + int major_opcode = 0, get_string_op = 0; EPHYR_RETURN_VAL_IF_FAIL(dpy && a_string, FALSE); @@ -209,36 +210,48 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, _XReply(dpy, (xReply *) &reply, 0, False); - length = reply.length * 4; - if (!length) { - numbytes = 0; +#if UINT32_MAX >= (ULONG_MAX / 4) + if (reply.length >= (ULONG_MAX / 4)) { + _XEatDataWords(dpy, reply.length); + goto eat_out; } - else { +#endif + if (reply.length > 0) { + length = (unsigned long) reply.length * 4; numbytes = reply.size; + if (numbytes > length) { + EPHYR_LOG_ERROR("string length %d longer than reply length %d\n", + numbytes, length); + goto eat_out; + } } EPHYR_LOG("going to get a string of size:%d\n", numbytes); - *a_string = (char *) Xmalloc(numbytes + 1); - if (!a_string) { + if (numbytes < INT_MAX) + *a_string = Xcalloc(numbytes + 1, 1); + else + *a_string = NULL; + if (*a_string == NULL) { EPHYR_LOG_ERROR("allocation failed\n"); - goto out; + goto eat_out; } - memset(*a_string, 0, numbytes + 1); if (_XRead(dpy, *a_string, numbytes)) { - UnlockDisplay(dpy); - SyncHandle(); EPHYR_LOG_ERROR("read failed\n"); - goto out; + length = 0; /* if read failed, no idea how much to eat */ + } + else { + length -= numbytes; + EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", + a_string_name, *a_string, numbytes); + is_ok = TRUE; } - length -= numbytes; + + eat_out: _XEatData(dpy, length); UnlockDisplay(dpy); SyncHandle(); - EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", - a_string_name, *a_string, numbytes); - is_ok = TRUE; out: EPHYR_LOG("leave\n"); return is_ok; diff --git a/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c b/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c index 362aa055e..05e9ad9f5 100644 --- a/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c +++ b/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c @@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id, _XRead(dpy, (char *) a_offsets, rep.num_planes << 2); } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } *a_width = rep.width; *a_height = rep.height; |