diff options
Diffstat (limited to 'xorg-server/hw')
| -rw-r--r-- | xorg-server/hw/dmx/dmx_glxvisuals.c | 25 | ||||
| -rw-r--r-- | xorg-server/hw/dmx/glxProxy/glxcmds.c | 16 | ||||
| -rw-r--r-- | xorg-server/hw/dmx/glxProxy/glxscreens.c | 9 | ||||
| -rw-r--r-- | xorg-server/hw/dmx/glxProxy/glxsingle.c | 6 | ||||
| -rw-r--r-- | xorg-server/hw/dmx/glxProxy/glxvendor.c | 4 | ||||
| -rw-r--r-- | xorg-server/hw/kdrive/ephyr/XF86dri.c | 23 | ||||
| -rw-r--r-- | xorg-server/hw/kdrive/ephyr/ephyrhostglx.c | 47 | ||||
| -rw-r--r-- | xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c | 2 | ||||
| -rw-r--r-- | xorg-server/hw/xfree86/common/xf86Module.h | 2 | ||||
| -rw-r--r-- | xorg-server/hw/xnest/Args.h | 2 | 
10 files changed, 77 insertions, 59 deletions
| diff --git a/xorg-server/hw/dmx/dmx_glxvisuals.c b/xorg-server/hw/dmx/dmx_glxvisuals.c index f903b7491..56bd67b6e 100644 --- a/xorg-server/hw/dmx/dmx_glxvisuals.c +++ b/xorg-server/hw/dmx/dmx_glxvisuals.c @@ -37,6 +37,7 @@  #include <GL/glxproto.h>  #include <X11/extensions/Xext.h>  #include <X11/extensions/extutil.h> +#include <limits.h>  #include "dmx_glxvisuals.h" @@ -84,7 +85,10 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)          SyncHandle();          return NULL;      } -    props = (INT32 *) Xmalloc(nprops * __GLX_SIZE_CARD32); +    if (nprops < (INT_MAX / __GLX_SIZE_CARD32)) +        props = Xmalloc(nprops * __GLX_SIZE_CARD32); +    else +        props = NULL;      if (!props) {          UnlockDisplay(dpy);          SyncHandle(); @@ -92,15 +96,16 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)      }      /* Allocate memory for our config structure */ -    config = (__GLXvisualConfig *) -        Xmalloc(nvisuals * sizeof(__GLXvisualConfig)); +    if (nvisuals < (INT_MAX / sizeof(__GLXvisualConfig))) +        config = Xcalloc(nvisuals, sizeof(__GLXvisualConfig)); +    else +        config = NULL;      if (!config) {          free(props);          UnlockDisplay(dpy);          SyncHandle();          return NULL;      } -    memset(config, 0, nvisuals * sizeof(__GLXvisualConfig));      configs = config;      num_good_visuals = 0; @@ -274,7 +279,10 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs)          return NULL;      } -    attrs = (INT32 *) Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32); +    if (numAttribs < (INT_MAX / (2 * __GLX_SIZE_CARD32))) +        attrs = Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32); +    else +        attrs = NULL;      if (!attrs) {          UnlockDisplay(dpy);          SyncHandle(); @@ -282,15 +290,16 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs)      }      /* Allocate memory for our config structure */ -    config = (__GLXFBConfig *) -        Xmalloc(numFBConfigs * sizeof(__GLXFBConfig)); +    if (numFBConfigs < (INT_MAX / sizeof(__GLXFBConfig))) +        config = Xcalloc(numFBConfigs, sizeof(__GLXFBConfig)); +    else +        config = NULL;      if (!config) {          free(attrs);          UnlockDisplay(dpy);          SyncHandle();          return NULL;      } -    memset(config, 0, numFBConfigs * sizeof(__GLXFBConfig));      fbconfigs = config;      /* Convert attribute list into our format */ diff --git a/xorg-server/hw/dmx/glxProxy/glxcmds.c b/xorg-server/hw/dmx/glxProxy/glxcmds.c index 45382748f..8cdb25ec6 100644 --- a/xorg-server/hw/dmx/glxProxy/glxcmds.c +++ b/xorg-server/hw/dmx/glxProxy/glxcmds.c @@ -2582,7 +2582,6 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc)      xGLXQueryExtensionsStringReply be_reply;      DMXScreenInfo *dmxScreen;      Display *dpy; -    int slop;  #endif      screen = req->screen; @@ -2608,16 +2607,13 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc)      _XReply(dpy, (xReply *) &be_reply, 0, False);      len = (int) be_reply.length;      numbytes = (int) be_reply.n; -    slop = numbytes * __GLX_SIZE_INT8 & 3;      be_buf = (char *) malloc(numbytes);      if (!be_buf) {          /* Throw data on the floor */ -        _XEatData(dpy, len); +        _XEatDataWords(dpy, len);      }      else { -        _XRead(dpy, (char *) be_buf, numbytes); -        if (slop) -            _XEatData(dpy, 4 - slop); +        _XReadPad(dpy, (char *) be_buf, numbytes);      }      UnlockDisplay(dpy);      SyncHandle(); @@ -2666,7 +2662,6 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc)      xGLXQueryServerStringReply be_reply;      DMXScreenInfo *dmxScreen;      Display *dpy; -    int slop;  #endif      name = req->name; @@ -2693,16 +2688,13 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc)      _XReply(dpy, (xReply *) &be_reply, 0, False);      len = (int) be_reply.length;      numbytes = (int) be_reply.n; -    slop = numbytes * __GLX_SIZE_INT8 & 3;      be_buf = (char *) malloc(numbytes);      if (!be_buf) {          /* Throw data on the floor */ -        _XEatData(dpy, len); +        _XEatDataWords(dpy, len);      }      else { -        _XRead(dpy, (char *) be_buf, numbytes); -        if (slop) -            _XEatData(dpy, 4 - slop); +        _XReadPad(dpy, (char *) be_buf, numbytes);      }      UnlockDisplay(dpy);      SyncHandle(); diff --git a/xorg-server/hw/dmx/glxProxy/glxscreens.c b/xorg-server/hw/dmx/glxProxy/glxscreens.c index 2a1909244..138afedf2 100644 --- a/xorg-server/hw/dmx/glxProxy/glxscreens.c +++ b/xorg-server/hw/dmx/glxProxy/glxscreens.c @@ -138,7 +138,7 @@ CalcServerVersionAndExtensions(void)          Display *dpy = dmxScreen->beDisplay;          xGLXQueryServerStringReq *req;          xGLXQueryServerStringReply reply; -        int length, numbytes, slop; +        int length, numbytes;          /* Send the glXQueryServerString request */          LockDisplay(dpy); @@ -151,16 +151,13 @@ CalcServerVersionAndExtensions(void)          length = (int) reply.length;          numbytes = (int) reply.n; -        slop = numbytes * __GLX_SIZE_INT8 & 3;          be_extensions[s] = (char *) malloc(numbytes);          if (!be_extensions[s]) {              /* Throw data on the floor */ -            _XEatData(dpy, length); +            _XEatDataWords(dpy, length);          }          else { -            _XRead(dpy, (char *) be_extensions[s], numbytes); -            if (slop) -                _XEatData(dpy, 4 - slop); +            _XReadPad(dpy, (char *) be_extensions[s], numbytes);          }          UnlockDisplay(dpy);          SyncHandle(); diff --git a/xorg-server/hw/dmx/glxProxy/glxsingle.c b/xorg-server/hw/dmx/glxProxy/glxsingle.c index e60cfeb70..abfb880a3 100644 --- a/xorg-server/hw/dmx/glxProxy/glxsingle.c +++ b/xorg-server/hw/dmx/glxProxy/glxsingle.c @@ -258,7 +258,7 @@ __glXForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc)          }          else {              /* Throw data on the floor */ -            _XEatData(dpy, be_buf_size); +            _XEatDataWords(dpy, be_reply.length);              return BadAlloc;          }      } @@ -357,7 +357,7 @@ __glXForwardAllWithReply(__GLXclientState * cl, GLbyte * pc)              }              else {                  /* Throw data on the floor */ -                _XEatData(dpy, be_buf_size); +                _XEatDataWords(dpy, be_reply.length);                  return BadAlloc;              }          } @@ -993,7 +993,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)                      }                      else {                          /* Throw data on the floor */ -                        _XEatData(dpy, be_buf_size); +                        _XEatDataWords(dpy, be_reply.length);                          free(buf);                          return BadAlloc;                      } diff --git a/xorg-server/hw/dmx/glxProxy/glxvendor.c b/xorg-server/hw/dmx/glxProxy/glxvendor.c index 5777c6acc..50d505c4b 100644 --- a/xorg-server/hw/dmx/glxProxy/glxvendor.c +++ b/xorg-server/hw/dmx/glxProxy/glxvendor.c @@ -246,7 +246,7 @@ __glXVForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc)          }          else {              /* Throw data on the floor */ -            _XEatData(dpy, be_buf_size); +            _XEatDataWords(dpy, be_reply.length);              return BadAlloc;          }      } @@ -340,7 +340,7 @@ __glXVForwardAllWithReply(__GLXclientState * cl, GLbyte * pc)              }              else {                  /* Throw data on the floor */ -                _XEatData(dpy, be_buf_size); +                _XEatDataWords(dpy, be_reply.length);                  return BadAlloc;              }          } diff --git a/xorg-server/hw/kdrive/ephyr/XF86dri.c b/xorg-server/hw/kdrive/ephyr/XF86dri.c index 9d742f394..15b62191f 100644 --- a/xorg-server/hw/kdrive/ephyr/XF86dri.c +++ b/xorg-server/hw/kdrive/ephyr/XF86dri.c @@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  #include <GL/glx.h>  #include "xf86dri.h"  #include <X11/dri/xf86driproto.h> +#include <limits.h>  static XExtensionInfo _xf86dri_info_data;  static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -225,8 +226,12 @@ XF86DRIOpenConnection(Display * dpy, int screen,      }      if (rep.length) { -        if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) { -            _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); +        if (rep.busIdStringLength < INT_MAX) +            *busIdString = calloc(rep.busIdStringLength + 1, 1); +        else +            *busIdString = NULL; +        if (*busIdString == NULL) { +            _XEatDataWords(dpy, rep.length);              UnlockDisplay(dpy);              SyncHandle();              TRACE("OpenConnection... return False"); @@ -323,10 +328,12 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,      *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;      if (rep.length) { -        if (! -            (*clientDriverName = -             (char *) calloc(rep.clientDriverNameLength + 1, 1))) { -            _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); +        if (rep.clientDriverNameLength < INT_MAX) +            *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); +        else +            *clientDriverName = NULL; +        if (*clientDriverName == NULL) { +            _XEatDataWords(dpy, rep.length);              UnlockDisplay(dpy);              SyncHandle();              TRACE("GetClientDriverName... return False"); @@ -532,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable,                            SIZEOF(xGenericReply) +                            total_rects * sizeof(drm_clip_rect_t)) +                           3) & ~3) >> 2)) { -        _XEatData(dpy, rep.length); +        _XEatDataWords(dpy, rep.length);          UnlockDisplay(dpy);          SyncHandle();          TRACE("GetDrawableInfo... return False"); @@ -606,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer,      if (rep.length) {          if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) { -            _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3)); +            _XEatDataWords(dpy, rep.length);              UnlockDisplay(dpy);              SyncHandle();              TRACE("GetDeviceInfo... return False"); diff --git a/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c b/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c index 5c6c40f0b..6a4392fee 100644 --- a/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c +++ b/xorg-server/hw/kdrive/ephyr/ephyrhostglx.c @@ -137,7 +137,7 @@ ephyrHostGLXQueryVersion(int *a_major, int *a_minor)  }  /** - * GLX protocol structure for the ficticious "GXLGenericGetString" request. + * GLX protocol structure for the ficticious "GLXGenericGetString" request.   *    * This is a non-existant protocol packet.  It just so happens that all of   * the real protocol packets used to request a string from the server have @@ -169,7 +169,8 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,      int default_screen = DefaultScreen(dpy);      xGLXGenericGetStringReq *req = NULL;      xGLXSingleReply reply; -    int length = 0, numbytes = 0, major_opcode = 0, get_string_op = 0; +    unsigned long length = 0, numbytes = 0; +    int major_opcode = 0, get_string_op = 0;      EPHYR_RETURN_VAL_IF_FAIL(dpy && a_string, FALSE); @@ -209,36 +210,48 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,      _XReply(dpy, (xReply *) &reply, 0, False); -    length = reply.length * 4; -    if (!length) { -        numbytes = 0; +#if UINT32_MAX >= (ULONG_MAX / 4) +    if (reply.length >= (ULONG_MAX / 4)) { +        _XEatDataWords(dpy, reply.length); +        goto eat_out;      } -    else { +#endif +    if (reply.length > 0) { +        length = (unsigned long) reply.length * 4;          numbytes = reply.size; +        if (numbytes > length) { +            EPHYR_LOG_ERROR("string length %d longer than reply length %d\n", +                            numbytes, length); +            goto eat_out; +        }      }      EPHYR_LOG("going to get a string of size:%d\n", numbytes); -    *a_string = (char *) Xmalloc(numbytes + 1); -    if (!a_string) { +    if (numbytes < INT_MAX) +        *a_string = Xcalloc(numbytes + 1, 1); +    else +        *a_string = NULL; +    if (*a_string == NULL) {          EPHYR_LOG_ERROR("allocation failed\n"); -        goto out; +        goto eat_out;      } -    memset(*a_string, 0, numbytes + 1);      if (_XRead(dpy, *a_string, numbytes)) { -        UnlockDisplay(dpy); -        SyncHandle();          EPHYR_LOG_ERROR("read failed\n"); -        goto out; +        length = 0; /* if read failed, no idea how much to eat */ +    } +    else { +        length -= numbytes; +        EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", +                  a_string_name, *a_string, numbytes); +        is_ok = TRUE;      } -    length -= numbytes; + + eat_out:      _XEatData(dpy, length);      UnlockDisplay(dpy);      SyncHandle(); -    EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", -              a_string_name, *a_string, numbytes); -    is_ok = TRUE;   out:      EPHYR_LOG("leave\n");      return is_ok; diff --git a/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c b/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c index 362aa055e..05e9ad9f5 100644 --- a/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c +++ b/xorg-server/hw/kdrive/ephyr/ephyrhostvideo.c @@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id,          _XRead(dpy, (char *) a_offsets, rep.num_planes << 2);      }      else { -        _XEatData(dpy, rep.length << 2); +        _XEatDataWords(dpy, rep.length);      }      *a_width = rep.width;      *a_height = rep.height; diff --git a/xorg-server/hw/xfree86/common/xf86Module.h b/xorg-server/hw/xfree86/common/xf86Module.h index 1393427f8..e0cec05b8 100644 --- a/xorg-server/hw/xfree86/common/xf86Module.h +++ b/xorg-server/hw/xfree86/common/xf86Module.h @@ -81,7 +81,7 @@ typedef enum {   */  #define ABI_ANSIC_VERSION	SET_ABI_VERSION(0, 4)  #define ABI_VIDEODRV_VERSION	SET_ABI_VERSION(14, 1) -#define ABI_XINPUT_VERSION	SET_ABI_VERSION(19, 1) +#define ABI_XINPUT_VERSION	SET_ABI_VERSION(19, 2)  #define ABI_EXTENSION_VERSION	SET_ABI_VERSION(7, 0)  #define ABI_FONT_VERSION	SET_ABI_VERSION(0, 6) diff --git a/xorg-server/hw/xnest/Args.h b/xorg-server/hw/xnest/Args.h index 514a39513..225418d22 100644 --- a/xorg-server/hw/xnest/Args.h +++ b/xorg-server/hw/xnest/Args.h @@ -12,7 +12,7 @@ is" without express or implied warranty.  */ -#ifndef XNESTARGC_H +#ifndef XNESTARGS_H  #define XNESTARGS_H  extern char *xnestDisplayName; | 
