From 5c340ceb9356ea029dea53b73440268d4769d5a5 Mon Sep 17 00:00:00 2001 From: marha Date: Tue, 23 Jul 2013 09:20:51 +0200 Subject: libX11 libXmu mesa xserver git update 23 July 2013 xserver commit d5ebe20f9ba9569351c4a41449866679fd60ba45 libX11 commit feb131b18aee31c2c125dc3275b0260940245882 libXmu commit d5dac08d65c4865f311cb62c161dbb1300eecd11 mesa commit 5a7bdd4b4173958c53109517b7c95f1039623e7e --- libX11/specs/libX11/AppC.xml | 4 +++- libX11/src/Host.c | 8 ++++++++ libX11/src/ModMap.c | 10 +++++++--- libX11/src/XlibInt.c | 8 ++++++++ 4 files changed, 26 insertions(+), 4 deletions(-) (limited to 'libX11') diff --git a/libX11/specs/libX11/AppC.xml b/libX11/specs/libX11/AppC.xml index df250275e..0b37048f1 100644 --- a/libX11/specs/libX11/AppC.xml +++ b/libX11/specs/libX11/AppC.xml @@ -2468,7 +2468,9 @@ which is the same as GetReq except that it takes an additional argument (the number of extra bytes to allocate in the output buffer after the request structure). -This number should always be a multiple of four. +This number should always be a multiple of four. Note that it is possible +for req to be set to NULL as a defensive measure if the requested length +exceeds the Xlib's buffer size (normally 16K). diff --git a/libX11/src/Host.c b/libX11/src/Host.c index da9923a9e..da5e2f7d3 100644 --- a/libX11/src/Host.c +++ b/libX11/src/Host.c @@ -83,6 +83,10 @@ XAddHost ( LockDisplay(dpy); GetReqExtra (ChangeHosts, length, req); + if (!req) { + UnlockDisplay(dpy); + return 0; + } req->mode = HostInsert; req->hostFamily = host->family; req->hostLength = addrlen; @@ -118,6 +122,10 @@ XRemoveHost ( LockDisplay(dpy); GetReqExtra (ChangeHosts, length, req); + if (!req) { + UnlockDisplay(dpy); + return 0; + } req->mode = HostDelete; req->hostFamily = host->family; req->hostLength = addrlen; diff --git a/libX11/src/ModMap.c b/libX11/src/ModMap.c index 04cd676eb..836a67621 100644 --- a/libX11/src/ModMap.c +++ b/libX11/src/ModMap.c @@ -65,9 +65,9 @@ XGetModifierMapping(register Display *dpy) /* * Returns: - * 0 Success - * 1 Busy - one or more old or new modifiers are down - * 2 Failed - one or more new modifiers unacceptable + * MappingSuccess (0) Success + * MappingBusy (1) Busy - one or more old or new modifiers are down + * MappingFailed (2) Failed - one or more new modifiers unacceptable */ int XSetModifierMapping( @@ -80,6 +80,10 @@ XSetModifierMapping( LockDisplay(dpy); GetReqExtra(SetModifierMapping, mapSize, req); + if (!req) { + UnlockDisplay(dpy); + return MappingFailed; + } req->numKeyPerModifier = modifier_map->max_keypermod; diff --git a/libX11/src/XlibInt.c b/libX11/src/XlibInt.c index 92a434004..7521f12ad 100644 --- a/libX11/src/XlibInt.c +++ b/libX11/src/XlibInt.c @@ -1733,6 +1733,14 @@ void *_XGetRequest(Display *dpy, CARD8 type, size_t len) if (dpy->bufptr + len > dpy->bufmax) _XFlush(dpy); + /* Request still too large, so do not allow it to overflow. */ + if (dpy->bufptr + len > dpy->bufmax) { + fprintf(stderr, + "Xlib: request %d length %zd would exceed buffer size.\n", + type, len); + /* Changes failure condition from overflow to NULL dereference. */ + return NULL; + } if (len % 4) fprintf(stderr, -- cgit v1.2.3