From 6dd755aa923291db2501cc5c22e409c41a70e3c1 Mon Sep 17 00:00:00 2001 From: marha Date: Tue, 1 Oct 2013 12:23:16 +0200 Subject: Update following packages: libXpm-3.5.11 libXaw-1.0.12 libXfont-1.4.6 libXrender-0.9.8 xproto-7.0.24 inputproto-2.3 xclock-1.0.7 xhost-1.0.6 --- libXrender/src/Filter.c | 53 +++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 21 deletions(-) (limited to 'libXrender/src/Filter.c') diff --git a/libXrender/src/Filter.c b/libXrender/src/Filter.c index 3ac660a40..edfa57231 100644 --- a/libXrender/src/Filter.c +++ b/libXrender/src/Filter.c @@ -25,7 +25,8 @@ #include #endif #include "Xrenderint.h" - +#include + XFilters * XRenderQueryFilters (Display *dpy, Drawable drawable) { @@ -37,8 +38,8 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) char *name; char len; int i; - long nbytes, nbytesAlias, nbytesName; - + unsigned long nbytes, nbytesAlias, nbytesName; + if (!RenderHasExtension (info)) return NULL; @@ -48,7 +49,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) xri = info->info; if (xri->minor_version < 6) return NULL; - + LockDisplay (dpy); GetReq (RenderQueryFilters, req); req->reqType = info->codes->major_opcode; @@ -60,26 +61,36 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) SyncHandle (); return NULL; } + /* - * Compute total number of bytes for filter names - */ - nbytes = (long)rep.length << 2; - nbytesAlias = rep.numAliases * 2; - if (rep.numAliases & 1) - nbytesAlias += 2; - nbytesName = nbytes - nbytesAlias; - - /* - * Allocate one giant block for the whole data structure + * Limit each component of combined size to 1/4 the max, which is far + * more than they should ever possibly need. */ - filters = Xmalloc (sizeof (XFilters) + - rep.numFilters * sizeof (char *) + - rep.numAliases * sizeof (short) + - nbytesName); + if ((rep.length < (INT_MAX >> 2)) && + (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && + (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { + /* + * Compute total number of bytes for filter names + */ + nbytes = (unsigned long)rep.length << 2; + nbytesAlias = rep.numAliases * 2; + if (rep.numAliases & 1) + nbytesAlias += 2; + nbytesName = nbytes - nbytesAlias; + + /* + * Allocate one giant block for the whole data structure + */ + filters = Xmalloc (sizeof (XFilters) + + (rep.numFilters * sizeof (char *)) + + (rep.numAliases * sizeof (short)) + + nbytesName); + } else + filters = NULL; if (!filters) { - _XEatData (dpy, (unsigned long) rep.length << 2); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; @@ -92,7 +103,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) * numAliases short alias values * nbytesName char strings */ - + filters->nfilter = rep.numFilters; filters->nalias = rep.numAliases; filters->filter = (char **) (filters + 1); @@ -121,7 +132,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) if (i & 3) _XEatData (dpy, 4 - (i & 3)); - + UnlockDisplay (dpy); SyncHandle (); return filters; -- cgit v1.2.3