From 5e5a48ff8cd08f123601cd0625ca62a86675aac9 Mon Sep 17 00:00:00 2001
From: marha <marha@users.sourceforge.net>
Date: Sun, 4 Jan 2015 16:25:32 +0100
Subject: fontconfig libX11 mesa xserver git update 4 Jan 2015

xserver          commit dc777c346d5d452a53b13b917c45f6a1bad2f20b
libX11           commit 446f5f7f41317a85a0cd0efa5e6a1b37bc99fba2
fontconfig       commit 4420b27c074821a1d1f9d6ebe822a610176a417d
mesa             commit 48094d0e6554a9df36bf00fc2793ade46cf92406
---
 xorg-server/include/dix.h       |  7 ++++++-
 xorg-server/include/regionstr.h | 10 +++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

(limited to 'xorg-server/include')

diff --git a/xorg-server/include/dix.h b/xorg-server/include/dix.h
index 991a3ce88..921156b4c 100644
--- a/xorg-server/include/dix.h
+++ b/xorg-server/include/dix.h
@@ -74,9 +74,14 @@ SOFTWARE.
     if ((sizeof(req) >> 2) > client->req_len )\
          return(BadLength)
 
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra)  \
+    if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+         return(BadLength)
+
 #define REQUEST_FIXED_SIZE(req, n)\
     if (((sizeof(req) >> 2) > client->req_len) || \
-        (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+        (((n) >> 2) >= client->req_len) ||                              \
+        ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len))  \
          return(BadLength)
 
 #define LEGAL_NEW_RESOURCE(id,client)\
diff --git a/xorg-server/include/regionstr.h b/xorg-server/include/regionstr.h
index 515e93ffa..079375d33 100644
--- a/xorg-server/include/regionstr.h
+++ b/xorg-server/include/regionstr.h
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
 static inline size_t
 RegionSizeof(size_t n)
 {
-    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+    else
+        return 0;
 }
 
 static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
         (_pReg)->data = (RegDataPtr) NULL;
     }
     else {
+        size_t rgnSize;
         (_pReg)->extents = RegionEmptyBox;
-        if (((_size) > 1) && ((_pReg)->data =
-                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
+        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+            (((_pReg)->data = malloc(rgnSize)) != NULL)) {
             (_pReg)->data->size = (_size);
             (_pReg)->data->numRects = 0;
         }
-- 
cgit v1.2.3