diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 10:20:59 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-03 23:53:29 -0700 |
| commit | b031e3b60fa1af9e49449f23d4a84395868be3ab (patch) | |
| tree | 62d95f77e6d029fa06b9772d2d8d51421b5b5877 | |
| parent | f870dfb47da9d43d1750ea5e5fc9288c4158f7ad (diff) | |
| download | xorg-lib-libXfixes-b031e3b60fa1af9e49449f23d4a84395868be3ab.tar.gz | |
Use _XEatDataWords to avoid overflow of _XEatData calculations
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
| -rw-r--r-- | configure.ac | 7 | ||||
| -rw-r--r-- | src/Cursor.c | 4 | ||||
| -rw-r--r-- | src/Region.c | 2 | ||||
| -rw-r--r-- | src/Xfixesint.h | 14 |
4 files changed, 24 insertions, 3 deletions
diff --git a/configure.ac b/configure.ac index b942ffa..bb8e976 100644 --- a/configure.ac +++ b/configure.ac @@ -57,6 +57,13 @@ AC_SUBST(FIXESEXT_VERSION) # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(FIXESEXT, xproto [fixesproto >= $FIXESEXT_VERSION] xextproto x11) +# Check for _XEatDataWords function that may be patched into older Xlib releases +SAVE_LIBS="$LIBS" +LIBS="$FIXESEXT_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + + AC_CONFIG_FILES([Makefile src/Makefile man/Makefile diff --git a/src/Cursor.c b/src/Cursor.c index b3dfed1..641b747 100644 --- a/src/Cursor.c +++ b/src/Cursor.c @@ -113,7 +113,7 @@ XFixesGetCursorImage (Display *dpy) image = (XFixesCursorImage *) Xmalloc (rlength); if (!image) { - _XEatData (dpy, nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; @@ -191,7 +191,7 @@ XFixesGetCursorName (Display *dpy, Cursor cursor, Atom *atom) _XReadPad(dpy, name, (long)rep.nbytes); name[rep.nbytes] = '\0'; } else { - _XEatData(dpy, (unsigned long) (rep.nbytes + 3) & ~3); + _XEatDataWords(dpy, rep.length); name = (char *) NULL; } UnlockDisplay(dpy); diff --git a/src/Region.c b/src/Region.c index 042f966..cb0cf6e 100644 --- a/src/Region.c +++ b/src/Region.c @@ -338,7 +338,7 @@ XFixesFetchRegionAndBounds (Display *dpy, rects = Xmalloc (nrects * sizeof (XRectangle)); if (!rects) { - _XEatData (dpy, nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; diff --git a/src/Xfixesint.h b/src/Xfixesint.h index 8a4d5fd..7bf5bfd 100644 --- a/src/Xfixesint.h +++ b/src/Xfixesint.h @@ -60,4 +60,18 @@ XFixesFindDisplay (Display *dpy); #define XFixesSimpleCheckExtension(dpy,i) \ if (!XFixesHasExtension(i)) { return; } +#ifndef HAVE__XEATDATAWORDS +#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ +#include <limits.h> + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif + #endif /* _XFIXESINT_H_ */ |