From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 13 Apr 2013 00:28:34 -0700
Subject: Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith
---
 configure.ac | 6 ++++++
 src/Xv.c | 22 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5494b5d..6a335db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE.
 **
 */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include
 #include "Xvlibint.h"
 #include
 #include
 #include
+#include
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
 static XExtensionInfo _xv_info_data;
 static XExtensionInfo *xv_info = &_xv_info_data;
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 (*num)++;
 }
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
 (*num)++;
 }
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 UnlockDisplay(dpy);
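Review bot: The fallback `_XEatDataWords` added in the `@@ -49,11 +49,27 @@` hunk of src/Xv.c is only safe if `_XIOError(dpy)` never returns, and nothing in the code says so. If it did return, the following line would still pass the wrapped `n << 2` to `_XEatData`. I would add a comment above the guard, for example `/* n is the server-supplied reply length in 4-byte words; where unsigned long is 32 bits, n << 2 can wrap, so treat it as a fatal I/O error (_XIOError is not expected to return) */`. A short remark on the `# ifndef LONG64` branch would help too, since it is the reason the check is skipped where `unsigned long` is 64 bits wide.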
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
 _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
 _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
-- 
cgit v1.2.1
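Review bot: In the XvCreateImage hunk the two context lines above the fix still take their read sizes straight from the reply, `_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2)` and the matching `offsets` read, while this commit hardens only the discard path. The allocation of `ret->pitches` and `ret->offsets` is outside the hunk, so it should be confirmed that it uses the same `rep.num_planes` with an overflow-checked size. It should also be confirmed that `rep.length` agrees with the two reads (`2 * rep.num_planes` words), so that no unread reply data stays on the connection. If that is not checked elsewhere, a guard such as `if (rep.num_planes <= (rep.length >> 1))` before the reads, with any remainder handed to `_XEatDataWords`, would cover it. The function body starts and ends outside the hunk.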