Commit ca9818d1 authored by Stuart Kreitman's avatar Stuart Kreitman

Memory overrun due to incomplete implementation of saveSetElt data

    structure
Modified Files: Tag: DAMAGE-XFIXES window.c dixutils.c
parent d7684c66
......@@ -353,7 +353,11 @@ AlterSaveSetForClient(ClientPtr client,
Bool remap)
{
int numnow;
#ifdef XFIXES
SaveSetElt *pTmp = NULL;
#else
pointer *pTmp = NULL;
#endif
int j;
numnow = client->numSaved;
......@@ -361,7 +365,7 @@ AlterSaveSetForClient(ClientPtr client,
if (numnow)
{
pTmp = client->saveSet;
while ((j < numnow) && (pTmp[j] != (pointer)pWin))
while ((j < numnow) && (SaveSetWindow(pTmp[j]) != (pointer)pWin))
j++;
}
if (mode == SetModeInsert)
......@@ -369,7 +373,11 @@ AlterSaveSetForClient(ClientPtr client,
if (j < numnow) /* duplicate */
return(Success);
numnow++;
#ifdef XFIXES
pTmp = (SaveSetElt *)xrealloc(client->saveSet, sizeof(SaveSetElt) * numnow);
#else
pTmp = (pointer *)xrealloc(client->saveSet, sizeof(pointer) * numnow);
#endif
if (!pTmp)
return(BadAlloc);
client->saveSet = pTmp;
......@@ -389,15 +397,22 @@ AlterSaveSetForClient(ClientPtr client,
numnow--;
if (numnow)
{
pTmp = (pointer *)xrealloc(client->saveSet,
sizeof(pointer) * numnow);
#ifdef XFIXES
pTmp = (SaveSetElt *)xrealloc(client->saveSet, sizeof(SaveSetElt) * numnow);
#else
pTmp = (pointer *)xrealloc(client->saveSet, sizeof(pointer) * numnow);
#endif
if (pTmp)
client->saveSet = pTmp;
}
else
{
xfree(client->saveSet);
#ifdef XFIXES
client->saveSet = (SaveSetElt *)NULL;
#else
client->saveSet = (pointer *)NULL;
#endif
}
client->numSaved = numnow;
return(Success);
......
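Review bot: The element size is still written out by hand at both `xrealloc` calls in AlterSaveSetForClient (insert path and delete path), under the same `#ifdef XFIXES` as the declaration of `pTmp`, so the allocation size and the indexing type can drift apart again, which is the kind of mismatch this commit describes as a memory overrun. Writing the size as `sizeof(*pTmp) * numnow` ties the byte count to whatever element type `saveSet` has; if `xrealloc` returns a `void *`-compatible type (not visible here), the cast and the two `#ifdef` blocks around the calls can go as well. The reset `client->saveSet = NULL;` needs neither a cast nor an `#ifdef`, both here and in the HandleSaveSet hunk below. The search loop now calls `SaveSetWindow(pTmp[j])` unconditionally, which presumably relies on a definition for the non-XFIXES build in a header this commit does not show, so that configuration is worth a compile check. The function body starts and ends outside these hunks.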
......@@ -3179,7 +3179,11 @@ HandleSaveSet(client)
}
xfree(client->saveSet);
client->numSaved = 0;
#ifdef XFIXES
client->saveSet = (SaveSetElt *)NULL;
#else
client->saveSet = (pointer *)NULL;
#endif
}
Bool
......