Commit 0e6561ef authored by Todd Carson's avatar Todd Carson Committed by Matthieu Herrb

Fix signed length values in _XimGetAttributeID()

The lengths are unsigned according to the specification. Passing
negative values can lead to data corruption.
Signed-off-by: Matthieu Herrb's avatarMatthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb's avatarMatthieu Herrb <matthieu@herrb.eu>
parent 2b759822
......@@ -1378,13 +1378,13 @@ _XimEncodeSavedICATTRIBUTE(
static unsigned int
_XimCountNumberOfAttr(
INT16 total,
CARD16 *attr,
int *names_len)
CARD16 total,
CARD16 *attr,
unsigned int *names_len)
{
unsigned int n;
INT16 len;
INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
CARD16 len;
CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ sizeof(CARD16) /* sizeof type of value */
+ sizeof(INT16); /* sizeof length of attribute */
......@@ -1392,6 +1392,9 @@ _XimCountNumberOfAttr(
*names_len = 0;
while (total > min_len) {
len = attr[2];
if (len >= (total - min_len)) {
return 0;
}
*names_len += (len + 1);
len += (min_len + XIM_PAD(len + 2));
total -= len;
......@@ -1406,17 +1409,15 @@ _XimGetAttributeID(
Xim im,
CARD16 *buf)
{
unsigned int n;
unsigned int n, names_len, values_len;
XIMResourceList res;
char *names;
int names_len;
XPointer tmp;
XIMValuesList *values_list;
char **values;
int values_len;
register int i;
INT16 len;
INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
CARD16 len;
CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ sizeof(CARD16) /* sizeof type of value */
+ sizeof(INT16); /* sizeof length of attr */
/*
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment