Unverified Commit 93fce3f4 authored by Yichao Yu's avatar Yichao Yu

Fix size calculation in `_XimAttributeToValue`.

The check here guards the read below.
For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers`
these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`.
(There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this
function and doesn't need to be checked.)

The old code here used the native datatype size instead of the wire protocol size causing
the check to always fail.

Also fix the size calculation for the header (size). It is 2 x CARD16 for both types
despite the unused `CARD16` for `XimType_XIMStyles`.

[1] https://www.x.org/releases/X11R7.6/doc/libX11/specs/XIM/xim.html#Input_Method_Styles

This fixes a regression caused by 388b303c in 1.6.10.

Fix #116
parent 9949364e
......@@ -265,7 +265,7 @@ _XimAttributeToValue(
if (num > (USHRT_MAX / sizeof(XIMStyle)))
return False;
if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
if (alloc_len < sizeof(XIMStyles))
......@@ -379,7 +379,7 @@ _XimAttributeToValue(
if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
return False;
if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
return False;
alloc_len = sizeof(XIMHotKeyTriggers)
+ sizeof(XIMHotKeyTrigger) * num;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment