Commit 24d3ee0d authored by Thomas Klausner's avatar Thomas Klausner Committed by Alan Coopersmith

Tighten out-of-range comparisons.

[For all of these, LONG_MAX was the correct value to prevent overflows
 for the recent CVEs.   Lowering to INT_MAX catches buggy replies from
 the server that 32-bit clients would reject but 64-bit would accept,
 so we catch bugs sooner, and really, no sane & working server should
 ever report more than 2gb of extension names, font path entries,
 key modifier maps, etc.  -alan- ]
Reviewed-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
parent 6d926088
......@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
if (rep.nFonts) {
flist = Xmalloc (rep.nFonts * sizeof(char *));
if (rep.length < (LONG_MAX >> 2)) {
if (rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
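Review bot: The shift in `rlen = rep.length << 2;` is written without a widening cast, here and in the XListExtensions hunk, while the XGetFontPath and XGetModifierMapping hunks use `(unsigned long) rep.length << 2`. With the new `INT_MAX >> 2` bound the result fits either way, but the uncast form is safe only because of that bound. If rep.length is a 32-bit field (its declaration is not in the hunk), the shift would wrap again should the limit ever be raised. Writing `rlen = (unsigned long) rep.length << 2;` in both places makes the four sites agree and removes that dependency. The declaration of rlen and the rest of the function are outside the hunk.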
......
......@@ -50,7 +50,7 @@ char **XGetFontPath(
if (rep.nPaths) {
flist = Xmalloc(rep.nPaths * sizeof (char *));
if (rep.length < (LONG_MAX >> 2)) {
if (rep.length < (INT_MAX >> 2)) {
nbytes = (unsigned long) rep.length << 2;
ch = Xmalloc (nbytes + 1);
/* +1 to leave room for last null-terminator */
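Review bot: The `rep.length < (INT_MAX >> 2)` test guards only the arithmetic in `nbytes + 1`; it still lets the server's reply drive an allocation of close to 2 GB, and nothing in the visible lines relates rep.length to rep.nPaths. A comment above the check would record that limit of the guard, for example `/* overflow guard only; entry lengths must still be checked against nbytes when unpacking */`. The unpacking code is outside the hunk, so whether it already bounds each entry cannot be confirmed from here. The same comment fits the XListFonts and XListExtensions hunks.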
......
......@@ -55,7 +55,7 @@ char **XListExtensions(
if (rep.nExtensions) {
list = Xmalloc (rep.nExtensions * sizeof (char *));
if (rep.length < (LONG_MAX >> 2)) {
if (rep.length < (INT_MAX >> 2)) {
rlen = rep.length << 2;
ch = Xmalloc (rlen + 1);
/* +1 to leave room for last null-terminator */
......
......@@ -42,7 +42,7 @@ XGetModifierMapping(register Display *dpy)
GetEmptyReq(GetModifierMapping, req);
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
if (rep.length < (LONG_MAX >> 2)) {
if (rep.length < (INT_MAX >> 2)) {
nbytes = (unsigned long)rep.length << 2;
res = Xmalloc(sizeof (XModifierKeymap));
if (res)
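Review bot: The result of `_XReply` is discarded by the `(void)` cast on the line above the changed check, so on a failed reply `rep.length` is tested and shifted with no guarantee that rep was filled in. The tightened bound narrows what a bad value can do, but it does not make the value meaningful. Checking the call, `if (!_XReply (dpy, (xReply *)&rep, 0, xFalse))`, and leaving through the function's existing failure path would close that. The declaration of rep and the cleanup code are outside the hunk, so the exact exit sequence has to be taken from the full function.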
......