Commit 1c7ad677 authored by Alan Coopersmith's avatar Alan Coopersmith

Use _XEatDataWords to avoid overflow of rep.length bit shifting

rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
parent 99a63d10
......@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION)
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto)
# Check for _XEatDataWords function that may be patched into older Xlib release
SAVE_LIBS="$LIBS"
LIBS="$RANDR_LIBS"
AC_CHECK_FUNCS([_XEatDataWords])
LIBS="$SAVE_LIBS"
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
......
......@@ -42,6 +42,19 @@ extern char XRRExtensionName[];
XExtDisplayInfo *XRRFindDisplay (Display *dpy);
#ifndef HAVE__XEATDATAWORDS
#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
#include <limits.h>
static inline void _XEatDataWords(Display *dpy, unsigned long n)
{
# ifndef LONG64
if (n >= (ULONG_MAX >> 2))
_XIOError(dpy);
# endif
_XEatData (dpy, n << 2);
}
#endif
/* deliberately opaque internal data structure; can be extended,
but not reordered */
......
......@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
xci = (XRRCrtcInfo *) Xmalloc(rbytes);
if (xci == NULL) {
_XEatData (dpy, (unsigned long) nbytes);
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
if (!crtc_gamma)
{
_XEatData (dpy, (unsigned long) nbytes);
_XEatDataWords (dpy, rep.length);
goto out;
}
_XRead16 (dpy, crtc_gamma->red, rep.size * 2);
......@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy,
int extraBytes = rep.length * 4 - CrtcTransformExtra;
extra = Xmalloc (extraBytes);
if (!extra) {
_XEatData (dpy, extraBytes);
_XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return False;
......
......@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
xoi = (XRROutputInfo *) Xmalloc(rbytes);
if (xoi == NULL) {
_XEatData (dpy, (unsigned long) nbytes);
_XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......
......@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
props = (Atom *) Xmalloc (rbytes);
if (props == NULL) {
_XEatData (dpy, nbytes);
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
*nprop = 0;
......@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
_XEatData (dpy, nbytes);
_XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
nbytes = rep.length << 2;
_XEatData(dpy, (unsigned long) nbytes);
_XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
}
if (! *prop) {
_XEatData(dpy, (unsigned long) nbytes);
_XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
......
......@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window)
xrpr = (XRRProviderResources *) Xmalloc(rbytes);
if (xrpr == NULL) {
_XEatData (dpy, (unsigned long) nbytes);
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
xpi = (XRRProviderInfo *)Xmalloc(rbytes);
if (xpi == NULL) {
_XEatData (dpy, (unsigned long) nbytes);
_XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......
......@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
props = (Atom *) Xmalloc (rbytes);
if (props == NULL) {
_XEatData (dpy, nbytes);
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
*nprop = 0;
......@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
_XEatData (dpy, nbytes);
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......@@ -313,14 +313,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
nbytes = rep.length << 2;
_XEatData(dpy, (unsigned long) nbytes);
_XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
}
if (! *prop) {
_XEatData(dpy, (unsigned long) nbytes);
_XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
......
......@@ -129,7 +129,7 @@ doGetScreenResources (Display *dpy, Window window, int poll)
if (xrsr == NULL || wire_names == NULL) {
if (xrsr) Xfree (xrsr);
if (wire_names) Xfree (wire_names);
_XEatData (dpy, (unsigned long) nbytes);
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment