IceGetHeaderExtra: only include extra space in outbufptr if there's room

If there's not room for it in the buffer, we already set pData to
NULL, but still set the outbufptr to include the space, which could
lead to IceFlush() reading past the end of the buffer.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

1 files changed, 5 insertions, 4 deletions

diff --git a/include/X11/ICE/ICEmsg.h b/include/X11/ICE/ICEmsg.h
index 17e36a6..9688e3c 100644
--- a/include/X11/ICE/ICEmsg.h
+++ b/include/X11/ICE/ICEmsg.h
@@ -137,15 +137,16 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc (
 	_headerSize + ((_extra) << 3)) > _iceConn->outbufmax) \
         IceFlush (_iceConn); \
     _pMsg = (_msgType *) _iceConn->outbufptr; \
-    if ((_iceConn->outbufptr + \
-	_headerSize + ((_extra) << 3)) <= _iceConn->outbufmax) \
-        _pData = (char *) _pMsg + _headerSize; \
+    _iceConn->outbufptr += _headerSize; \
+    if ((_iceConn->outbufptr + ((_extra) << 3)) <= _iceConn->outbufmax) { \
+        _pData = _iceConn->outbufptr; \
+        _iceConn->outbufptr += ((_extra) << 3); \
+    } \
     else \
         _pData = NULL; \
     _pMsg->majorOpcode = _major; \
     _pMsg->minorOpcode = _minor; \
     _pMsg->length = ((_headerSize - SIZEOF (iceMsg)) >> 3) + (_extra); \
-    _iceConn->outbufptr += (_headerSize + ((_extra) << 3)); \
     _iceConn->send_sequence++
 
 #define IceSimpleMessage(_iceConn, _major, _minor) \