From 6ca1ea376c7c6c9dc719d607b7684d87bcf96712 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Wed, 7 Sep 2022 11:33:13 -0700
Subject: IceGetHeaderExtra: only include extra space in outbufptr if there's room

If there's not room for it in the buffer, we already set pData to NULL, but still set the outbufptr to include the space, which could lead to IceFlush() reading past the end of the buffer.

Signed-off-by: Alan Coopersmith
---
 include/X11/ICE/ICEmsg.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'include/X11')

diff --git a/include/X11/ICE/ICEmsg.h b/include/X11/ICE/ICEmsg.h
index 17e36a6..9688e3c 100644
--- a/include/X11/ICE/ICEmsg.h
+++ b/include/X11/ICE/ICEmsg.h
@@ -137,15 +137,16 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc (
 _headerSize + ((_extra) << 3)) > _iceConn->outbufmax) \
 IceFlush (_iceConn); \
 _pMsg = (_msgType *) _iceConn->outbufptr; \
- if ((_iceConn->outbufptr + \
- _headerSize + ((_extra) << 3)) <= _iceConn->outbufmax) \
- _pData = (char *) _pMsg + _headerSize; \
+ _iceConn->outbufptr += _headerSize; \
+ if ((_iceConn->outbufptr + ((_extra) << 3)) <= _iceConn->outbufmax) { \
+ _pData = _iceConn->outbufptr; \
+ _iceConn->outbufptr += ((_extra) << 3); \
+ } \
 else \
 _pData = NULL; \
 _pMsg->majorOpcode = _major; \
 _pMsg->minorOpcode = _minor; \
 _pMsg->length = ((_headerSize - SIZEOF (iceMsg)) >> 3) + (_extra); \
- _iceConn->outbufptr += (_headerSize + ((_extra) << 3)); \
 _iceConn->send_sequence++

 #define IceSimpleMessage(_iceConn, _major, _minor) \
-- 
cgit v1.2.3
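Review bot: The new bounds test `if ((_iceConn->outbufptr + ((_extra) << 3)) <= _iceConn->outbufmax) {` still computes a pointer that can land beyond the end of the output buffer when `_extra` is large, which is undefined behaviour in C and may wrap so that the test passes; the unchanged pre-flush test ending on the hunk's first context line appears to have the same shape. Comparing lengths rather than pointers avoids that: `if (((size_t)(_extra) << 3) <= (size_t)(_iceConn->outbufmax - _iceConn->outbufptr)) {`, assuming outbufptr never exceeds outbufmax once the header size has been added. It is also worth a comment on the `else` branch that `_pMsg->length` still counts `_extra` when `_pData` is NULL, so the caller has to send the extra data itself. The macro (presumably IceGetHeaderExtra, per the subject line) begins above the hunk, so its parameter list is not visible here.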