diff options
-rw-r--r-- | src/Cursor.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/src/Cursor.c b/src/Cursor.c index 641b747..33590b7 100644 --- a/src/Cursor.c +++ b/src/Cursor.c @@ -47,6 +47,7 @@ #include <config.h> #endif #include "Xfixesint.h" +#include <limits.h> void XFixesSelectCursorInput (Display *dpy, @@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy) XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy); xXFixesGetCursorImageAndNameReq *req; xXFixesGetCursorImageAndNameReply rep; - int npixels; - int nbytes_name; - int nbytes, nread, rlength; + size_t npixels; + size_t nbytes_name; + size_t nbytes, nread, rlength; XFixesCursorImage *image; char *name; @@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy) } npixels = rep.width * rep.height; nbytes_name = rep.nbytes; - /* reply data length */ - nbytes = (long) rep.length << 2; - /* bytes of actual data in the reply */ - nread = (npixels << 2) + nbytes_name; - /* size of data returned to application */ - rlength = (sizeof (XFixesCursorImage) + - npixels * sizeof (unsigned long) + - nbytes_name + 1); + if ((rep.length < (INT_MAX >> 2)) && + npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1) + - nbytes_name)) { + /* reply data length */ + nbytes = (size_t) rep.length << 2; + /* bytes of actual data in the reply */ + nread = (npixels << 2) + nbytes_name; + /* size of data returned to application */ + rlength = (sizeof (XFixesCursorImage) + + npixels * sizeof (unsigned long) + + nbytes_name + 1); - image = (XFixesCursorImage *) Xmalloc (rlength); + image = Xmalloc (rlength); + } else + image = NULL; if (!image) { _XEatDataWords(dpy, rep.length); |