diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-01 23:58:39 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-23 08:13:25 -0700 |
commit | 59b8e1388a687f871831ac5a9e0ac11de75e2516 (patch) | |
tree | d2da4d43b4914089efdde02ace9613b41a937427 | |
parent | 5d43d4914dcabb6de69859567061e99300e56ef4 (diff) |
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | src/XGMotion.c | 2 | ||||
-rw-r--r-- | src/XGetDCtl.c | 2 | ||||
-rw-r--r-- | src/XGetDProp.c | 5 | ||||
-rw-r--r-- | src/XGetFCtl.c | 2 | ||||
-rw-r--r-- | src/XGetKMap.c | 2 | ||||
-rw-r--r-- | src/XGetMMap.c | 2 | ||||
-rw-r--r-- | src/XGetProp.c | 4 | ||||
-rw-r--r-- | src/XGtSelect.c | 2 | ||||
-rw-r--r-- | src/XIProperties.c | 7 | ||||
-rw-r--r-- | src/XIint.h | 14 | ||||
-rw-r--r-- | src/XListDProp.c | 2 | ||||
-rw-r--r-- | src/XListDev.c | 2 | ||||
-rw-r--r-- | src/XOpenDev.c | 2 | ||||
-rw-r--r-- | src/XQueryDv.c | 2 |
15 files changed, 36 insertions, 20 deletions
diff --git a/configure.ac b/configure.ac index 8dbca38..f5ef1e2 100644 --- a/configure.ac +++ b/configure.ac @@ -31,6 +31,12 @@ PKG_CHECK_MODULES(XI, [xproto >= 7.0.13] [x11 >= 1.4.99.1] [xextproto >= 7.0.3] # CFLAGS only for PointerBarrier typedef PKG_CHECK_MODULES(XFIXES, [xfixes >= 5]) +# Check for _XEatDataWords function that may be patched into older Xlib releases +SAVE_LIBS="$LIBS" +LIBS="$XI_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + # Check for xmlto and asciidoc for man page conversion # (only needed by people building tarballs) if test "$have_xmlto" = yes && test "$have_asciidoc" = yes; then diff --git a/src/XGMotion.c b/src/XGMotion.c index 99b1c44..5feac85 100644 --- a/src/XGMotion.c +++ b/src/XGMotion.c @@ -112,7 +112,7 @@ XGetDeviceMotionEvents( Xfree(bufp); Xfree(savp); *nEvents = 0; - _XEatData(dpy, (unsigned long)size); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (NULL); diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c index c66212d..f73a4e8 100644 --- a/src/XGetDCtl.c +++ b/src/XGetDCtl.c @@ -95,7 +95,7 @@ XGetDeviceControl( nbytes = (long)rep.length << 2; d = (xDeviceState *) Xmalloc((unsigned)nbytes); if (!d) { - _XEatData(dpy, (unsigned long)nbytes); + _XEatDataWords(dpy, rep.length); goto out; } sav = d; diff --git a/src/XGetDProp.c b/src/XGetDProp.c index 5d44f91..f9e8f0c 100644 --- a/src/XGetDProp.c +++ b/src/XGetDProp.c @@ -112,14 +112,13 @@ XGetDeviceProperty(Display* dpy, XDevice* dev, * This part of the code should never be reached. If it is, * the server sent back a property with an invalid format. */ - nbytes = rep.length << 2; - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return(BadImplementation); } if (! *prop) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return(BadAlloc); diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c index 43afa00..28fab4d 100644 --- a/src/XGetFCtl.c +++ b/src/XGetFCtl.c @@ -95,7 +95,7 @@ XGetFeedbackControl( nbytes = (long)rep.length << 2; f = (xFeedbackState *) Xmalloc((unsigned)nbytes); if (!f) { - _XEatData(dpy, (unsigned long)nbytes); + _XEatDataWords(dpy, rep.length); goto out; } sav = f; diff --git a/src/XGetKMap.c b/src/XGetKMap.c index 9431fbb..00dde06 100644 --- a/src/XGetKMap.c +++ b/src/XGetKMap.c @@ -99,7 +99,7 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev, if (mapping) _XRead(dpy, (char *)mapping, nbytes); else - _XEatData(dpy, (unsigned long)nbytes); + _XEatDataWords(dpy, rep.length); } UnlockDisplay(dpy); diff --git a/src/XGetMMap.c b/src/XGetMMap.c index 8a1cdb2..ce10c2d 100644 --- a/src/XGetMMap.c +++ b/src/XGetMMap.c @@ -92,7 +92,7 @@ XGetDeviceModifierMapping( if (res->modifiermap) _XReadPad(dpy, (char *)res->modifiermap, nbytes); else - _XEatData(dpy, (unsigned long)nbytes); + _XEatDataWords(dpy, rep.length); res->max_keypermod = rep.numKeyPerModifier; } diff --git a/src/XGetProp.c b/src/XGetProp.c index c5d088b..34bc581 100644 --- a/src/XGetProp.c +++ b/src/XGetProp.c @@ -68,7 +68,6 @@ XGetDeviceDontPropagateList( int *count) { XEventClass *list = NULL; - int rlen; xGetDeviceDontPropagateListReq *req; xGetDeviceDontPropagateListReply rep; XExtDisplayInfo *info = XInput_find_display(dpy); @@ -90,7 +89,6 @@ XGetDeviceDontPropagateList( *count = rep.count; if (*count) { - rlen = rep.length << 2; list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); if (list) { int i; @@ -105,7 +103,7 @@ XGetDeviceDontPropagateList( list[i] = (XEventClass) ec; } } else - _XEatData(dpy, (unsigned long)rlen); + _XEatDataWords(dpy, rep.length); } UnlockDisplay(dpy); diff --git a/src/XGtSelect.c b/src/XGtSelect.c index f890db7..5c0f812 100644 --- a/src/XGtSelect.c +++ b/src/XGtSelect.c @@ -104,7 +104,7 @@ XGetSelectedExtensionEvents( (XEventClass *) Xmalloc(*this_client_count * sizeof(XEventClass)); if (!*this_client_list) { - _XEatData(dpy, (unsigned long)tlen + alen); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (Success); diff --git a/src/XIProperties.c b/src/XIProperties.c index 83a7a68..5e58fb6 100644 --- a/src/XIProperties.c +++ b/src/XIProperties.c @@ -64,7 +64,7 @@ XIListProperties(Display* dpy, int deviceid, int *num_props_return) props = (Atom*)Xmalloc(rep.num_properties * sizeof(Atom)); if (!props) { - _XEatData(dpy, rep.num_properties << 2); + _XEatDataWords(dpy, rep.length); goto cleanup; } @@ -203,8 +203,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, * This part of the code should never be reached. If it is, * the server sent back a property with an invalid format. */ - nbytes = rep.length << 2; - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return(BadImplementation); @@ -222,7 +221,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset, *data = Xmalloc(rbytes); if (!(*data)) { - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return(BadAlloc); diff --git a/src/XIint.h b/src/XIint.h index 571bb23..3ddc3c5 100644 --- a/src/XIint.h +++ b/src/XIint.h @@ -83,4 +83,18 @@ next_block(void **ptr, int size) { return ret; } +#ifndef HAVE__XEATDATAWORDS +#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ +#include <limits.h> + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif + #endif diff --git a/src/XListDProp.c b/src/XListDProp.c index 8667350..bde6cb5 100644 --- a/src/XListDProp.c +++ b/src/XListDProp.c @@ -65,7 +65,7 @@ XListDeviceProperties(Display* dpy, XDevice* dev, int *nprops_return) props = (Atom*)Xmalloc(rep.nAtoms * sizeof(Atom)); if (!props) { - _XEatData(dpy, rep.nAtoms << 2); + _XEatDataWords(dpy, rep.length); goto cleanup; } diff --git a/src/XListDev.c b/src/XListDev.c index bd6e70a..1fa4747 100644 --- a/src/XListDev.c +++ b/src/XListDev.c @@ -202,7 +202,7 @@ XListInputDevices( list = (xDeviceInfo *) Xmalloc(rlen); slist = list; if (!slist) { - _XEatData(dpy, (unsigned long)rlen); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (XDeviceInfo *) NULL; diff --git a/src/XOpenDev.c b/src/XOpenDev.c index 74f18ac..e784f8b 100644 --- a/src/XOpenDev.c +++ b/src/XOpenDev.c @@ -101,7 +101,7 @@ XOpenDevice( if (rlen - dlen > 0) _XEatData(dpy, (unsigned long)rlen - dlen); } else - _XEatData(dpy, (unsigned long)rlen); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); diff --git a/src/XQueryDv.c b/src/XQueryDv.c index 24d4e4e..69c285b 100644 --- a/src/XQueryDv.c +++ b/src/XQueryDv.c @@ -91,7 +91,7 @@ XQueryDeviceState( if (rlen > 0) { data = Xmalloc(rlen); if (!data) { - _XEatData(dpy, (unsigned long)rlen); + _XEatDataWords(dpy, rep.length); goto out; } _XRead(dpy, data, rlen); |