summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-01 23:58:39 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-23 08:13:25 -0700
commit59b8e1388a687f871831ac5a9e0ac11de75e2516 (patch)
treed2da4d43b4914089efdde02ace9613b41a937427
parent5d43d4914dcabb6de69859567061e99300e56ef4 (diff)
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r--configure.ac6
-rw-r--r--src/XGMotion.c2
-rw-r--r--src/XGetDCtl.c2
-rw-r--r--src/XGetDProp.c5
-rw-r--r--src/XGetFCtl.c2
-rw-r--r--src/XGetKMap.c2
-rw-r--r--src/XGetMMap.c2
-rw-r--r--src/XGetProp.c4
-rw-r--r--src/XGtSelect.c2
-rw-r--r--src/XIProperties.c7
-rw-r--r--src/XIint.h14
-rw-r--r--src/XListDProp.c2
-rw-r--r--src/XListDev.c2
-rw-r--r--src/XOpenDev.c2
-rw-r--r--src/XQueryDv.c2
15 files changed, 36 insertions, 20 deletions
diff --git a/configure.ac b/configure.ac
index 8dbca38..f5ef1e2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -31,6 +31,12 @@ PKG_CHECK_MODULES(XI, [xproto >= 7.0.13] [x11 >= 1.4.99.1] [xextproto >= 7.0.3]
# CFLAGS only for PointerBarrier typedef
PKG_CHECK_MODULES(XFIXES, [xfixes >= 5])
+# Check for _XEatDataWords function that may be patched into older Xlib releases
+SAVE_LIBS="$LIBS"
+LIBS="$XI_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Check for xmlto and asciidoc for man page conversion
# (only needed by people building tarballs)
if test "$have_xmlto" = yes && test "$have_asciidoc" = yes; then
diff --git a/src/XGMotion.c b/src/XGMotion.c
index 99b1c44..5feac85 100644
--- a/src/XGMotion.c
+++ b/src/XGMotion.c
@@ -112,7 +112,7 @@ XGetDeviceMotionEvents(
Xfree(bufp);
Xfree(savp);
*nEvents = 0;
- _XEatData(dpy, (unsigned long)size);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (NULL);
diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
index c66212d..f73a4e8 100644
--- a/src/XGetDCtl.c
+++ b/src/XGetDCtl.c
@@ -95,7 +95,7 @@ XGetDeviceControl(
nbytes = (long)rep.length << 2;
d = (xDeviceState *) Xmalloc((unsigned)nbytes);
if (!d) {
- _XEatData(dpy, (unsigned long)nbytes);
+ _XEatDataWords(dpy, rep.length);
goto out;
}
sav = d;
diff --git a/src/XGetDProp.c b/src/XGetDProp.c
index 5d44f91..f9e8f0c 100644
--- a/src/XGetDProp.c
+++ b/src/XGetDProp.c
@@ -112,14 +112,13 @@ XGetDeviceProperty(Display* dpy, XDevice* dev,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
index 43afa00..28fab4d 100644
--- a/src/XGetFCtl.c
+++ b/src/XGetFCtl.c
@@ -95,7 +95,7 @@ XGetFeedbackControl(
nbytes = (long)rep.length << 2;
f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
if (!f) {
- _XEatData(dpy, (unsigned long)nbytes);
+ _XEatDataWords(dpy, rep.length);
goto out;
}
sav = f;
diff --git a/src/XGetKMap.c b/src/XGetKMap.c
index 9431fbb..00dde06 100644
--- a/src/XGetKMap.c
+++ b/src/XGetKMap.c
@@ -99,7 +99,7 @@ XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
if (mapping)
_XRead(dpy, (char *)mapping, nbytes);
else
- _XEatData(dpy, (unsigned long)nbytes);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);
diff --git a/src/XGetMMap.c b/src/XGetMMap.c
index 8a1cdb2..ce10c2d 100644
--- a/src/XGetMMap.c
+++ b/src/XGetMMap.c
@@ -92,7 +92,7 @@ XGetDeviceModifierMapping(
if (res->modifiermap)
_XReadPad(dpy, (char *)res->modifiermap, nbytes);
else
- _XEatData(dpy, (unsigned long)nbytes);
+ _XEatDataWords(dpy, rep.length);
res->max_keypermod = rep.numKeyPerModifier;
}
diff --git a/src/XGetProp.c b/src/XGetProp.c
index c5d088b..34bc581 100644
--- a/src/XGetProp.c
+++ b/src/XGetProp.c
@@ -68,7 +68,6 @@ XGetDeviceDontPropagateList(
int *count)
{
XEventClass *list = NULL;
- int rlen;
xGetDeviceDontPropagateListReq *req;
xGetDeviceDontPropagateListReply rep;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -90,7 +89,6 @@ XGetDeviceDontPropagateList(
*count = rep.count;
if (*count) {
- rlen = rep.length << 2;
list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
if (list) {
int i;
@@ -105,7 +103,7 @@ XGetDeviceDontPropagateList(
list[i] = (XEventClass) ec;
}
} else
- _XEatData(dpy, (unsigned long)rlen);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);
diff --git a/src/XGtSelect.c b/src/XGtSelect.c
index f890db7..5c0f812 100644
--- a/src/XGtSelect.c
+++ b/src/XGtSelect.c
@@ -104,7 +104,7 @@ XGetSelectedExtensionEvents(
(XEventClass *) Xmalloc(*this_client_count *
sizeof(XEventClass));
if (!*this_client_list) {
- _XEatData(dpy, (unsigned long)tlen + alen);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (Success);
diff --git a/src/XIProperties.c b/src/XIProperties.c
index 83a7a68..5e58fb6 100644
--- a/src/XIProperties.c
+++ b/src/XIProperties.c
@@ -64,7 +64,7 @@ XIListProperties(Display* dpy, int deviceid, int *num_props_return)
props = (Atom*)Xmalloc(rep.num_properties * sizeof(Atom));
if (!props)
{
- _XEatData(dpy, rep.num_properties << 2);
+ _XEatDataWords(dpy, rep.length);
goto cleanup;
}
@@ -203,8 +203,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
@@ -222,7 +221,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
*data = Xmalloc(rbytes);
if (!(*data)) {
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
diff --git a/src/XIint.h b/src/XIint.h
index 571bb23..3ddc3c5 100644
--- a/src/XIint.h
+++ b/src/XIint.h
@@ -83,4 +83,18 @@ next_block(void **ptr, int size) {
return ret;
}
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
+
#endif
diff --git a/src/XListDProp.c b/src/XListDProp.c
index 8667350..bde6cb5 100644
--- a/src/XListDProp.c
+++ b/src/XListDProp.c
@@ -65,7 +65,7 @@ XListDeviceProperties(Display* dpy, XDevice* dev, int *nprops_return)
props = (Atom*)Xmalloc(rep.nAtoms * sizeof(Atom));
if (!props)
{
- _XEatData(dpy, rep.nAtoms << 2);
+ _XEatDataWords(dpy, rep.length);
goto cleanup;
}
diff --git a/src/XListDev.c b/src/XListDev.c
index bd6e70a..1fa4747 100644
--- a/src/XListDev.c
+++ b/src/XListDev.c
@@ -202,7 +202,7 @@ XListInputDevices(
list = (xDeviceInfo *) Xmalloc(rlen);
slist = list;
if (!slist) {
- _XEatData(dpy, (unsigned long)rlen);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (XDeviceInfo *) NULL;
diff --git a/src/XOpenDev.c b/src/XOpenDev.c
index 74f18ac..e784f8b 100644
--- a/src/XOpenDev.c
+++ b/src/XOpenDev.c
@@ -101,7 +101,7 @@ XOpenDevice(
if (rlen - dlen > 0)
_XEatData(dpy, (unsigned long)rlen - dlen);
} else
- _XEatData(dpy, (unsigned long)rlen);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
diff --git a/src/XQueryDv.c b/src/XQueryDv.c
index 24d4e4e..69c285b 100644
--- a/src/XQueryDv.c
+++ b/src/XQueryDv.c
@@ -91,7 +91,7 @@ XQueryDeviceState(
if (rlen > 0) {
data = Xmalloc(rlen);
if (!data) {
- _XEatData(dpy, (unsigned long)rlen);
+ _XEatDataWords(dpy, rep.length);
goto out;
}
_XRead(dpy, data, rlen);