| Age | Commit message (Collapse) | Author |
|---|
|
By validating length fields from server responses, out of boundary
accesses and endless loops can be mitigated.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Several functions were returning NoSuchExtension casted to a pointer in case of
an error. Often in parallel with returning NULL in case of another error. It is
undocumented and certainly wrong.
Signed-off-by: Michal Srb <msrb@suse.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the number of events or axes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
|
|
Thre are still two remaining compiler warnings, because of non matching
function prototypes and function pointer arguments prototypes:
src/XSndExEv.c:XSendExtensionEvent()
variable register Status(**fp) (Display *, XEvent*, xEvent **, int *)
doesn't match struct _XDisplay's:
Status (*wire_vec[128])( /* vector for event to wire */
Display * /* dpy */,
XEvent * /* re */,
xEvent * /* event */
);
and
src/XExtInt.c:xinput_extension_hooks field event_to_wire of type
XExtensionHooks that has the prototype Status (*event_to_wire)(
Display* /* display */,
XEvent* /* re */,
xEvent* /* event */
);
does not match Status
_XiEventToWire(
register Display *dpy, /* pointer to display structure */
register XEvent *re, /* pointer to client event */
register xEvent **event, /* wire protocol event */
register int *count);
Signed-off-by: Peter Hutterer <peter@cs.unisa.edu.au>
|
|
If either bufp or savp failed to malloc, we returned without freeing the other.
|
|
held.
All callers of _XiCheckExtInit have already called XInput_find_display
first outside the lock, so just pass their copy of the XExtDisplayInfo
structure down. Besides being more correct, this should be slightly
faster. :-)
Thanks to Magnus Kessler <Magnus.Kessler@gmx.net> for identifying
the bug and proposing a workaround.
|
|
Another brief run with indent.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
