| Age | Commit message (Collapse) | Author |
|---|
|
By validating length fields from server responses, out of boundary
accesses and endless loops can be mitigated.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Several functions were returning NoSuchExtension casted to a pointer in case of
an error. Often in parallel with returning NULL in case of another error. It is
undocumented and certainly wrong.
Signed-off-by: Michal Srb <msrb@suse.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
If the lengths given for each class state in the reply add up to more
than the rep.length, we could read past the end of the buffer allocated
to hold the data read from the server.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
This reduces code duplication and fixes possible leak of data. data would
leak if allocation of state fails.
Signed-off-by: Pauli Nieminen <ext-pauli.nieminen@nokia.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
The length is suppposed to be the complete class size, not just the struct
size. Since XValuatorState is followed by multiple valuator values the
size of the class is variable and dependent on the number of valuators.
The server assembles the valuator state last. This bug is unlikely to affect
clients as they should never go past the last class anyway.
Tested-by: Thomas Jaeger
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
Thre are still two remaining compiler warnings, because of non matching
function prototypes and function pointer arguments prototypes:
src/XSndExEv.c:XSendExtensionEvent()
variable register Status(**fp) (Display *, XEvent*, xEvent **, int *)
doesn't match struct _XDisplay's:
Status (*wire_vec[128])( /* vector for event to wire */
Display * /* dpy */,
XEvent * /* re */,
xEvent * /* event */
);
and
src/XExtInt.c:xinput_extension_hooks field event_to_wire of type
XExtensionHooks that has the prototype Status (*event_to_wire)(
Display* /* display */,
XEvent* /* re */,
xEvent* /* event */
);
does not match Status
_XiEventToWire(
register Display *dpy, /* pointer to display structure */
register XEvent *re, /* pointer to client event */
register xEvent **event, /* wire protocol event */
register int *count);
Signed-off-by: Peter Hutterer <peter@cs.unisa.edu.au>
|
|
held.
All callers of _XiCheckExtInit have already called XInput_find_display
first outside the lock, so just pass their copy of the XExtDisplayInfo
structure down. Besides being more correct, this should be slightly
faster. :-)
Thanks to Magnus Kessler <Magnus.Kessler@gmx.net> for identifying
the bug and proposing a workaround.
|
|
Another brief run with indent.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
