authorMatthieu Herrb <matthieu@cvs.openbsd.org>2018-10-20 19:25:33 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2018-10-20 19:25:33 +0000
commit25503efe878996f9c94dae5ee9f22558360c9768 (patch)
tree1550824938b30b0dd036a279c297b5561dd57d57 /lib
parent878d8c2b0f5313616f4535c32605c2b297e5187b (diff)
Update to libSM 1.2.3
Diffstat (limited to 'lib')
-rw-r--r--lib/libSM/ChangeLog136
-rw-r--r--lib/libSM/aclocal.m464
-rw-r--r--lib/libSM/compile2
-rw-r--r--lib/libSM/configure99
-rw-r--r--lib/libSM/configure.ac2
-rw-r--r--lib/libSM/doc/SMlib.xml4
-rw-r--r--lib/libSM/src/Makefile.am3
-rw-r--r--lib/libSM/src/Makefile.in5
-rw-r--r--lib/libSM/src/SMlibint.h74
-rw-r--r--lib/libSM/src/sm_genid.c1
-rw-r--r--lib/libSM/src/sm_process.c318
11 files changed, 490 insertions, 218 deletions
diff --git a/lib/libSM/ChangeLog b/lib/libSM/ChangeLog
index f9aca97b1..45b1ffb3a 100644
--- a/lib/libSM/ChangeLog
+++ b/lib/libSM/ChangeLog
@@ -1,3 +1,139 @@
+commit a52c79544fcd6b5e2242b9122dfaa34be07aebb2
+Author: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun Sep 30 11:03:41 2018 +0200
+
+ libSM 1.2.3
+
+ Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit d86106f2369ecf81155decaa360f9162c0c3cd53
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Wed Aug 15 21:21:09 2018 +0200
+
+ Fixed out ouf boundary accesses.
+
+ Out of boundary accesses can occur while processing messages. This
+ affects clients and the session server.
+
+ Generally, the code tries to prevent out of boundary accesses. It
+ initially "skips" over the memory areas by parsing supplied lengths.
+ Then, it checks if it skipped over the memory boundary. If not, then
+ data is actually read and memory allocated, etc.
+
+ The problem is that while initially skipping over the memory,
+ subsequent lengths are already parsed, i.e. accessed. This results in
+ out of boundary reads on hostile messages.
+
+ Lengths could also overflow on 32 bit systems, leading to out of
+ boundary writes if not enough bytes have been allocated.
+
+ Authentication is handled by libICE, which is not affected, because the
+ macros for skipping already take care about memory boundaries.
+
+ Therefore, this flaw can only be used by authenticated clients or by
+ hostile servers (which could simply accept every MIT cookie). Most
+ session managers only use Unix sockets, so in many cases it takes a
+ local authenticated user.
+
+ In order to fix this, I decided to move the macros from SMlibint.h to
+ its only callers in sm_process.c, turning them into functions for much
+ easier error handling and readability.
+
+ Instead of skipping over the memory, validation happens during actual
+ read and memory allocation operations, as it's rather unlikely to
+ encounter hostile code anyway, i.e. my code has more error cleanup
+ handling in it.
+
+ Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+ Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+commit 75ffafb4e04661fb890a9e8088b743cb077050a6
+Author: Fab <netbox253@free.fr>
+Date: Sat Oct 7 14:23:52 2017 +0000
+
+ Fix callbacks signatures in libSM documentation
+
+ https://bugs.freedesktop.org/show_bug.cgi?id=103135
+
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit b347e9f8ef3ae027c049741ab5c0c8dac45c9eb2
+Author: Mihail Konev <k.mvc@ya.ru>
+Date: Thu Jan 26 13:52:49 2017 +1000
+
+ autogen: add default patch prefix
+
+ Signed-off-by: Mihail Konev <k.mvc@ya.ru>
+
+commit d34f694e810d11f95cd61e4209cd6e38f70bce58
+Author: Emil Velikov <emil.l.velikov@gmail.com>
+Date: Mon Mar 9 12:00:52 2015 +0000
+
+ autogen.sh: use quoted string variables
+
+ Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
+ fall-outs, when they contain space.
+
+ Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit e27964e499f31f48782a6db7421660a230471b2c
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue Jan 24 10:32:07 2017 +1000
+
+ autogen.sh: use exec instead of waiting for configure to finish
+
+ Syncs the invocation of configure with the one from the server.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+
+commit b64aa0ef375f2df3ce166733fe92429ba43b6145
+Author: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue Oct 20 14:48:52 2015 -0400
+
+ Get rid of strcpy() in the HAVE_UUID_CREATE case
+
+ Even though this use was safe, some linkers produce a warning
+ when strcpy() is used, and this is the only use in libSM.
+
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 0bf5d26d1d55029846514758f2ffd80e816bd9fb
+Author: Matthieu Herrb <matthieu@herrb.eu>
+Date: Tue Oct 20 14:47:50 2015 -0400
+
+ Fix uuid_to_string(3) type
+
+ It should be char *.
+
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+commit 29ea6247434a85934986e7d4fc60862231c5d77d
+Author: Jon TURNEY <jon.turney@dronecode.org.uk>
+Date: Sat Sep 13 19:38:12 2014 +0100
+
+ Include unistd.h for getpid()
+
+ Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
+ Reviewed-by: David Macek <david.macek.0@gmail.com>
+
+commit f2dd6934c38414bc448ee49b47604f135f5487ea
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat Nov 16 19:35:15 2013 -0800
+
+ Stop compiling empty sm_auth.c stub
+
+ File exists as a placeholder in case someone someday decides to add
+ additional auth methods on top of what libICE provides, but it's been
+ two decades and no one has, so stop spending time compiling & linking
+ for now.
+
+ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Reviewed-by: Adam Jackson <ajax@redhat.com>
+
commit 0fd7aa17da41779129a3acfdad28e07c0072a160
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Sep 7 23:05:16 2013 -0700
diff --git a/lib/libSM/aclocal.m4 b/lib/libSM/aclocal.m4
index fe155db4d..88e2462b6 100644
--- a/lib/libSM/aclocal.m4
+++ b/lib/libSM/aclocal.m4
@@ -9829,7 +9829,7 @@ AC_SUBST([am__untar])
dnl xorg-macros.m4. Generated from xorg-macros.m4.in xorgversion.m4 by configure.
dnl
-dnl Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+dnl Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
dnl
dnl Permission is hereby granted, free of charge, to any person obtaining a
dnl copy of this software and associated documentation files (the "Software"),
@@ -9866,7 +9866,7 @@ dnl DEALINGS IN THE SOFTWARE.
# See the "minimum version" comment for each macro you use to see what
# version you require.
m4_defun([XORG_MACROS_VERSION],[
-m4_define([vers_have], [1.19.0])
+m4_define([vers_have], [1.19.2])
m4_define([maj_have], m4_substr(vers_have, 0, m4_index(vers_have, [.])))
m4_define([maj_needed], m4_substr([$1], 0, m4_index([$1], [.])))
m4_if(m4_cmp(maj_have, maj_needed), 0,,
@@ -9944,6 +9944,17 @@ AC_DEFUN([XORG_MANPAGE_SECTIONS],[
AC_REQUIRE([AC_CANONICAL_HOST])
AC_REQUIRE([AC_PROG_SED])
+case $host_os in
+ solaris*)
+ # Solaris 2.0 - 11.3 use SysV man page section numbers, so we
+ # check for a man page file found in later versions that use
+ # traditional section numbers instead
+ AC_CHECK_FILE([/usr/share/man/man7/attributes.7],
+ [SYSV_MAN_SECTIONS=false], [SYSV_MAN_SECTIONS=true])
+ ;;
+ *) SYSV_MAN_SECTIONS=false ;;
+esac
+
if test x$APP_MAN_SUFFIX = x ; then
APP_MAN_SUFFIX=1
fi
@@ -9959,9 +9970,9 @@ if test x$LIB_MAN_DIR = x ; then
fi
if test x$FILE_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) FILE_MAN_SUFFIX=4 ;;
- *) FILE_MAN_SUFFIX=5 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) FILE_MAN_SUFFIX=4 ;;
+ *) FILE_MAN_SUFFIX=5 ;;
esac
fi
if test x$FILE_MAN_DIR = x ; then
@@ -9969,9 +9980,9 @@ if test x$FILE_MAN_DIR = x ; then
fi
if test x$MISC_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) MISC_MAN_SUFFIX=5 ;;
- *) MISC_MAN_SUFFIX=7 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) MISC_MAN_SUFFIX=5 ;;
+ *) MISC_MAN_SUFFIX=7 ;;
esac
fi
if test x$MISC_MAN_DIR = x ; then
@@ -9979,9 +9990,9 @@ if test x$MISC_MAN_DIR = x ; then
fi
if test x$DRIVER_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) DRIVER_MAN_SUFFIX=7 ;;
- *) DRIVER_MAN_SUFFIX=4 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) DRIVER_MAN_SUFFIX=7 ;;
+ *) DRIVER_MAN_SUFFIX=4 ;;
esac
fi
if test x$DRIVER_MAN_DIR = x ; then
@@ -9989,9 +10000,9 @@ if test x$DRIVER_MAN_DIR = x ; then
fi
if test x$ADMIN_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) ADMIN_MAN_SUFFIX=1m ;;
- *) ADMIN_MAN_SUFFIX=8 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) ADMIN_MAN_SUFFIX=1m ;;
+ *) ADMIN_MAN_SUFFIX=8 ;;
esac
fi
if test x$ADMIN_MAN_DIR = x ; then
@@ -10252,13 +10263,24 @@ m4_ifval([$1],
fi])
# Test for the ability of xmlto to generate a text target
+#
+# NOTE: xmlto 0.0.27 or higher return a non-zero return code in the
+# following test for empty XML docbook files.
+# For compatibility reasons use the following empty XML docbook file and if
+# it fails try it again with a non-empty XML file.
have_xmlto_text=no
cat > conftest.xml << "EOF"
EOF
AS_IF([test "$have_xmlto" = yes],
[AS_IF([$XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1],
[have_xmlto_text=yes],
- [AC_MSG_WARN([xmlto cannot generate text format, this format skipped])])])
+ [# Try it again with a non-empty XML file.
+ cat > conftest.xml << "EOF"
+<x></x>
+EOF
+ AS_IF([$XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1],
+ [have_xmlto_text=yes],
+ [AC_MSG_WARN([xmlto cannot generate text format, this format skipped])])])])
rm -f conftest.xml
AM_CONDITIONAL([HAVE_XMLTO_TEXT], [test $have_xmlto_text = yes])
AM_CONDITIONAL([HAVE_XMLTO], [test "$have_xmlto" = yes])
@@ -11654,8 +11676,9 @@ AC_REQUIRE([PKG_PROG_PKG_CONFIG])
macros_datadir=`$PKG_CONFIG --print-errors --variable=pkgdatadir xorg-macros`
INSTALL_CMD="(cp -f "$macros_datadir/INSTALL" \$(top_srcdir)/.INSTALL.tmp && \
mv \$(top_srcdir)/.INSTALL.tmp \$(top_srcdir)/INSTALL) \
-|| (rm -f \$(top_srcdir)/.INSTALL.tmp; touch \$(top_srcdir)/INSTALL; \
-echo 'util-macros \"pkgdatadir\" from xorg-macros.pc not found: installing possibly empty INSTALL.' >&2)"
+|| (rm -f \$(top_srcdir)/.INSTALL.tmp; test -e \$(top_srcdir)/INSTALL || ( \
+touch \$(top_srcdir)/INSTALL; \
+echo 'failed to copy INSTALL from util-macros: installing empty INSTALL.' >&2))"
AC_SUBST([INSTALL_CMD])
]) # XORG_INSTALL
dnl Copyright 2005 Red Hat, Inc
@@ -11716,10 +11739,11 @@ AC_DEFUN([XORG_RELEASE_VERSION],[
#
#
AC_DEFUN([XORG_CHANGELOG], [
-CHANGELOG_CMD="(GIT_DIR=\$(top_srcdir)/.git git log > \$(top_srcdir)/.changelog.tmp && \
+CHANGELOG_CMD="((GIT_DIR=\$(top_srcdir)/.git git log > \$(top_srcdir)/.changelog.tmp) 2>/dev/null && \
mv \$(top_srcdir)/.changelog.tmp \$(top_srcdir)/ChangeLog) \
-|| (rm -f \$(top_srcdir)/.changelog.tmp; touch \$(top_srcdir)/ChangeLog; \
-echo 'git directory not found: installing possibly empty changelog.' >&2)"
+|| (rm -f \$(top_srcdir)/.changelog.tmp; test -e \$(top_srcdir)/ChangeLog || ( \
+touch \$(top_srcdir)/ChangeLog; \
+echo 'git failed to create ChangeLog: installing empty ChangeLog.' >&2))"
AC_SUBST([CHANGELOG_CMD])
]) # XORG_CHANGELOG
diff --git a/lib/libSM/compile b/lib/libSM/compile
index 531136b06..a85b723c7 100644
--- a/lib/libSM/compile
+++ b/lib/libSM/compile
@@ -3,7 +3,7 @@
scriptversion=2012-10-14.11; # UTC
-# Copyright (C) 1999-2013 Free Software Foundation, Inc.
+# Copyright (C) 1999-2014 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
diff --git a/lib/libSM/configure b/lib/libSM/configure
index 88cacdca6..87214149b 100644
--- a/lib/libSM/configure
+++ b/lib/libSM/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libSM 1.2.2.
+# Generated by GNU Autoconf 2.69 for libSM 1.2.3.
#
# Report bugs to <https://bugs.freedesktop.org/enter_bug.cgi?product=xorg>.
#
@@ -651,8 +651,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='libSM'
PACKAGE_TARNAME='libSM'
-PACKAGE_VERSION='1.2.2'
-PACKAGE_STRING='libSM 1.2.2'
+PACKAGE_VERSION='1.2.3'
+PACKAGE_STRING='libSM 1.2.3'
PACKAGE_BUGREPORT='https://bugs.freedesktop.org/enter_bug.cgi?product=xorg'
PACKAGE_URL=''
@@ -1442,7 +1442,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libSM 1.2.2 to adapt to many kinds of systems.
+\`configure' configures libSM 1.2.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1512,7 +1512,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libSM 1.2.2:";;
+ short | recursive ) echo "Configuration of libSM 1.2.3:";;
esac
cat <<\_ACEOF
@@ -1652,7 +1652,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libSM configure 1.2.2
+libSM configure 1.2.3
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2087,7 +2087,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libSM $as_me 1.2.2, which was
+It was created by libSM $as_me 1.2.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2916,7 +2916,7 @@ fi
# Define the identity of the package.
PACKAGE='libSM'
- VERSION='1.2.2'
+ VERSION='1.2.3'
cat >>confdefs.h <<_ACEOF
@@ -17602,10 +17602,11 @@ _ACEOF
-CHANGELOG_CMD="(GIT_DIR=\$(top_srcdir)/.git git log > \$(top_srcdir)/.changelog.tmp && \
+CHANGELOG_CMD="((GIT_DIR=\$(top_srcdir)/.git git log > \$(top_srcdir)/.changelog.tmp) 2>/dev/null && \
mv \$(top_srcdir)/.changelog.tmp \$(top_srcdir)/ChangeLog) \
-|| (rm -f \$(top_srcdir)/.changelog.tmp; touch \$(top_srcdir)/ChangeLog; \
-echo 'git directory not found: installing possibly empty changelog.' >&2)"
+|| (rm -f \$(top_srcdir)/.changelog.tmp; test -e \$(top_srcdir)/ChangeLog || ( \
+touch \$(top_srcdir)/ChangeLog; \
+echo 'git failed to create ChangeLog: installing empty ChangeLog.' >&2))"
@@ -17613,14 +17614,45 @@ echo 'git directory not found: installing possibly empty changelog.' >&2)"
macros_datadir=`$PKG_CONFIG --print-errors --variable=pkgdatadir xorg-macros`
INSTALL_CMD="(cp -f "$macros_datadir/INSTALL" \$(top_srcdir)/.INSTALL.tmp && \
mv \$(top_srcdir)/.INSTALL.tmp \$(top_srcdir)/INSTALL) \
-|| (rm -f \$(top_srcdir)/.INSTALL.tmp; touch \$(top_srcdir)/INSTALL; \
-echo 'util-macros \"pkgdatadir\" from xorg-macros.pc not found: installing possibly empty INSTALL.' >&2)"
+|| (rm -f \$(top_srcdir)/.INSTALL.tmp; test -e \$(top_srcdir)/INSTALL || ( \
+touch \$(top_srcdir)/INSTALL; \
+echo 'failed to copy INSTALL from util-macros: installing empty INSTALL.' >&2))"
+case $host_os in
+ solaris*)
+ # Solaris 2.0 - 11.3 use SysV man page section numbers, so we
+ # check for a man page file found in later versions that use
+ # traditional section numbers instead
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for /usr/share/man/man7/attributes.7" >&5
+$as_echo_n "checking for /usr/share/man/man7/attributes.7... " >&6; }
+if ${ac_cv_file__usr_share_man_man7_attributes_7+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ test "$cross_compiling" = yes &&
+ as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
+if test -r "/usr/share/man/man7/attributes.7"; then
+ ac_cv_file__usr_share_man_man7_attributes_7=yes
+else
+ ac_cv_file__usr_share_man_man7_attributes_7=no
+fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_file__usr_share_man_man7_attributes_7" >&5
+$as_echo "$ac_cv_file__usr_share_man_man7_attributes_7" >&6; }
+if test "x$ac_cv_file__usr_share_man_man7_attributes_7" = xyes; then :
+ SYSV_MAN_SECTIONS=false
+else
+ SYSV_MAN_SECTIONS=true
+fi
+
+ ;;
+ *) SYSV_MAN_SECTIONS=false ;;
+esac
+
if test x$APP_MAN_SUFFIX = x ; then
APP_MAN_SUFFIX=1
fi
@@ -17636,9 +17668,9 @@ if test x$LIB_MAN_DIR = x ; then
fi
if test x$FILE_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) FILE_MAN_SUFFIX=4 ;;
- *) FILE_MAN_SUFFIX=5 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) FILE_MAN_SUFFIX=4 ;;
+ *) FILE_MAN_SUFFIX=5 ;;
esac
fi
if test x$FILE_MAN_DIR = x ; then
@@ -17646,9 +17678,9 @@ if test x$FILE_MAN_DIR = x ; then
fi
if test x$MISC_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) MISC_MAN_SUFFIX=5 ;;
- *) MISC_MAN_SUFFIX=7 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) MISC_MAN_SUFFIX=5 ;;
+ *) MISC_MAN_SUFFIX=7 ;;
esac
fi
if test x$MISC_MAN_DIR = x ; then
@@ -17656,9 +17688,9 @@ if test x$MISC_MAN_DIR = x ; then
fi
if test x$DRIVER_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) DRIVER_MAN_SUFFIX=7 ;;
- *) DRIVER_MAN_SUFFIX=4 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) DRIVER_MAN_SUFFIX=7 ;;
+ *) DRIVER_MAN_SUFFIX=4 ;;
esac
fi
if test x$DRIVER_MAN_DIR = x ; then
@@ -17666,9 +17698,9 @@ if test x$DRIVER_MAN_DIR = x ; then
fi
if test x$ADMIN_MAN_SUFFIX = x ; then
- case $host_os in
- solaris*) ADMIN_MAN_SUFFIX=1m ;;
- *) ADMIN_MAN_SUFFIX=8 ;;
+ case $SYSV_MAN_SECTIONS in
+ true) ADMIN_MAN_SUFFIX=1m ;;
+ *) ADMIN_MAN_SUFFIX=8 ;;
esac
fi
if test x$ADMIN_MAN_DIR = x ; then
@@ -17916,6 +17948,11 @@ esac
fi
# Test for the ability of xmlto to generate a text target
+#
+# NOTE: xmlto 0.0.27 or higher return a non-zero return code in the
+# following test for empty XML docbook files.
+# For compatibility reasons use the following empty XML docbook file and if
+# it fails try it again with a non-empty XML file.
have_xmlto_text=no
cat > conftest.xml << "EOF"
EOF
@@ -17923,10 +17960,18 @@ if test "$have_xmlto" = yes; then :
if $XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1; then :
have_xmlto_text=yes
else
+ # Try it again with a non-empty XML file.
+ cat > conftest.xml << "EOF"
+<x></x>
+EOF
+ if $XMLTO --skip-validation txt conftest.xml >/dev/null 2>&1; then :
+ have_xmlto_text=yes
+else
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: xmlto cannot generate text format, this format skipped" >&5
$as_echo "$as_me: WARNING: xmlto cannot generate text format, this format skipped" >&2;}
fi
fi
+fi
rm -f conftest.xml
if test $have_xmlto_text = yes; then
HAVE_XMLTO_TEXT_TRUE=
@@ -19327,7 +19372,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libSM $as_me 1.2.2, which was
+This file was extended by libSM $as_me 1.2.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -19393,7 +19438,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libSM config.status 1.2.2
+libSM config.status 1.2.3
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/lib/libSM/configure.ac b/lib/libSM/configure.ac
index 16b6ad109..c58c45fe0 100644
--- a/lib/libSM/configure.ac
+++ b/lib/libSM/configure.ac
@@ -1,7 +1,7 @@
# Initialize Autoconf
AC_PREREQ(2.60)
-AC_INIT([libSM], [1.2.2],
+AC_INIT([libSM], [1.2.3],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libSM])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
diff --git a/lib/libSM/doc/SMlib.xml b/lib/libSM/doc/SMlib.xml
index 43579f995..eb97effa5 100644
--- a/lib/libSM/doc/SMlib.xml
+++ b/lib/libSM/doc/SMlib.xml
@@ -494,7 +494,7 @@ The Save Yourself callback is of type <function>SmcSaveYourselfProc</function>
<funcprototype>
<funcdef>typedef void (*<function>SaveYourselfProc</function>)</funcdef>
<paramdef>SmcConn <parameter>smc_conn</parameter></paramdef>
- <paramdef>SmcConn <parameter>client_data</parameter></paramdef>
+ <paramdef>SmPointer <parameter>client_data</parameter></paramdef>
<paramdef>int <parameter>save_type</parameter></paramdef>
<paramdef>Bool <parameter>shutdown</parameter></paramdef>
<paramdef>int <parameter>interact_style</parameter></paramdef>
@@ -629,7 +629,7 @@ The Die callback is of type <xref linkend='SmcDieProc' xrefstyle='select: title'
<funcprototype>
<funcdef>typedef void (*<function>SmcDieProc</function>)</funcdef>
<paramdef>SmcConn <parameter>smc_conn</parameter></paramdef>
- <paramdef>SmcConn <parameter>client_data</parameter></paramdef>
+ <paramdef>SmPointer <parameter>client_data</parameter></paramdef>
</funcprototype>
</funcsynopsis>
diff --git a/lib/libSM/src/Makefile.am b/lib/libSM/src/Makefile.am
index a094ccc85..ace113b58 100644
--- a/lib/libSM/src/Makefile.am
+++ b/lib/libSM/src/Makefile.am
@@ -17,7 +17,6 @@ endif
libSM_la_SOURCES = \
SMlibint.h \
- sm_auth.c \
sm_client.c \
sm_error.c \
sm_genid.c \
@@ -25,6 +24,8 @@ libSM_la_SOURCES = \
sm_misc.c \
sm_process.c
+EXTRA_DIST = sm_auth.c
+
smincludedir=$(includedir)/X11/SM
sminclude_HEADERS=\
$(top_srcdir)/include/X11/SM/SM.h \
diff --git a/lib/libSM/src/Makefile.in b/lib/libSM/src/Makefile.in
index 19babfb35..ecb640537 100644
--- a/lib/libSM/src/Makefile.in
+++ b/lib/libSM/src/Makefile.in
@@ -96,7 +96,7 @@ LTLIBRARIES = $(lib_LTLIBRARIES)
am__DEPENDENCIES_1 =
@WITH_LIBUUID_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
libSM_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2)
-am_libSM_la_OBJECTS = sm_auth.lo sm_client.lo sm_error.lo sm_genid.lo \
+am_libSM_la_OBJECTS = sm_client.lo sm_error.lo sm_genid.lo \
sm_manager.lo sm_misc.lo sm_process.lo
libSM_la_OBJECTS = $(am_libSM_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -305,7 +305,6 @@ libSM_la_LDFLAGS = -version-number 6:0:1 -no-undefined
libSM_la_LIBADD = $(SM_LIBS) $(am__append_2)
libSM_la_SOURCES = \
SMlibint.h \
- sm_auth.c \
sm_client.c \
sm_error.c \
sm_genid.c \
@@ -313,6 +312,7 @@ libSM_la_SOURCES = \
sm_misc.c \
sm_process.c
+EXTRA_DIST = sm_auth.c
smincludedir = $(includedir)/X11/SM
sminclude_HEADERS = \
$(top_srcdir)/include/X11/SM/SM.h \
@@ -396,7 +396,6 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm_auth.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm_client.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm_error.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sm_genid.Plo@am__quote@
diff --git a/lib/libSM/src/SMlibint.h b/lib/libSM/src/SMlibint.h
index 794692059..94f13e997 100644
--- a/lib/libSM/src/SMlibint.h
+++ b/lib/libSM/src/SMlibint.h
@@ -184,80 +184,6 @@ in this Software without prior written authorization from The Open Group.
/*
- * EXTRACT FOO
- */
-
-#define EXTRACT_ARRAY8(_pBuf, _swap, _len, _array8) \
-{ \
- EXTRACT_CARD32 (_pBuf, _swap, _len); \
- _array8 = malloc (_len + 1); \
- memcpy (_array8, _pBuf, _len); \
- _array8[_len] = '\0'; \
- _pBuf += _len + PAD64 (4 + _len); \
-}
-
-#define EXTRACT_ARRAY8_AS_STRING(_pBuf, _swap, _string) \
-{ \
- CARD32 _len; \
- EXTRACT_CARD32 (_pBuf, _swap, _len); \
- _string = malloc (_len + 1); \
- memcpy (_string, _pBuf, _len); \
- _string[_len] = '\0'; \
- _pBuf += _len + PAD64 (4 + _len); \
-}
-
-#define EXTRACT_LISTOF_PROPERTY(_pBuf, _swap, _count, _props) \
-{ \
- int _i, _j; \
- EXTRACT_CARD32 (_pBuf, _swap, _count); \
- _pBuf += 4; \
- _props = malloc (_count * sizeof (SmProp *)); \
- for (_i = 0; _i < _count; _i++) \
- { \
- _props[_i] = malloc (sizeof (SmProp)); \
- EXTRACT_ARRAY8_AS_STRING (_pBuf, _swap, _props[_i]->name); \
- EXTRACT_ARRAY8_AS_STRING (_pBuf, _swap, _props[_i]->type); \
- EXTRACT_CARD32 (_pBuf, _swap, _props[_i]->num_vals); \
- _pBuf += 4; \
- _props[_i]->vals = malloc ( \
- _props[_i]->num_vals * sizeof (SmPropValue)); \
- for (_j = 0; _j < _props[_i]->num_vals; _j++) \
- { \
- char *_temp; \
- EXTRACT_ARRAY8 (_pBuf, _swap, _props[_i]->vals[_j].length, _temp);\
- _props[_i]->vals[_j].value = (SmPointer) _temp; \
- } \
- } \
-}
-
-
-#define SKIP_ARRAY8(_pBuf, _swap) \
-{ \
- CARD32 _len; \
- EXTRACT_CARD32 (_pBuf, _swap, _len); \
- _pBuf += _len + PAD64 (4 + _len); \
-}
-
-#define SKIP_LISTOF_PROPERTY(_pBuf, _swap) \
-{ \
- CARD32 _i, _j; \
- CARD32 _count; \
- EXTRACT_CARD32 (_pBuf, _swap, _count); \
- _pBuf += 4; \
- for (_i = 0; _i < _count; _i++) \
- { \
- CARD32 _numvals; \
- SKIP_ARRAY8 (_pBuf, _swap); \
- SKIP_ARRAY8 (_pBuf, _swap); \
- EXTRACT_CARD32 (_pBuf, _swap, _numvals); \
- _pBuf += 4; \
- for (_j = 0; _j < _numvals; _j++) \
- SKIP_ARRAY8 (_pBuf, _swap);\
- } \
-}
-
-
-/*
* Client replies not processed by callbacks (we block for them).
*/
diff --git a/lib/libSM/src/sm_genid.c b/lib/libSM/src/sm_genid.c
index 9535cd136..1a8b9a0ed 100644
--- a/lib/libSM/src/sm_genid.c
+++ b/lib/libSM/src/sm_genid.c
@@ -64,6 +64,7 @@ in this Software without prior written authorization from The Open Group.
# include <X11/Xthreads.h>
#endif
#include <stdio.h>
+#include <unistd.h>
#include <time.h>
#define Time_t time_t
diff --git a/lib/libSM/src/sm_process.c b/lib/libSM/src/sm_process.c
index 95883b9bb..ee38057c6 100644
--- a/lib/libSM/src/sm_process.c
+++ b/lib/libSM/src/sm_process.c
@@ -32,6 +32,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include <X11/SM/SMlib.h>
+#include <limits.h>
#include "SMlibint.h"
@@ -53,15 +54,120 @@ in this Software without prior written authorization from The Open Group.
return; \
}
-#define CHECK_COMPLETE_SIZE(_iceConn, _majorOp, _minorOp, _expected_len, _actual_len, _pStart, _severity) \
- if (((unsigned long)(PADDED_BYTES64((_actual_len)) - SIZEOF (iceMsg)) >> 3) \
- != _expected_len) \
- { \
- _IceErrorBadLength (_iceConn, _majorOp, _minorOp, _severity); \
- IceDisposeCompleteMessage (iceConn, _pStart); \
- return; \
+
+static char *
+extractArray8(char **pBuf, char *pEnd, Bool swap, int *len)
+{
+ char *p;
+ int n;
+
+ if (pEnd - *pBuf < 4)
+ return NULL;
+ EXTRACT_CARD32 (*pBuf, swap, n);
+ if (n < 0 || n > INT_MAX - 7)
+ return NULL;
+
+ if ((p = malloc (n + 1)) == NULL)
+ return NULL;
+ memcpy(p, *pBuf, n);
+ p[n] = '\0';
+
+ *pBuf += n + PAD64 (4 + n);
+ if (len != NULL)
+ *len = n;
+
+ return p;
+}
+
+
+static SmProp **
+extractListofProperty(char *pBuf, char *pEnd, Bool swap, int *count)
+{
+ int i, j, n;
+ SmProp **props;
+
+ if (pEnd - pBuf < 4)
+ return NULL;
+ EXTRACT_CARD32 (pBuf, swap, n);
+ if (n < 0 || n > INT_MAX / sizeof (SmProp *))
+ return NULL;
+ pBuf += 4;
+
+ props = malloc (n * sizeof(SmProp *));
+ if (props == NULL)
+ return NULL;
+
+ for (i = 0; i < n; i++)
+ {
+ props[i] = calloc (1, sizeof (SmProp));
+ if (props[i] == NULL)
+ goto fail;
+ if ((props[i]->name = extractArray8 (&pBuf, pEnd, swap, NULL)) == NULL)
+ goto fail;
+ if ((props[i]->type = extractArray8 (&pBuf, pEnd, swap, NULL)) == NULL)
+ goto fail;
+
+ if (pEnd - pBuf < 4)
+ goto fail;
+ EXTRACT_CARD32 (pBuf, swap, props[i]->num_vals);
+ if (props[i]->num_vals < 0)
+ goto fail;
+ pBuf += 4;
+ props[i]->vals = calloc (props[i]->num_vals, sizeof (SmPropValue));
+ if (props[i]->vals == NULL)
+ goto fail;
+
+ for (j = 0; j < props[i]->num_vals; j++)
+ {
+ props[i]->vals[j].value = extractArray8 (&pBuf, pEnd, swap,
+ &props[i]->vals[j].length);
+ if (props[i]->vals[j].value == NULL)
+ goto fail;
+ }
+ }
+
+ *count = n;
+ return props;
+
+fail:
+ for (; i >= 0; i--)
+ {
+ if (props[i] != NULL)
+ {
+ free (props[i]->name);
+ free (props[i]->type);
+ if (props[i]->vals != NULL)
+ {
+ for (j = 0; j < props[i]->num_vals; j++)
+ free (props[i]->vals[j].value);
+ free (props[i]->vals);
+ }
+ free (props[i]);
+ }
+ }
+ free (props);
+ return NULL;
+}
+
+
+static Bool
+validErrorMessage(char *pData, char *pEnd, int errorClass, Bool swap)
+{
+ if (errorClass == IceBadValue)
+ {
+ unsigned int length;
+
+ if (pEnd - pData < 8)
+ return False;
+
+ pData += 4;
+ EXTRACT_CARD32 (pData, swap, length);
+ if (length > pEnd - pData)
+ return False;
}
+ return True;
+}
void
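Review bot: In extractArray8 the copy at `memcpy(p, *pBuf, n);` uses the length word `n` without first comparing it to the bytes left in the message, so a hostile length still reads past the buffer — the only comparison against `pEnd` is the 4-byte check before EXTRACT_CARD32 (if a third term was lost from that line by the page rendering, disregard this). The check should read `if (n < 0 || n > INT_MAX - 7 || n > pEnd - *pBuf)`, which bounds both the memcpy and the malloc by the message size. In extractListofProperty, `n` and `props[i]->num_vals` are likewise only range-checked, not compared with the remaining bytes, so `calloc (props[i]->num_vals, sizeof (SmPropValue))` can be asked for an allocation far larger than the message on a few bytes of input; rejecting `props[i]->num_vals > (pEnd - pBuf) / 4` (every value needs at least a 4-byte length word) before the calloc ties the allocation to the message size. A reply carrying zero properties also reaches `malloc (n * sizeof(SmProp *))` with n == 0, which on platforms where malloc(0) returns NULL is reported to the caller as a bad-length error rather than an empty list.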
@@ -88,7 +194,7 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
case SM_Error:
{
iceErrorMsg *pMsg;
- char *pData;
+ char *pData, *pEnd;
CHECK_AT_LEAST_SIZE (iceConn, _SmcOpcode, opcode,
length, SIZEOF (iceErrorMsg), IceFatalToProtocol);
@@ -108,6 +214,8 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
pMsg->offendingSequenceNum = lswapl (pMsg->offendingSequenceNum);
}
+ pEnd = pData + (length << 3) - (SIZEOF (iceErrorMsg) - SIZEOF(iceMsg));
+
if (replyWait &&
replyWait->minor_opcode_of_request == SM_RegisterClient &&
pMsg->errorClass == IceBadValue &&
@@ -125,6 +233,13 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
*replyReadyRet = True;
}
+ else if (!validErrorMessage(pData, pEnd, pMsg->errorClass, swap))
+ {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pData);
+ return;
+ }
else
{
(*_SmcErrorHandler) (smcConn, swap,
@@ -151,14 +266,12 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
else
{
smRegisterClientReplyMsg *pMsg;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
_SmcRegisterClientReply *reply =
(_SmcRegisterClientReply *) (replyWait->reply);
-#if 0 /* No-op */
CHECK_AT_LEAST_SIZE (iceConn, _SmcOpcode, opcode,
length, SIZEOF (smRegisterClientReplyMsg), IceFatalToProtocol);
-#endif
IceReadCompleteMessage (iceConn, SIZEOF (smRegisterClientReplyMsg),
smRegisterClientReplyMsg, pMsg, pStart);
@@ -170,16 +283,16 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
}
pData = pStart;
+ pEnd = pStart + (length << 3) -
+ (SIZEOF (smRegisterClientReplyMsg) - SIZEOF (iceMsg));
- SKIP_ARRAY8 (pData, swap); /* client id */
-
- CHECK_COMPLETE_SIZE (iceConn, _SmcOpcode, opcode,
- length, pData - pStart + SIZEOF (smRegisterClientReplyMsg),
- pStart, IceFatalToProtocol);
-
- pData = pStart;
-
- EXTRACT_ARRAY8_AS_STRING (pData, swap, reply->client_id);
+ reply->client_id = extractArray8(&pData, pEnd, swap, NULL);
+ if (reply->client_id == NULL) {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
reply->status = 1;
*replyReadyRet = True;
@@ -357,15 +470,13 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
else
{
smPropertiesReplyMsg *pMsg;
- char *pData, *pStart;
- int numProps;
+ char *pStart, *pEnd;
+ int numProps = 0;
SmProp **props = NULL;
_SmcPropReplyWait *next;
-#if 0 /* No-op */
CHECK_AT_LEAST_SIZE (iceConn, _SmcOpcode, opcode,
length, SIZEOF (smPropertiesReplyMsg), IceFatalToProtocol);
-#endif
IceReadCompleteMessage (iceConn, SIZEOF (smPropertiesReplyMsg),
smPropertiesReplyMsg, pMsg, pStart);
@@ -376,17 +487,17 @@ _SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
return;
}
- pData = pStart;
-
- SKIP_LISTOF_PROPERTY (pData, swap);
-
- CHECK_COMPLETE_SIZE (iceConn, _SmcOpcode, opcode,
- length, pData - pStart + SIZEOF (smPropertiesReplyMsg),
- pStart, IceFatalToProtocol);
+ pEnd = pStart + (length << 3) -
+ (SIZEOF (smPropertiesReplyMsg) - SIZEOF (iceMsg));
- pData = pStart;
-
- EXTRACT_LISTOF_PROPERTY (pData, swap, numProps, props);
+ props = extractListofProperty(pStart, pEnd, swap, &numProps);
+ if (props == NULL)
+ {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
next = smcConn->prop_reply_waits->next;
@@ -432,7 +543,7 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
case SM_Error:
{
iceErrorMsg *pMsg;
- char *pData;
+ char *pData, *pEnd;
CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,
length, SIZEOF (iceErrorMsg), IceFatalToProtocol);
@@ -452,6 +563,16 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
pMsg->offendingSequenceNum = lswapl (pMsg->offendingSequenceNum);
}
+ pEnd = pData + (length << 3) - (SIZEOF (iceErrorMsg) - SIZEOF (iceMsg));
+
+ if (!validErrorMessage(pData, pEnd, pMsg->errorClass, swap))
+ {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pData);
+ return;
+ }
+
(*_SmsErrorHandler) (smsConn, swap,
pMsg->offendingMinorOpcode,
pMsg->offendingSequenceNum,
@@ -465,14 +586,12 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
case SM_RegisterClient:
{
smRegisterClientMsg *pMsg;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
char *previousId;
int idLen;
-#if 0 /* No-op */
CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,
length, SIZEOF (smRegisterClientMsg), IceFatalToProtocol);
-#endif
IceReadCompleteMessage (iceConn, SIZEOF (smRegisterClientMsg),
smRegisterClientMsg, pMsg, pStart);
@@ -484,16 +603,17 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
}
pData = pStart;
+ pEnd = pStart + (length << 3) -
+ (SIZEOF (smRegisterClientMsg) - SIZEOF (iceMsg));
- SKIP_ARRAY8 (pData, swap); /* previous id */
-
- CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,
- length, pData - pStart + SIZEOF (smRegisterClientMsg),
- pStart, IceFatalToProtocol);
-
- pData = pStart;
-
- EXTRACT_ARRAY8 (pData, swap, idLen, previousId);
+ previousId = extractArray8(&pData, pEnd, swap, &idLen);
+ if (previousId == NULL)
+ {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
if (*previousId == '\0')
{
@@ -720,14 +840,12 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
case SM_CloseConnection:
{
smCloseConnectionMsg *pMsg;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
int count, i;
char **reasonMsgs = NULL;
-#if 0 /* No-op */
CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,
- length, SIZEOF (smCloseConnectionMsg), IceFatalToProtocol);
-#endif
+ length, SIZEOF (smCloseConnectionMsg) + 8, IceFatalToProtocol);
IceReadCompleteMessage (iceConn, SIZEOF (smCloseConnectionMsg),
smCloseConnectionMsg, pMsg, pStart);
@@ -739,22 +857,35 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
}
pData = pStart;
+ pEnd = pStart + (length << 3) -
+ (SIZEOF (smCloseConnectionMsg) - SIZEOF (iceMsg));
EXTRACT_CARD32 (pData, swap, count);
pData += 4;
- for (i = 0; i < count; i++)
- SKIP_ARRAY8 (pData, swap);
-
- CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,
- length, pData - pStart + SIZEOF (smCloseConnectionMsg),
- pStart, IceFatalToProtocol);
-
- pData = pStart + 8;
+ if (count < 0 || count > INT_MAX / sizeof (char *) ||
+ (reasonMsgs = malloc (count * sizeof (char *))) == NULL)
+ {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode, IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
- reasonMsgs = malloc (count * sizeof (char *));
for (i = 0; i < count; i++)
- EXTRACT_ARRAY8_AS_STRING (pData, swap, reasonMsgs[i]);
+ {
+ reasonMsgs[i] = extractArray8(&pData, pEnd, swap, NULL);
+ if (reasonMsgs[i] == NULL)
+ break;
+ }
+ if (i != count) {
+ while (i-- > 0)
+ free (reasonMsgs[i]);
+ free (reasonMsgs);
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
IceDisposeCompleteMessage (iceConn, pStart);
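Review bot: The bound `count > INT_MAX / sizeof (char *)` only rules out arithmetic overflow; a hostile client can still send a tiny message whose count is just under that limit and make the session manager `malloc` on the order of 2 GiB on a 64-bit host before the first extractArray8 call fails, which is a cheap memory-exhaustion vector from an unauthenticated peer. Because every ARRAY8 needs at least its 4-byte length field inside `[pData, pEnd)`, cap count by the bytes remaining in addition to the overflow check: `if (count < 0 || count > INT_MAX / sizeof (char *) || count > (pEnd - pData) / 4 || (reasonMsgs = malloc (count * sizeof (char *))) == NULL)`; this presumes the CHECK_AT_LEAST_SIZE in the preceding hunk guarantees `pEnd >= pData`, which appears to be its purpose. The two _IceErrorBadLength calls here also pass `_SmcOpcode` from inside `_SmsProcessMessage`, where the earlier CHECK_AT_LEAST_SIZE uses `_SmsOpcode`. Ownership of reasonMsgs on the success path is handled outside the hunk.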
@@ -767,14 +898,12 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
case SM_SetProperties:
{
smSetPropertiesMsg *pMsg;
- char *pData, *pStart;
+ char *pStart, *pEnd;
SmProp **props = NULL;
- int numProps;
+ int numProps = 0;
-#if 0 /* No-op */
CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,
length, SIZEOF (smSetPropertiesMsg), IceFatalToProtocol);
-#endif
IceReadCompleteMessage (iceConn, SIZEOF (smSetPropertiesMsg),
smSetPropertiesMsg, pMsg, pStart);
@@ -785,17 +914,17 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
return;
}
- pData = pStart;
-
- SKIP_LISTOF_PROPERTY (pData, swap);
-
- CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,
- length, pData - pStart + SIZEOF (smSetPropertiesMsg),
- pStart, IceFatalToProtocol);
+ pEnd = pStart + (length << 3) -
+ (SIZEOF (smSetPropertiesMsg) - SIZEOF (iceMsg));
- pData = pStart;
-
- EXTRACT_LISTOF_PROPERTY (pData, swap, numProps, props);
+ props = extractListofProperty(pStart, pEnd, swap, &numProps);
+ if (props == NULL)
+ {
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
(*smsConn->callbacks.set_properties.callback) (smsConn,
smsConn->callbacks.set_properties.manager_data, numProps, props);
@@ -807,14 +936,12 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
case SM_DeleteProperties:
{
smDeletePropertiesMsg *pMsg;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
int count, i;
char **propNames = NULL;
-#if 0 /* No-op */
CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,
- length, SIZEOF (smDeletePropertiesMsg), IceFatalToProtocol);
-#endif
+ length, SIZEOF (smDeletePropertiesMsg) + 8, IceFatalToProtocol);
IceReadCompleteMessage (iceConn, SIZEOF (smDeletePropertiesMsg),
smDeletePropertiesMsg, pMsg, pStart);
@@ -826,22 +953,35 @@ _SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
}
pData = pStart;
+ pEnd = pStart + (length << 3) -
+ (SIZEOF (smDeletePropertiesMsg) - SIZEOF (iceMsg));
EXTRACT_CARD32 (pData, swap, count);
pData += 4;
- for (i = 0; i < count; i++)
- SKIP_ARRAY8 (pData, swap); /* prop names */
-
- CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,
- length, pData - pStart + SIZEOF (smDeletePropertiesMsg),
- pStart, IceFatalToProtocol);
-
- pData = pStart + 8;
+ if (count < 0 || count > INT_MAX / sizeof (char *) ||
+ (propNames = malloc (count * sizeof (char *))) == NULL)
+ {
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
- propNames = malloc (count * sizeof (char *));
for (i = 0; i < count; i++)
- EXTRACT_ARRAY8_AS_STRING (pData, swap, propNames[i]);
+ {
+ propNames[i] = extractArray8(&pData, pEnd, swap, NULL);
+ if (propNames[i] == NULL)
+ break;
+ }
+ if (i != count)
+ {
+ while (i-- > 0)
+ free (propNames[i]);
+ free (propNames);
+ _IceErrorBadLength (iceConn, _SmcOpcode, opcode,
+ IceFatalToProtocol);
+ IceDisposeCompleteMessage (iceConn, pStart);
+ return;
+ }
IceDisposeCompleteMessage (iceConn, pStart);
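Review bot: The rejection path for a negative or oversized `count` disposes the message and returns without reporting anything, whereas the identical check in SM_CloseConnection earlier in this commit calls `_IceErrorBadLength` before disposing; a client sending a bad property count is thus silently ignored here and the connection is left open, which is inconsistent and hides the malformed message from the error handler. Add `_IceErrorBadLength (iceConn, _SmsOpcode, opcode, IceFatalToProtocol);` before `IceDisposeCompleteMessage (iceConn, pStart);` in that block, using `_SmsOpcode` because this is `_SmsProcessMessage` (the later _IceErrorBadLength in this hunk passes `_SmcOpcode`, which does not match the `_SmsOpcode` used by CHECK_AT_LEAST_SIZE in this function). As in SM_CloseConnection, `count` should also be capped by the bytes left before pEnd, e.g. `count > (pEnd - pData) / 4`, so a small message cannot force a multi-gigabyte allocation of propNames. Freeing propNames on the success path happens outside the hunk.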