summaryrefslogtreecommitdiff
path: root/lib/libX11/src/LiHosts.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libX11/src/LiHosts.c')
-rw-r--r--lib/libX11/src/LiHosts.c21
1 files changed, 14 insertions, 7 deletions
diff --git a/lib/libX11/src/LiHosts.c b/lib/libX11/src/LiHosts.c
index 83cf3c791..315e4dbb4 100644
--- a/lib/libX11/src/LiHosts.c
+++ b/lib/libX11/src/LiHosts.c
@@ -77,7 +77,7 @@ XHostAddress *XListHosts (
xListHostsReply reply;
unsigned char *buf, *bp;
register unsigned i;
- register xListHostsReq *req;
+ _X_UNUSED register xListHostsReq *req;
XServerInterpretedAddress *sip;
*nhosts = 0;
@@ -119,11 +119,16 @@ XHostAddress *XListHosts (
_XRead (dpy, (char *) buf, nbytes);
for (i = 0; i < reply.nHosts; i++) {
+ if (bp > buf + nbytes - SIZEOF(xHostEntry))
+ goto fail;
op->family = ((xHostEntry *) bp)->family;
op->length =((xHostEntry *) bp)->length;
if (op->family == FamilyServerInterpreted) {
char *tp = (char *) (bp + SIZEOF(xHostEntry));
- char *vp = memchr(tp, 0, op->length);
+ char *vp;
+ if (tp > (char *) (buf + nbytes - op->length))
+ goto fail;
+ vp = memchr(tp, 0, op->length);
if (vp != NULL) {
sip->type = tp;
@@ -138,6 +143,8 @@ XHostAddress *XListHosts (
sip++;
} else {
op->address = (char *) (bp + SIZEOF(xHostEntry));
+ if (op->address > (char *) (buf + nbytes - op->length))
+ goto fail;
}
bp += SIZEOF(xHostEntry) + (((op->length + 3) >> 2) << 2);
op++;
@@ -149,9 +156,9 @@ XHostAddress *XListHosts (
UnlockDisplay(dpy);
SyncHandle();
return (outbuf);
+fail:
+ *enabled = reply.enabled;
+ *nhosts = 0;
+ Xfree(outbuf);
+ return (NULL);
}
-
-
-
-
-
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-07 23:45:08 +0000