Module Name: xsrc Committed By: mrg Date: Thu Jun 6 06:46:33 UTC 2013
Modified Files: xsrc/external/mit/libXi/dist/src: XGMotion.c XGetBMap.c XGetDCtl.c XGetDProp.c XGetFCtl.c XGetProp.c XIPassiveGrab.c XIProperties.c XISelEv.c XListDev.c XQueryDv.c xsrc/external/mit/libXrender/dist/src: Filter.c Xrender.c xsrc/external/mit/libXvMC/dist/src: XvMC.c xsrc/external/mit/libxcb/dist/src: xcb_in.c Log Message: merge patches to libXi, libXrender, libXvMC and libxcb that fix security issues listed in "X.Org Security Advisory: May 23, 2013" but haven't had new versions released yet. see: http://www.x.org/wiki/Development/Security/Advisory-2013-05-23 for more details on these patches. To generate a diff of this commit: cvs rdiff -u -r1.1.1.4 -r1.2 xsrc/external/mit/libXi/dist/src/XGMotion.c \ xsrc/external/mit/libXi/dist/src/XGetFCtl.c \ xsrc/external/mit/libXi/dist/src/XIPassiveGrab.c \ xsrc/external/mit/libXi/dist/src/XListDev.c \ xsrc/external/mit/libXi/dist/src/XQueryDv.c cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/external/mit/libXi/dist/src/XGetBMap.c \ xsrc/external/mit/libXi/dist/src/XGetProp.c \ xsrc/external/mit/libXi/dist/src/XIProperties.c cvs rdiff -u -r1.1.1.5 -r1.2 xsrc/external/mit/libXi/dist/src/XGetDCtl.c \ xsrc/external/mit/libXi/dist/src/XISelEv.c cvs rdiff -u -r1.1.1.1 -r1.2 xsrc/external/mit/libXi/dist/src/XGetDProp.c cvs rdiff -u -r1.1.1.4 -r1.2 xsrc/external/mit/libXrender/dist/src/Filter.c cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/external/mit/libXrender/dist/src/Xrender.c cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/external/mit/libXvMC/dist/src/XvMC.c cvs rdiff -u -r1.1.1.3 -r1.2 xsrc/external/mit/libxcb/dist/src/xcb_in.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: xsrc/external/mit/libXi/dist/src/XGMotion.c diff -u xsrc/external/mit/libXi/dist/src/XGMotion.c:1.1.1.4 xsrc/external/mit/libXi/dist/src/XGMotion.c:1.2 --- xsrc/external/mit/libXi/dist/src/XGMotion.c:1.1.1.4 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XGMotion.c Thu Jun 6 06:46:32 2013 @@ -59,6 +59,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XDeviceTimeCoord * XGetDeviceMotionEvents( @@ -74,7 +75,7 @@ XGetDeviceMotionEvents( xGetDeviceMotionEventsReply rep; XDeviceTimeCoord *tc; int *data, *bufp, *readp, *savp; - long size, size2; + unsigned long size; int i, j; XExtDisplayInfo *info = XInput_find_display(dpy); @@ -104,10 +105,21 @@ XGetDeviceMotionEvents( SyncHandle(); return (NULL); } - size = rep.length << 2; - size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); - savp = readp = (int *)Xmalloc(size); - bufp = (int *)Xmalloc(size2); + if (rep.length < (INT_MAX >> 2)) { + size = rep.length << 2; + savp = readp = Xmalloc(size); + } else { + size = 0; + savp = readp = NULL; + } + /* rep.axes is a CARD8, so assume max number of axes for bounds check */ + if (rep.nEvents < + (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { + size_t bsize = rep.nEvents * + (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); + bufp = Xmalloc(bsize); + } else + bufp = NULL; if (!bufp || !savp) { Xfree(bufp); Xfree(savp); Index: xsrc/external/mit/libXi/dist/src/XGetFCtl.c diff -u xsrc/external/mit/libXi/dist/src/XGetFCtl.c:1.1.1.4 xsrc/external/mit/libXi/dist/src/XGetFCtl.c:1.2 --- xsrc/external/mit/libXi/dist/src/XGetFCtl.c:1.1.1.4 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XGetFCtl.c Thu Jun 6 06:46:32 2013 @@ -61,6 +61,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XFeedbackState * XGetFeedbackControl( 
@@ -68,8 +69,6 @@ XGetFeedbackControl( XDevice *dev, int *num_feedbacks) { - int size = 0; - int nbytes, i; XFeedbackState *Feedback = NULL; XFeedbackState *Sav = NULL; xFeedbackState *f = NULL; @@ -91,9 +90,16 @@ XGetFeedbackControl( goto out; if (rep.length > 0) { + unsigned long nbytes; + size_t size = 0; + int i; + *num_feedbacks = rep.num_feedbacks; - nbytes = (long)rep.length << 2; - f = (xFeedbackState *) Xmalloc((unsigned)nbytes); + + if (rep.length < (INT_MAX >> 2)) { + nbytes = rep.length << 2; + f = Xmalloc(nbytes); + } if (!f) { _XEatData(dpy, (unsigned long)nbytes); goto out; @@ -102,6 +108,10 @@ XGetFeedbackControl( _XRead(dpy, (char *)f, nbytes); for (i = 0; i < *num_feedbacks; i++) { + if (f->length > nbytes) + goto out; + nbytes -= f->length; + switch (f->class) { case KbdFeedbackClass: size += sizeof(XKbdFeedbackState); @@ -116,6 +126,8 @@ XGetFeedbackControl( { xStringFeedbackState *strf = (xStringFeedbackState *) f; + if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym))) + goto out; size += sizeof(XStringFeedbackState) + (strf->num_syms_supported * sizeof(KeySym)); } @@ -130,10 +142,12 @@ XGetFeedbackControl( size += f->length; break; } + if (size > INT_MAX) + goto out; f = (xFeedbackState *) ((char *)f + f->length); } - Feedback = (XFeedbackState *) Xmalloc((unsigned)size); + Feedback = Xmalloc(size); if (!Feedback) goto out; Index: xsrc/external/mit/libXi/dist/src/XIPassiveGrab.c diff -u xsrc/external/mit/libXi/dist/src/XIPassiveGrab.c:1.1.1.4 xsrc/external/mit/libXi/dist/src/XIPassiveGrab.c:1.2 --- xsrc/external/mit/libXi/dist/src/XIPassiveGrab.c:1.1.1.4 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XIPassiveGrab.c Thu Jun 6 06:46:32 2013 
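Review bot: In XGetFeedbackControl, `nbytes` is assigned only inside `if (rep.length < (INT_MAX >> 2))`, so when that test fails the following `_XEatData(dpy, (unsigned long)nbytes)` reads an uninitialized value and discards an arbitrary amount of the reply. The failure path should drain by the reply's own length, `_XEatDataWords(dpy, rep.length);`, as the XGetBMap.c and XISelEv.c hunks in this commit already do. The same pattern appears with `rlen` in XListInputDevices (XListDev.c, hunk -198,9) and XQueryDeviceState (XQueryDv.c, -87,9), and with `nbytes` in XGetDeviceControl (XGetDCtl.c, -92,8) and XIGetProperty (XIProperties.c, -217,9). The function bodies continue outside these hunks.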
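Review bot: The new `if (f->length > nbytes)` test in the sizing loop reads `f->length`, and then `f->class`, without first checking that a whole `xFeedbackState` header still fits in the remaining bytes. A reply whose `num_feedbacks` exceeds the records actually sent therefore keeps reading past the buffer once `nbytes` reaches zero, and a record with `length` 0 passes the test without advancing `f`. A guard such as `if (nbytes < sizeof(xFeedbackState) || f->length < sizeof(xFeedbackState) || f->length > nbytes) goto out;` covers both cases. The StringFeedbackClass case in the next hunk casts to `xStringFeedbackState` and would want the analogous minimum for that larger struct.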
@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int d return -1; _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo)); - for (i = 0; i < reply.num_modifiers; i++) + for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++) { modifiers_inout[i].status = failed_mods[i].status; modifiers_inout[i].modifiers = failed_mods[i].modifiers; Index: xsrc/external/mit/libXi/dist/src/XListDev.c diff -u xsrc/external/mit/libXi/dist/src/XListDev.c:1.1.1.4 xsrc/external/mit/libXi/dist/src/XListDev.c:1.2 --- xsrc/external/mit/libXi/dist/src/XListDev.c:1.1.1.4 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XListDev.c Thu Jun 6 06:46:32 2013 @@ -60,6 +60,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> /* Calculate length field to a multiples of sizeof(XID). XIDs are typedefs * to ulong and thus may be 8 bytes on some platforms. This can trigger a @@ -72,7 +73,7 @@ static int pad_to_xid(int base_size) return ((base_size + padsize - 1)/padsize) * padsize; } -static int +static size_t SizeClassInfo(xAnyClassPtr *any, int num_classes) { int size = 0; @@ -169,7 +170,7 @@ XListInputDevices( register Display *dpy, int *ndevices) { - int size; + size_t size; xListInputDevicesReq *req; xListInputDevicesReply rep; xDeviceInfo *list, *slist = NULL; @@ -177,9 +178,9 @@ XListInputDevices( XDeviceInfo *clist = NULL; xAnyClassPtr any, sav_any; XAnyClassPtr Any; - char *nptr, *Nptr; + unsigned char *nptr, *Nptr; int i; - long rlen; + unsigned long rlen; XExtDisplayInfo *info = XInput_find_display(dpy); LockDisplay(dpy); 
@@ -198,9 +199,10 @@ XListInputDevices( if ((*ndevices = rep.ndevices)) { /* at least 1 input device */ size = *ndevices * sizeof(XDeviceInfo); - rlen = rep.length << 2; /* multiply length by 4 */ - list = (xDeviceInfo *) Xmalloc(rlen); - slist = list; + if (rep.length < (INT_MAX >> 2)) { + rlen = rep.length << 2; /* multiply length by 4 */ + slist = list = Xmalloc(rlen); + } if (!slist) { _XEatData(dpy, (unsigned long)rlen); UnlockDisplay(dpy); @@ -215,9 +217,12 @@ XListInputDevices( size += SizeClassInfo(&any, (int)list->num_classes); } - for (i = 0, nptr = (char *)any; i < *ndevices; i++) { + Nptr = ((unsigned char *)list) + rlen + 1; + for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) { size += *nptr + 1; nptr += (*nptr + 1); + if (nptr > Nptr) + goto out; } clist = (XDeviceInfoPtr) Xmalloc(size); @@ -243,8 +248,8 @@ XListInputDevices( } clist = sclist; - nptr = (char *)any; - Nptr = (char *)Any; + nptr = (unsigned char *)any; + Nptr = (unsigned char *)Any; for (i = 0; i < *ndevices; i++, clist++) { clist->name = (char *)Nptr; memcpy(Nptr, nptr + 1, *nptr); @@ -254,6 +259,7 @@ XListInputDevices( } } + out: XFree((char *)slist); UnlockDisplay(dpy); SyncHandle(); Index: xsrc/external/mit/libXi/dist/src/XQueryDv.c diff -u xsrc/external/mit/libXi/dist/src/XQueryDv.c:1.1.1.4 xsrc/external/mit/libXi/dist/src/XQueryDv.c:1.2 --- xsrc/external/mit/libXi/dist/src/XQueryDv.c:1.1.1.4 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XQueryDv.c Thu Jun 6 06:46:32 2013 @@ -59,6 +59,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XDeviceState * XQueryDeviceState( @@ -66,8 +67,8 @@ XQueryDeviceState( XDevice *dev) { int i, j; - int rlen; - int size = 0; + unsigned long rlen; + size_t size = 0; xQueryDeviceStateReq *req; xQueryDeviceStateReply rep; XDeviceState *state = NULL; 
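Review bot: The bound added to the name-length loop in XListInputDevices is checked too late and is too loose: `size += *nptr + 1` dereferences `nptr` before `if (nptr > Nptr)` runs, and `Nptr = ((unsigned char *)list) + rlen + 1` lies one byte beyond the one-past-the-end address. Testing `nptr` against the end of the reply buffer before reading the length byte, and again after adding `*nptr + 1`, closes both gaps. `list` appears to be advanced by the preceding loop, whose header is outside this hunk; if so the base should be `slist` rather than `list`, which is worth confirming. SizeClassInfo now returns `size_t`, but its local `int size` in the -72,7 hunk context is unchanged, so the accumulation inside it is still signed.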
@@ -87,9 +88,11 @@ XQueryDeviceState( if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) goto out; - rlen = rep.length << 2; - if (rlen > 0) { - data = Xmalloc(rlen); + if (rep.length > 0) { + if (rep.length < (INT_MAX >> 2)) { + rlen = (unsigned long) rep.length << 2; + data = Xmalloc(rlen); + } if (!data) { _XEatData(dpy, (unsigned long)rlen); goto out; @@ -97,6 +100,10 @@ XQueryDeviceState( _XRead(dpy, data, rlen); for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) { + if (any->length > rlen) + goto out; + rlen -= any->length; + switch (any->class) { case KeyClass: size += sizeof(XKeyState); Index: xsrc/external/mit/libXi/dist/src/XGetBMap.c diff -u xsrc/external/mit/libXi/dist/src/XGetBMap.c:1.1.1.3 xsrc/external/mit/libXi/dist/src/XGetBMap.c:1.2 --- xsrc/external/mit/libXi/dist/src/XGetBMap.c:1.1.1.3 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XGetBMap.c Thu Jun 6 06:46:32 2013 @@ -60,6 +60,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> #ifdef MIN /* some systems define this in <sys/param.h> */ #undef MIN @@ -75,7 +76,6 @@ XGetDeviceButtonMapping( { int status = 0; unsigned char mapping[256]; /* known fixed size */ - long nbytes; XExtDisplayInfo *info = XInput_find_display(dpy); register xGetDeviceButtonMappingReq *req; 
@@ -92,13 +92,18 @@ XGetDeviceButtonMapping( status = _XReply(dpy, (xReply *) & rep, 0, xFalse); if (status == 1) { - nbytes = (long)rep.length << 2; - _XRead(dpy, (char *)mapping, nbytes); - - /* don't return more data than the user asked for. */ - if (rep.nElts) - memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap)); - status = rep.nElts; + if (rep.length <= (sizeof(mapping) >> 2)) { + unsigned long nbytes = rep.length << 2; + _XRead(dpy, (char *)mapping, nbytes); + + /* don't return more data than the user asked for. */ + if (rep.nElts) + memcpy(map, mapping, MIN((int)rep.nElts, nmap)); + status = rep.nElts; + } else { + _XEatDataWords(dpy, rep.length); + status = 0; + } } else status = 0; UnlockDisplay(dpy); Index: xsrc/external/mit/libXi/dist/src/XGetProp.c diff -u xsrc/external/mit/libXi/dist/src/XGetProp.c:1.1.1.3 xsrc/external/mit/libXi/dist/src/XGetProp.c:1.2 --- xsrc/external/mit/libXi/dist/src/XGetProp.c:1.1.1.3 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XGetProp.c Thu Jun 6 06:46:32 2013 @@ -60,6 +60,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XEventClass * XGetDeviceDontPropagateList( @@ -89,11 +90,12 @@ XGetDeviceDontPropagateList( } *count = rep.count; - if (*count) { + if (rep.length != 0) { + if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass)))) + list = Xmalloc(rep.length * sizeof(XEventClass)); rlen = rep.length << 2; - list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); if (list) { - int i; + unsigned int i; CARD32 ec; /* read and assign each XEventClass separately because Index: xsrc/external/mit/libXi/dist/src/XIProperties.c diff -u xsrc/external/mit/libXi/dist/src/XIProperties.c:1.1.1.3 xsrc/external/mit/libXi/dist/src/XIProperties.c:1.2 --- xsrc/external/mit/libXi/dist/src/XIProperties.c:1.1.1.3 Sat Jul 23 12:22:26 2011 +++ xsrc/external/mit/libXi/dist/src/XIProperties.c Thu Jun 6 06:46:32 2013 
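Review bot: The `memcpy(map, mapping, MIN((int)rep.nElts, nmap))` in XGetDeviceButtonMapping is bounded by the caller's `nmap` and by `rep.nElts`, but not by the `nbytes` actually read into `mapping`. A reply whose `nElts` is larger than `rep.length << 2` therefore copies uninitialized stack bytes out to the caller, and `status = rep.nElts` reports more elements than were received. Clamping the copy count to `nbytes` as well, or zero-initializing `mapping`, would close that.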
@@ -38,6 +38,7 @@ #include <X11/extensions/XInput2.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> Atom* XIListProperties(Display* dpy, int deviceid, int *num_props_return) @@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid { xXIGetPropertyReq *req; xXIGetPropertyReply rep; - long nbytes, rbytes; + unsigned long nbytes, rbytes; XExtDisplayInfo *info = XInput_find_display(dpy); @@ -217,9 +218,11 @@ XIGetProperty(Display* dpy, int deviceid * recopy the string to make it null terminated. */ - nbytes = rep.num_items * rep.format/8; - rbytes = nbytes + 1; - *data = Xmalloc(rbytes); + if (rep.num_items < (INT_MAX / (rep.format/8))) { + nbytes = rep.num_items * rep.format/8; + rbytes = nbytes + 1; + *data = Xmalloc(rbytes); + } if (!(*data)) { _XEatData(dpy, nbytes); Index: xsrc/external/mit/libXi/dist/src/XGetDCtl.c diff -u xsrc/external/mit/libXi/dist/src/XGetDCtl.c:1.1.1.5 xsrc/external/mit/libXi/dist/src/XGetDCtl.c:1.2 --- xsrc/external/mit/libXi/dist/src/XGetDCtl.c:1.1.1.5 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XGetDCtl.c Thu Jun 6 06:46:32 2013 @@ -61,6 +61,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XDeviceControl * XGetDeviceControl( @@ -68,8 +69,6 @@ XGetDeviceControl( XDevice *dev, int control) { - int size = 0; - int nbytes, i; XDeviceControl *Device = NULL; XDeviceControl *Sav = NULL; xDeviceState *d = NULL; @@ -92,8 +91,12 @@ XGetDeviceControl( goto out; if (rep.length > 0) { - nbytes = (long)rep.length << 2; - d = (xDeviceState *) Xmalloc((unsigned)nbytes); + unsigned long nbytes; + size_t size = 0; + if (rep.length < (INT_MAX >> 2)) { + nbytes = (unsigned long) rep.length << 2; + d = Xmalloc(nbytes); + } if (!d) { _XEatData(dpy, (unsigned long)nbytes); goto out; 
@@ -111,33 +114,46 @@ XGetDeviceControl( case DEVICE_RESOLUTION: { xDeviceResolutionState *r; + size_t val_size; r = (xDeviceResolutionState *) d; - size += sizeof(XDeviceResolutionState) + - (3 * sizeof(int) * r->num_valuators); + if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) + goto out; + val_size = 3 * sizeof(int) * r->num_valuators; + if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) + goto out; + size += sizeof(XDeviceResolutionState) + val_size; break; } case DEVICE_ABS_CALIB: { + if (sizeof(xDeviceAbsCalibState) > nbytes) + goto out; size += sizeof(XDeviceAbsCalibState); break; } case DEVICE_ABS_AREA: { + if (sizeof(xDeviceAbsAreaState) > nbytes) + goto out; size += sizeof(XDeviceAbsAreaState); break; } case DEVICE_CORE: { + if (sizeof(xDeviceCoreState) > nbytes) + goto out; size += sizeof(XDeviceCoreState); break; } default: + if (d->length > nbytes) + goto out; size += d->length; break; } - Device = (XDeviceControl *) Xmalloc((unsigned)size); + Device = Xmalloc(size); if (!Device) goto out; @@ -150,6 +166,7 @@ XGetDeviceControl( int *iptr, *iptr2; xDeviceResolutionState *r; XDeviceResolutionState *R; + unsigned int i; r = (xDeviceResolutionState *) d; R = (XDeviceResolutionState *) Device; Index: xsrc/external/mit/libXi/dist/src/XISelEv.c diff -u xsrc/external/mit/libXi/dist/src/XISelEv.c:1.1.1.5 xsrc/external/mit/libXi/dist/src/XISelEv.c:1.2 --- xsrc/external/mit/libXi/dist/src/XISelEv.c:1.1.1.5 Wed Jun 5 00:51:23 2013 +++ xsrc/external/mit/libXi/dist/src/XISelEv.c Thu Jun 6 06:46:32 2013 @@ -42,6 +42,7 @@ in this Software without prior written a #include <X11/extensions/ge.h> #include <X11/extensions/geproto.h> #include "XIint.h" +#include <limits.h> int XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks) 
@@ -101,13 +102,14 @@ out: XIEventMask* XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return) { - int i, len = 0; + unsigned int i, len = 0; unsigned char *mask; XIEventMask *mask_out = NULL; xXIEventMask *mask_in = NULL, *mi; xXIGetSelectedEventsReq *req; xXIGetSelectedEventsReply reply; XExtDisplayInfo *info = XInput_find_display(dpy); + size_t rbytes; *num_masks_return = -1; LockDisplay(dpy); @@ -129,11 +131,16 @@ XIGetSelectedEvents(Display* dpy, Window goto out; } - mask_in = Xmalloc(reply.length * 4); - if (!mask_in) + if (reply.length < (INT_MAX >> 2)) { + rbytes = (unsigned long) reply.length << 2; + mask_in = Xmalloc(rbytes); + } + if (!mask_in) { + _XEatDataWords(dpy, reply.length); goto out; + } - _XRead(dpy, (char*)mask_in, reply.length * 4); + _XRead(dpy, (char*)mask_in, rbytes); /* Memory layout of the XIEventMask for a 3 mask reply: * [struct a][struct b][struct c][masks a][masks b][masks c] @@ -142,8 +149,14 @@ XIGetSelectedEvents(Display* dpy, Window for (i = 0, mi = mask_in; i < reply.num_masks; i++) { - len += mi->mask_len * 4; - mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4); + unsigned int mask_bytes = mi->mask_len * 4; + len += mask_bytes; + if (len > INT_MAX) + goto out; + if ((sizeof(xXIEventMask) + mask_bytes) > rbytes) + goto out; + rbytes -= (sizeof(xXIEventMask) + mask_bytes); + mi = (xXIEventMask*)((char*)mi + mask_bytes); mi++; } Index: xsrc/external/mit/libXi/dist/src/XGetDProp.c diff -u xsrc/external/mit/libXi/dist/src/XGetDProp.c:1.1.1.1 xsrc/external/mit/libXi/dist/src/XGetDProp.c:1.2 --- xsrc/external/mit/libXi/dist/src/XGetDProp.c:1.1.1.1 Tue Mar 10 04:27:02 2009 +++ xsrc/external/mit/libXi/dist/src/XGetDProp.c Thu Jun 6 06:46:32 2013 @@ -38,6 +38,7 @@ in this Software without prior written a #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> int XGetDeviceProperty(Display* dpy, XDevice* dev, 
@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice { xGetDevicePropertyReq *req; xGetDevicePropertyReply rep; - long nbytes, rbytes; + unsigned long nbytes, rbytes; + int ret = Success; XExtDisplayInfo *info = XInput_find_display(dpy); @@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice * data, but this last byte is null terminated and convenient for * returning string properties, so the client doesn't then have to * recopy the string to make it null terminated. + * + * Maximum item limits are set to both prevent integer overflow when + * calculating the amount of memory to malloc, and to limit how much + * memory will be used if a server provides an insanely high count. */ switch (rep.format) { case 8: - nbytes = rep.nItems; - rbytes = rep.nItems + 1; - if (rbytes > 0 && - (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) - _XReadPad (dpy, (char *) *prop, nbytes); + if (rep.nItems < INT_MAX) { + nbytes = rep.nItems; + rbytes = rep.nItems + 1; + if ((*prop = Xmalloc (rbytes))) + _XReadPad (dpy, (char *) *prop, nbytes); + else + ret = BadAlloc; + } break; case 16: - nbytes = rep.nItems << 1; - rbytes = rep.nItems * sizeof (short) + 1; - if (rbytes > 0 && - (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) - _XRead16Pad (dpy, (short *) *prop, nbytes); + if (rep.nItems < (INT_MAX / sizeof (short))) { + nbytes = rep.nItems << 1; + rbytes = rep.nItems * sizeof (short) + 1; + if ((*prop = Xmalloc (rbytes))) + _XRead16Pad (dpy, (short *) *prop, nbytes); + else + ret = BadAlloc; + } break; case 32: - nbytes = rep.nItems << 2; - rbytes = rep.nItems * sizeof (long) + 1; - if (rbytes > 0 && - (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) - _XRead32 (dpy, (long *) *prop, nbytes); + if (rep.nItems < (INT_MAX / sizeof (long))) { + nbytes = rep.nItems << 2; + rbytes = rep.nItems * sizeof (long) + 1; + if ((*prop = Xmalloc (rbytes))) + _XRead32 (dpy, (long *) *prop, nbytes); + else + ret = BadAlloc; + } break; default: 
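Review bot: `nbytes` can reach `_XEatData(dpy, (unsigned long) nbytes)` in the following hunk (-112,17) without ever being assigned: each `case` now sets it only when the `rep.nItems` limit passes, and the `default:` branch no longer computes `rep.length << 2`. On those paths `*prop` is presumably still NULL (its initialization is outside the hunk), so an unspecified number of bytes is discarded from the connection. Draining with `_XEatDataWords(dpy, rep.length);` in the `if (! *prop)` block avoids depending on `nbytes` at all. `rbytes` is used only after a successful allocation, so it is not affected.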
@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice * This part of the code should never be reached. If it is, * the server sent back a property with an invalid format. */ - nbytes = rep.length << 2; - _XEatData(dpy, (unsigned long) nbytes); - UnlockDisplay(dpy); - SyncHandle(); - return(BadImplementation); + ret = BadImplementation; } if (! *prop) { _XEatData(dpy, (unsigned long) nbytes); - UnlockDisplay(dpy); - SyncHandle(); - return(BadAlloc); + if (ret == Success) + ret = BadAlloc; + goto out; } (*prop)[rbytes - 1] = '\0'; } @@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice *actual_format = rep.format; *nitems = rep.nItems; *bytes_after = rep.bytesAfter; + out: UnlockDisplay (dpy); SyncHandle (); - return Success; + return ret; } Index: xsrc/external/mit/libXrender/dist/src/Filter.c diff -u xsrc/external/mit/libXrender/dist/src/Filter.c:1.1.1.4 xsrc/external/mit/libXrender/dist/src/Filter.c:1.2 --- xsrc/external/mit/libXrender/dist/src/Filter.c:1.1.1.4 Thu Jun 6 06:15:21 2013 +++ xsrc/external/mit/libXrender/dist/src/Filter.c Thu Jun 6 06:46:33 2013 @@ -25,6 +25,7 @@ #include <config.h> #endif #include "Xrenderint.h" +#include <limits.h> XFilters * XRenderQueryFilters (Display *dpy, Drawable drawable) @@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawa char *name; char len; int i; - long nbytes, nbytesAlias, nbytesName; + unsigned long nbytes, nbytesAlias, nbytesName; if (!RenderHasExtension (info)) return NULL; 
@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawa SyncHandle (); return NULL; } - /* - * Compute total number of bytes for filter names - */ - nbytes = (long)rep.length << 2; - nbytesAlias = rep.numAliases * 2; - if (rep.numAliases & 1) - nbytesAlias += 2; - nbytesName = nbytes - nbytesAlias; /* - * Allocate one giant block for the whole data structure + * Limit each component of combined size to 1/4 the max, which is far + * more than they should ever possibly need. */ - filters = Xmalloc (sizeof (XFilters) + - rep.numFilters * sizeof (char *) + - rep.numAliases * sizeof (short) + - nbytesName); + if ((rep.length < (INT_MAX >> 2)) && + (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && + (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { + /* + * Compute total number of bytes for filter names + */ + nbytes = (unsigned long)rep.length << 2; + nbytesAlias = rep.numAliases * 2; + if (rep.numAliases & 1) + nbytesAlias += 2; + nbytesName = nbytes - nbytesAlias; + + /* + * Allocate one giant block for the whole data structure + */ + filters = Xmalloc (sizeof (XFilters) + + (rep.numFilters * sizeof (char *)) + + (rep.numAliases * sizeof (short)) + + nbytesName); + } else + filters = NULL; if (!filters) { Index: xsrc/external/mit/libXrender/dist/src/Xrender.c diff -u xsrc/external/mit/libXrender/dist/src/Xrender.c:1.1.1.3 xsrc/external/mit/libXrender/dist/src/Xrender.c:1.2 --- xsrc/external/mit/libXrender/dist/src/Xrender.c:1.1.1.3 Thu Jun 6 06:15:21 2013 +++ xsrc/external/mit/libXrender/dist/src/Xrender.c Thu Jun 6 06:46:33 2013 @@ -26,6 +26,7 @@ #include <config.h> #endif #include "Xrenderint.h" +#include <limits.h> XRenderExtInfo XRenderExtensionInfo; char XRenderExtensionName[] = RENDER_NAME; @@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) CARD32 *xSubpixel; void *xData; int nf, ns, nd, nv; - int rlength; - int nbytes; + unsigned long rlength; + unsigned long nbytes; RenderCheckExtension (dpy, info, 0); LockDisplay (dpy); 
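Review bot: `nbytesName = nbytes - nbytesAlias` in XRenderQueryFilters is now unsigned arithmetic with no check that the alias table fits in the reply. A reply with `rep.numAliases * 2` larger than `rep.length << 2` wraps `nbytesName`, and the sum passed to `Xmalloc` then no longer matches what is parsed afterwards. The three limits added here bound each field separately but not their relation to one another. A test such as `if (nbytesAlias > nbytes)` that takes the `filters = NULL` path before the subtraction would cover it. A similar consistency check of `rep.numFilters` against `nbytesName` belongs where the names are read, which is outside this hunk.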
@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy) if (async_state.major_version == 0 && async_state.minor_version < 6) rep.numSubpixel = 0; - xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + - rep.numFormats * sizeof (XRenderPictFormat) + - rep.numScreens * sizeof (XRenderScreen) + - rep.numDepths * sizeof (XRenderDepth) + - rep.numVisuals * sizeof (XRenderVisual)); - rlength = (rep.numFormats * sizeof (xPictFormInfo) + - rep.numScreens * sizeof (xPictScreen) + - rep.numDepths * sizeof (xPictDepth) + - rep.numVisuals * sizeof (xPictVisual) + - rep.numSubpixel * 4); - xData = (void *) Xmalloc (rlength); - nbytes = (int) rep.length << 2; + if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && + (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && + (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && + (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && + (rep.numSubpixel < ((INT_MAX / 4) / 4)) && + (rep.length < (INT_MAX >> 2)) ) { + xri = Xmalloc (sizeof (XRenderInfo) + + (rep.numFormats * sizeof (XRenderPictFormat)) + + (rep.numScreens * sizeof (XRenderScreen)) + + (rep.numDepths * sizeof (XRenderDepth)) + + (rep.numVisuals * sizeof (XRenderVisual))); + rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + + (rep.numScreens * sizeof (xPictScreen)) + + (rep.numDepths * sizeof (xPictDepth)) + + (rep.numVisuals * sizeof (xPictVisual)) + + (rep.numSubpixel * 4)); + xData = Xmalloc (rlength); + nbytes = (unsigned long) rep.length << 2; + } else { + xri = NULL; + xData = NULL; + rlength = nbytes = 0; + } if (!xri || !xData || nbytes < rlength) { @@ -832,7 +844,7 @@ XRenderQueryPictIndexValues(Display *d xRenderQueryPictIndexValuesReq *req; xRenderQueryPictIndexValuesReply rep; XIndexValue *values; - int nbytes, nread, rlength, i; + unsigned int nbytes, nread, rlength, i; RenderCheckExtension (dpy, info, NULL); 
@@ -848,15 +860,22 @@ XRenderQueryPictIndexValues(Display *d return NULL; } - /* request data length */ - nbytes = (long)rep.length << 2; - /* bytes of actual data in the request */ - nread = rep.numIndexValues * SIZEOF (xIndexValue); - /* size of array returned to application */ - rlength = rep.numIndexValues * sizeof (XIndexValue); + if ((rep.length < (INT_MAX >> 2)) && + (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { + /* request data length */ + nbytes = rep.length << 2; + /* bytes of actual data in the request */ + nread = rep.numIndexValues * SIZEOF (xIndexValue); + /* size of array returned to application */ + rlength = rep.numIndexValues * sizeof (XIndexValue); + + /* allocate returned data */ + values = Xmalloc (rlength); + } else { + nbytes = nread = rlength = 0; + values = NULL; + } - /* allocate returned data */ - values = (XIndexValue *)Xmalloc (rlength); if (!values) { _XEatData (dpy, nbytes); Index: xsrc/external/mit/libXvMC/dist/src/XvMC.c diff -u xsrc/external/mit/libXvMC/dist/src/XvMC.c:1.1.1.3 xsrc/external/mit/libXvMC/dist/src/XvMC.c:1.2 --- xsrc/external/mit/libXvMC/dist/src/XvMC.c:1.1.1.3 Thu Jun 6 06:15:26 2013 +++ xsrc/external/mit/libXvMC/dist/src/XvMC.c Thu Jun 6 06:46:33 2013 @@ -16,6 +16,7 @@ #include <sys/time.h> #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> +#include <limits.h> static XExtensionInfo _xvmc_info_data; static XExtensionInfo *xvmc_info = &_xvmc_info_data; @@ -111,8 +112,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(D } if(rep.num > 0) { - surface_info = - (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); + if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo))) + surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); if(surface_info) { xvmcSurfaceInfo sinfo; 
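Review bot: On the new rejection path in XRenderQueryPictIndexValues, `nbytes` is set to 0 and then passed to `_XEatData (dpy, nbytes)`, so an over-limit reply is never drained and its leftover bytes would be parsed as the next reply on this display. Discarding by the wire length keeps the stream in sync, e.g. `_XEatDataWords (dpy, rep.length);` if the Xlib being built against provides it (the libXi hunks in this commit use it). The `else` branch in XRenderQueryFormats (Xrender.c, hunk -458,18) zeroes `rlength` and `nbytes` the same way. Its failure body is outside the hunk, so check whether it also drains using `nbytes`.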
@@ -172,8 +173,8 @@ XvImageFormatValues * XvMCListSubpicture } if(rep.num > 0) { - ret = - (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues)); + if (rep.num < (INT_MAX / sizeof(XvImageFormatValues))) + ret = Xmalloc(rep.num * sizeof(XvImageFormatValues)); if(ret) { xvImageFormatInfo Info; @@ -484,7 +485,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPor XExtDisplayInfo *info = xvmc_find_display(dpy); xvmcGetDRInfoReply rep; xvmcGetDRInfoReq *req; - char *tmpBuf = NULL; CARD32 magic; #ifdef HAVE_SHMAT @@ -495,6 +495,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPor here.tz_dsttime = 0; #endif + *name = NULL; + *busID = NULL; + XvMCCheckExtension (dpy, info, BadImplementation); LockDisplay (dpy); 
@@ -553,31 +556,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPor #endif if (rep.length > 0) { + unsigned long realSize = 0; + char *tmpBuf = NULL; - int realSize = rep.length << 2; - - tmpBuf = (char *) Xmalloc(realSize); - if (tmpBuf) { - *name = (char *) Xmalloc(rep.nameLen); - if (*name) { - *busID = (char *) Xmalloc(rep.busIDLen); - if (! *busID) { - XFree(*name); - XFree(tmpBuf); - } - } else { - XFree(tmpBuf); + if (rep.length < (INT_MAX >> 2)) { + realSize = rep.length << 2; + if (realSize >= (rep.nameLen + rep.busIDLen)) { + tmpBuf = Xmalloc(realSize); + *name = Xmalloc(rep.nameLen); + *busID = Xmalloc(rep.busIDLen); } } if (*name && *busID && tmpBuf) { - _XRead(dpy, tmpBuf, realSize); strncpy(*name,tmpBuf,rep.nameLen); + name[rep.nameLen - 1] = '\0'; strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); + busID[rep.busIDLen - 1] = '\0'; XFree(tmpBuf); - } else { + XFree(*name); + *name = NULL; + XFree(*busID); + *name = NULL; + XFree(tmpBuf); _XEatData(dpy, realSize); UnlockDisplay (dpy); Index: xsrc/external/mit/libxcb/dist/src/xcb_in.c diff -u xsrc/external/mit/libxcb/dist/src/xcb_in.c:1.1.1.3 xsrc/external/mit/libxcb/dist/src/xcb_in.c:1.2 --- xsrc/external/mit/libxcb/dist/src/xcb_in.c:1.1.1.3 Fri May 31 08:50:45 2013 +++ xsrc/external/mit/libxcb/dist/src/xcb_in.c Thu Jun 6 06:46:33 2013 @@ -93,8 +93,9 @@ static void remove_finished_readers(read static int read_packet(xcb_connection_t *c) { xcb_generic_reply_t genrep; - int length = 32; - int eventlength = 0; /* length after first 32 bytes for GenericEvents */ + uint64_t length = 32; + uint64_t eventlength = 0; /* length after first 32 bytes for GenericEvents */ + uint64_t bufsize; void *buf; pending_reply *pend = 0; struct event_list *event; 
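Review bot: The two terminator lines added in XvMCGetDRInfo index the wrong object: the buffers are assigned through `*name` and `*busID`, so `name[rep.nameLen - 1] = '\0'` stores at an offset from the caller's pointer variable rather than into the string. They should read `(*name)[rep.nameLen - 1] = '\0';` and `(*busID)[rep.busIDLen - 1] = '\0';`. In the failure branch the second `*name = NULL;` after `XFree(*busID)` looks like a copy-paste slip for `*busID = NULL;`, which leaves the caller holding a freed pointer. Both indexes also underflow when `rep.nameLen` or `rep.busIDLen` is 0. If those fields are 32-bit, `rep.nameLen + rep.busIDLen` can wrap before the `realSize >=` comparison, so a zero-length check and a widened sum are worth adding.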
@@ -169,8 +170,12 @@ static int read_packet(xcb_connection_t if ((genrep.response_type & 0x7f) == XCB_XGE_EVENT) eventlength = genrep.length * 4; - buf = malloc(length + eventlength + - (genrep.response_type == XCB_REPLY ? 0 : sizeof(uint32_t))); + bufsize = length + eventlength + + (genrep.response_type == XCB_REPLY ? 0 : sizeof(uint32_t)); + if (bufsize < INT32_MAX) + buf = malloc((size_t) bufsize); + else + buf = NULL; if(!buf) { _xcb_conn_shutdown(c, XCB_CONN_CLOSED_MEM_INSUFFICIENT);
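Review bot: Widening `length` and `eventlength` to `uint64_t` does not by itself stop the wrap in the context line `eventlength = genrep.length * 4;`, because the multiplication is carried out in the operand type before the result is stored. If `genrep.length` is a 32-bit field, the product has already wrapped by then. Casting first, `eventlength = (uint64_t)genrep.length * 4;`, lets the `bufsize < INT32_MAX` check see the true size. The same applies to any `length += genrep.length * 4` earlier in read_packet, outside this hunk.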