This fixes the two callers of GetReqExtra to check that "req" is non-NULL to avoid crashing now that GetReqExtra does internal bounds-checking on the resulting buffer sizes.
Additionally updates comment describing return values to use names instead of only literal values. Signed-off-by: Kees Cook <[email protected]> --- src/Host.c | 8 ++++++++ src/ModMap.c | 10 +++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/src/Host.c b/src/Host.c index da9923a..da5e2f7 100644 --- a/src/Host.c +++ b/src/Host.c @@ -83,6 +83,10 @@ XAddHost ( LockDisplay(dpy); GetReqExtra (ChangeHosts, length, req); + if (!req) { + UnlockDisplay(dpy); + return 0; + } req->mode = HostInsert; req->hostFamily = host->family; req->hostLength = addrlen; @@ -118,6 +122,10 @@ XRemoveHost ( LockDisplay(dpy); GetReqExtra (ChangeHosts, length, req); + if (!req) { + UnlockDisplay(dpy); + return 0; + } req->mode = HostDelete; req->hostFamily = host->family; req->hostLength = addrlen; diff --git a/src/ModMap.c b/src/ModMap.c index 5c5b426..2aa2903 100644 --- a/src/ModMap.c +++ b/src/ModMap.c @@ -65,9 +65,9 @@ XGetModifierMapping(register Display *dpy) /* * Returns: - * 0 Success - * 1 Busy - one or more old or new modifiers are down - * 2 Failed - one or more new modifiers unacceptable + * MappingSuccess (0) Success + * MappingBusy (1) Busy - one or more old or new modifiers are down + * MappingFailed (2) Failed - one or more new modifiers unacceptable */ int XSetModifierMapping( @@ -80,6 +80,10 @@ XSetModifierMapping( LockDisplay(dpy); GetReqExtra(SetModifierMapping, mapSize, req); + if (!req) { + UnlockDisplay(dpy); + return MappingFailed; + } req->numKeyPerModifier = modifier_map->max_keypermod; -- 1.8.1.2 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
