From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 14:24:12 -0700 Subject: [PATCH 6/8] Use _XEatDataWords to avoid overflow of length calculations Signed-off-by: Alan Coopersmith --- configure.ac | 6 ++++++ src/XF86VMode.c | 35 +++++++++++++++++++++++++---------- 2 files changed, 31 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac index d8a23b0..b637788 100644 --- a/configure.ac +++ b/configure.ac @@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1]) +# Check for _XEatDataWords function that may be patched into older Xlib release +SAVE_LIBS="$LIBS" +LIBS="$XXF86VM_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + AC_CONFIG_FILES([Makefile src/Makefile man/Makefile diff --git a/src/XF86VMode.c b/src/XF86VMode.c index 1b907f4..bd54937 100644 --- a/src/XF86VMode.c +++ b/src/XF86VMode.c @@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY. /* THIS IS NOT AN X CONSORTIUM STANDARD */ +#ifdef HAVE_CONFIG_H +#include +#endif + #include #include #include #include #include +#include + +#ifndef HAVE__XEATDATAWORDS +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif #ifdef DEBUG #include @@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, if (modeline->privsize > 0) { modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); if (modeline->private == NULL) { - _XEatData(dpy, (modeline->privsize) * sizeof(INT32)); + _XEatDataWords(dpy, rep.length - + ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)); result = False; } else _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); @@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount, sizeof(XF86VidModeModeInfo *) +sizeof(XF86VidModeModeInfo)))) { - if (majorVersion < 2) - _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo)); - else - _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo)); + _XEatDataWords(dpy, rep.length - + ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2)); UnlockDisplay(dpy); SyncHandle(); return False; @@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, if (oldxmdline.privsize > 0) { if (!(modelines[i]->private = Xcalloc(oldxmdline.privsize, sizeof(INT32)))) { - _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32)); + _XEatDataWords(dpy, oldxmdline.privsize); } else { _XRead(dpy, (char*)modelines[i]->private, oldxmdline.privsize * sizeof(INT32)); @@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount, if (xmdline.privsize > 0) { if (!(modelines[i]->private = Xcalloc(xmdline.privsize, sizeof(INT32)))) { - _XEatData(dpy, (xmdline.privsize) * sizeof(INT32)); + _XEatDataWords(dpy, xmdline.privsize); } else { _XRead(dpy, (char*)modelines[i]->private, xmdline.privsize * sizeof(INT32)); @@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor) monitor->hsync = monitor->vsync = NULL; } if (result == False) { - _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 + - ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3)); + _XEatDataWords(dpy, rep.length); Xfree(monitor->vendor); monitor->vendor = NULL; Xfree(monitor->model); @@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr, dotclocks = Xcalloc(rep.clocks, sizeof(int)); if (dotclocks == NULL) { - _XEatData(dpy, (rep.clocks) * 4); + _XEatDataWords(dpy, rep.length - + ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2)); result = False; } else { -- 1.8.2.3