1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
From 7ce3ce4be46087f9cc57cb415875abaaa961f734 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 4 May 2013 09:21:14 -0700
Subject: [PATCH 1/2] Use _XEatDataWords to avoid overflow of _XEatData
calculations
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/Xinerama.c | 19 ++++++++++++++++++-
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e335508..046a1aa 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1])
+# Check for _XEatDataWords function that may be patched into older Xlib releases
+SAVE_LIBS="$LIBS"
+LIBS="$XINERAMA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Allow checking code with lint, sparse, etc.
XORG_WITH_LINT
LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}"
diff --git a/src/Xinerama.c b/src/Xinerama.c
index 7d7e4d8..04189b6 100644
--- a/src/Xinerama.c
+++ b/src/Xinerama.c
@@ -23,6 +23,10 @@ dealings in this Software without prior written authorization from Digital
Equipment Corporation.
******************************************************************/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
#include <X11/Xlibint.h>
#include <X11/Xutil.h>
#include <X11/extensions/Xext.h>
@@ -31,6 +35,19 @@ Equipment Corporation.
#include <X11/extensions/panoramiXproto.h>
#include <X11/extensions/Xinerama.h>
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _panoramiX_ext_info_data;
static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data;
@@ -302,7 +319,7 @@ XineramaQueryScreens(
*number = rep.number;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
} else {
*number = 0;
}
--
1.8.2.3
|
