From ca84a813716f9de691dc3f60390d83af4b5ae534 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 09:32:12 -0700 Subject: [PATCH 1/7] Use _XEatDataWords to avoid overflow of rep.length bit shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith --- COPYING | 3 ++- configure.ac | 6 ++++++ src/Makefile.am | 1 + src/XEVI.c | 4 +++- src/XMultibuf.c | 3 ++- src/XSecurity.c | 3 ++- src/XShape.c | 3 ++- src/XSync.c | 3 ++- src/Xcup.c | 7 ++++--- src/eat.h | 40 ++++++++++++++++++++++++++++++++++++++++ 10 files changed, 64 insertions(+), 9 deletions(-) create mode 100644 src/eat.h diff --git a/COPYING b/COPYING index 80622a0..e3a63ef 100644 --- a/COPYING +++ b/COPYING @@ -160,7 +160,8 @@ makes no representations about the suitability for any purpose of the information in this document. This documentation is provided ``as is'' without express or implied warranty. -Copyright (c) 1999, 2005, 2006, Oracle and/or its affiliates. All rights reserved. +Copyright (c) 1999, 2005, 2006, 2013, Oracle and/or its affiliates. +All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), diff --git a/configure.ac b/configure.ac index 63775de..fb9888d 100644 --- a/configure.ac +++ b/configure.ac @@ -38,6 +38,12 @@ AC_SUBST(XEXT_SOREV) # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XEXT, [xproto >= 7.0.13] [x11 >= 1.1.99.1] [xextproto >= 7.1.99]) +# Check for _XEatDataWords function that may be patched into older Xlib releases +SAVE_LIBS="$LIBS" +LIBS="$XEXT_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + # Allow checking code with lint, sparse, etc. XORG_WITH_LINT XORG_LINT_LIBRARY([Xext]) diff --git a/src/Makefile.am b/src/Makefile.am index e236c33..b828547 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -12,6 +12,7 @@ libXext_la_LDFLAGS = -version-number $(XEXT_SOREV) -no-undefined libXext_la_LIBADD = $(XEXT_LIBS) libXext_la_SOURCES = \ + eat.h \ DPMS.c \ MITMisc.c \ XAppgroup.c \ diff --git a/src/XEVI.c b/src/XEVI.c index eb09daa..0125c51 100644 --- a/src/XEVI.c +++ b/src/XEVI.c @@ -30,6 +30,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. #include #include #include +#include "eat.h" + static XExtensionInfo *xevi_info;/* needs to move to globals.c */ static const char *xevi_extension_name = EVINAME; #define XeviCheckExtension(dpy,i,val) \ @@ -171,7 +173,7 @@ Status XeviGetVisualInfo( xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo); xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict); if (!*evi_return || !temp_xInfo || !temp_conflict) { - _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); if (evi_return) diff --git a/src/XMultibuf.c b/src/XMultibuf.c index 7a746ba..43d56d3 100644 --- a/src/XMultibuf.c +++ b/src/XMultibuf.c @@ -34,6 +34,7 @@ in this Software without prior written authorization from The Open Group. #include #include #include +#include "eat.h" static XExtensionInfo _multibuf_info_data; static XExtensionInfo *multibuf_info = &_multibuf_info_data; @@ -408,7 +409,7 @@ Status XmbufGetWindowAttributes ( attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes); nbytes = rep.length << 2; if (! attr->buffers) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (0); diff --git a/src/XSecurity.c b/src/XSecurity.c index f8c7da1..ab17755 100644 --- a/src/XSecurity.c +++ b/src/XSecurity.c @@ -33,6 +33,7 @@ in this Software without prior written authorization from The Open Group. #include #include #include +#include "eat.h" static XExtensionInfo _Security_info_data; static XExtensionInfo *Security_info = &_Security_info_data; @@ -282,7 +283,7 @@ XSecurityGenerateAuthorization( } else { - _XEatData(dpy, (unsigned long) (rep.dataLength + 3) & ~3); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); diff --git a/src/XShape.c b/src/XShape.c index 6e8fbae..3987876 100644 --- a/src/XShape.c +++ b/src/XShape.c @@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group. #include #include #include +#include "eat.h" static XExtensionInfo _shape_info_data; static XExtensionInfo *shape_info = &_shape_info_data; @@ -468,7 +469,7 @@ XRectangle *XShapeGetRectangles ( Xfree (xrects); if (rects) Xfree (rects); - _XEatData (dpy, *count * sizeof (xRectangle)); + _XEatDataWords (dpy, rep.length); rects = NULL; *count = 0; } else { diff --git a/src/XSync.c b/src/XSync.c index 5775293..3ca1308 100644 --- a/src/XSync.c +++ b/src/XSync.c @@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE. #include #include #include +#include "eat.h" static XExtensionInfo _sync_info_data; static XExtensionInfo *sync_info = &_sync_info_data; @@ -364,7 +365,7 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return) { if (list) Xfree((char *) list); if (pWireSysCounter) Xfree((char *) pWireSysCounter); - _XEatData(dpy, (unsigned long) replylen); + _XEatDataWords(dpy, rep.length); list = NULL; goto bail; } diff --git a/src/Xcup.c b/src/Xcup.c index bb9e90f..1f1d625 100644 --- a/src/Xcup.c +++ b/src/Xcup.c @@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group. #include #include #include +#include "eat.h" static XExtensionInfo _xcup_info_data; static XExtensionInfo *xcup_info = &_xcup_info_data; @@ -144,7 +145,7 @@ XcupGetReservedColormapEntries( rbufp = rbuf; if (rbufp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; @@ -221,7 +222,7 @@ XcupStoreColors( nbytes = nentries * SIZEOF (xColorItem); if (nentries != ncolors) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; @@ -233,7 +234,7 @@ XcupStoreColors( rbufp = rbuf; if (rbufp == NULL) { - _XEatData (dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return False; diff --git a/src/eat.h b/src/eat.h new file mode 100644 index 0000000..239532b --- /dev/null +++ b/src/eat.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#ifndef HAVE__XEATDATAWORDS +#include /* for LONG64 on 64-bit platforms */ +#include + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif -- 1.8.2.3