1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
|
From 1c7ad6773ce6be00dcd6e51e9be08f203abe5071 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 3 May 2013 23:29:22 -0700
Subject: [PATCH 2/7] Use _XEatDataWords to avoid overflow of rep.length bit
shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/Xrandrint.h | 13 +++++++++++++
src/XrrCrtc.c | 6 +++---
src/XrrOutput.c | 2 +-
src/XrrProperty.c | 9 ++++-----
src/XrrProvider.c | 4 ++--
src/XrrProviderProperty.c | 9 ++++-----
src/XrrScreen.c | 2 +-
8 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/configure.ac b/configure.ac
index 3f28bef..8466999 100644
--- a/configure.ac
+++ b/configure.ac
@@ -55,6 +55,12 @@ AC_SUBST(RANDR_VERSION)
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(RANDR, x11 randrproto >= $RANDR_VERSION xext xextproto xrender renderproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$RANDR_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/Xrandrint.h b/src/Xrandrint.h
index aed10e4..1687c29 100644
--- a/src/Xrandrint.h
+++ b/src/Xrandrint.h
@@ -42,6 +42,19 @@ extern char XRRExtensionName[];
XExtDisplayInfo *XRRFindDisplay (Display *dpy);
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
/* deliberately opaque internal data structure; can be extended,
but not reordered */
diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
index 04087c5..a704a52 100644
--- a/src/XrrCrtc.c
+++ b/src/XrrCrtc.c
@@ -74,7 +74,7 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
xci = (XRRCrtcInfo *) Xmalloc(rbytes);
if (xci == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -203,7 +203,7 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
if (!crtc_gamma)
{
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
goto out;
}
_XRead16 (dpy, crtc_gamma->red, rep.size * 2);
@@ -397,7 +397,7 @@ XRRGetCrtcTransform (Display *dpy,
int extraBytes = rep.length * 4 - CrtcTransformExtra;
extra = Xmalloc (extraBytes);
if (!extra) {
- _XEatData (dpy, extraBytes);
+ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return False;
diff --git a/src/XrrOutput.c b/src/XrrOutput.c
index f13a932..4df894e 100644
--- a/src/XrrOutput.c
+++ b/src/XrrOutput.c
@@ -81,7 +81,7 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
xoi = (XRROutputInfo *) Xmalloc(rbytes);
if (xoi == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
diff --git a/src/XrrProperty.c b/src/XrrProperty.c
index 4c3fdb0..2b065b2 100644
--- a/src/XrrProperty.c
+++ b/src/XrrProperty.c
@@ -62,7 +62,7 @@ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
props = (Atom *) Xmalloc (rbytes);
if (props == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
*nprop = 0;
@@ -107,7 +107,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -313,14 +313,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
diff --git a/src/XrrProvider.c b/src/XrrProvider.c
index fcd06ff..309e321 100644
--- a/src/XrrProvider.c
+++ b/src/XrrProvider.c
@@ -67,7 +67,7 @@ XRRGetProviderResources(Display *dpy, Window window)
xrpr = (XRRProviderResources *) Xmalloc(rbytes);
if (xrpr == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -136,7 +136,7 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
xpi = (XRRProviderInfo *)Xmalloc(rbytes);
if (xpi == NULL) {
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index c8c08e9..2d90a0a 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -62,7 +62,7 @@ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
props = (Atom *) Xmalloc (rbytes);
if (props == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
*nprop = 0;
@@ -107,7 +107,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
@@ -313,14 +313,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider,
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadImplementation);
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc);
diff --git a/src/XrrScreen.c b/src/XrrScreen.c
index f830913..08710b6 100644
--- a/src/XrrScreen.c
+++ b/src/XrrScreen.c
@@ -129,7 +129,7 @@ doGetScreenResources (Display *dpy, Window window, int poll)
if (xrsr == NULL || wire_names == NULL) {
if (xrsr) Xfree (xrsr);
if (wire_names) Xfree (wire_names);
- _XEatData (dpy, (unsigned long) nbytes);
+ _XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
--
1.8.2.3
|
