1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 14:24:12 -0700
Subject: [PATCH 6/8] Use _XEatDataWords to avoid overflow of length
calculations
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/XF86VMode.c | 35 +++++++++++++++++++++++++----------
2 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index d8a23b0..b637788 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86VM_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 1b907f4..bd54937 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
/* THIS IS NOT AN X CONSORTIUM STANDARD */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
#include <X11/Xlibint.h>
#include <X11/extensions/xf86vmproto.h>
#include <X11/extensions/xf86vmode.h>
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
#ifdef DEBUG
#include <stdio.h>
@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
if (modeline->privsize > 0) {
modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
if (modeline->private == NULL) {
- _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
+ _XEatDataWords(dpy, rep.length -
+ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
result = False;
} else
_XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
sizeof(XF86VidModeModeInfo *)
+sizeof(XF86VidModeModeInfo)))) {
- if (majorVersion < 2)
- _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
- else
- _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
+ _XEatDataWords(dpy, rep.length -
+ ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
UnlockDisplay(dpy);
SyncHandle();
return False;
@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
if (oldxmdline.privsize > 0) {
if (!(modelines[i]->private =
Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
- _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
+ _XEatDataWords(dpy, oldxmdline.privsize);
} else {
_XRead(dpy, (char*)modelines[i]->private,
oldxmdline.privsize * sizeof(INT32));
@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
if (xmdline.privsize > 0) {
if (!(modelines[i]->private =
Xcalloc(xmdline.privsize, sizeof(INT32)))) {
- _XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
+ _XEatDataWords(dpy, xmdline.privsize);
} else {
_XRead(dpy, (char*)modelines[i]->private,
xmdline.privsize * sizeof(INT32));
@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
monitor->hsync = monitor->vsync = NULL;
}
if (result == False) {
- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+ _XEatDataWords(dpy, rep.length);
Xfree(monitor->vendor);
monitor->vendor = NULL;
Xfree(monitor->model);
@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
dotclocks = Xcalloc(rep.clocks, sizeof(int));
if (dotclocks == NULL) {
- _XEatData(dpy, (rep.clocks) * 4);
+ _XEatDataWords(dpy, rep.length -
+ ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2));
result = False;
}
else {
--
1.8.2.3
|