From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 14:24:12 -0700
Subject: [PATCH 6/8] Use _XEatDataWords to avoid overflow of length
 calculations

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 configure.ac    |  6 ++++++
 src/XF86VMode.c | 35 +++++++++++++++++++++++++----------
 2 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/configure.ac b/configure.ac
index d8a23b0..b637788 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86VM_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index 1b907f4..bd54937 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
 
 /* THIS IS NOT AN X CONSORTIUM STANDARD */
 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
 #include <X11/Xlibint.h>
 #include <X11/extensions/xf86vmproto.h>
 #include <X11/extensions/xf86vmode.h>
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 #ifdef DEBUG
 #include <stdio.h>
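Review bot: The fallback `_XEatDataWords` added here has no comment saying that it is a compatibility copy for Xlib builds that lack the function, or why the range check is compiled only when `LONG64` is undefined. I would add above the definition: `/* Fallback for Xlib without _XEatDataWords: discard n 32-bit words. With a 32-bit long, n << 2 can wrap, so an oversized n is treated as a fatal I/O error. */`. The guard only helps if `_XIOError` does not return, because the shift on the next line still runs otherwise. That is presumably true for the Xlib releases this fallback targets, but it is worth stating in the comment.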
@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     if (modeline->privsize > 0) {
 	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
 	if (modeline->private == NULL) {
-	    _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
+	    _XEatDataWords(dpy, rep.length -
+		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
 	    result = False;
 	} else
 	    _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
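Review bot: The unchanged `_XRead` in the else branch still takes its byte count from the server-supplied `modeline->privsize`, while the failure path now discards an amount derived from `rep.length`. Nothing visible in this hunk checks that `privsize` fits in the words remaining in the reply, so a reply whose `privsize` disagrees with its length leaves the connection out of sync on the success path. Consider computing the remaining word count once and treating a larger `privsize` as a failure, for example `if (modeline->privsize > remaining) modeline->private = NULL; else modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));`. The subtraction also assumes `rep.length` is at least the fixed part of the reply, which presumably the earlier `_XReply` call guarantees; that call is outside the hunk, as are the start and end of the function.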
@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
     if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
                                           sizeof(XF86VidModeModeInfo *)
                                           +sizeof(XF86VidModeModeInfo)))) {
-	if (majorVersion < 2)
-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
-	else
-            _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
+	_XEatDataWords(dpy, rep.length -
+	    ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
 	UnlockDisplay(dpy);
 	SyncHandle();
         return False;
@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
 		if (oldxmdline.privsize > 0) {
 	            if (!(modelines[i]->private =
 			    Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
-			_XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
+			_XEatDataWords(dpy, oldxmdline.privsize);
 		    } else {
 			_XRead(dpy, (char*)modelines[i]->private,
 			     oldxmdline.privsize * sizeof(INT32));
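Review bot: `_XEatDataWords(dpy, oldxmdline.privsize)` removes the multiplication overflow but still discards a per-mode count taken from the server without comparing it to what is left of `rep.length`; the same applies to `_XEatDataWords(dpy, xmdline.privsize)` in the next hunk. A `privsize` larger than the remaining reply would make the client block on the read or swallow data belonging to later replies. Since this runs inside the per-mode loop, the total cannot be taken from `rep.length` directly as at the other call sites. A running count of unread words, decremented per mode and checked before each `_XEatDataWords`/`_XRead`, would bound both branches. The loop and the enclosing function extend beyond this hunk.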
@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
 		if (xmdline.privsize > 0) {
 		    if (!(modelines[i]->private =
 			    Xcalloc(xmdline.privsize, sizeof(INT32)))) {
-			_XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
+			_XEatDataWords(dpy, xmdline.privsize);
 		    } else {
 			_XRead(dpy, (char*)modelines[i]->private,
 			     xmdline.privsize * sizeof(INT32));
@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
 	monitor->hsync = monitor->vsync = NULL;
     }
     if (result == False) {
-	_XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
-		  ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+	_XEatDataWords(dpy, rep.length);
 	Xfree(monitor->vendor);
 	monitor->vendor = NULL;
 	Xfree(monitor->model);
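Review bot: A short comment is needed at `_XEatDataWords(dpy, rep.length)` explaining why this call passes the whole reply length, whereas the other call sites in this commit subtract the fixed reply fields first. Something like `/* reply has no fixed fields beyond xReply, so rep.length is exactly the trailing data */` would do, if that is indeed the reason; the reply struct is not visible here. It is also only correct if nothing has been read from the reply body before `result` is tested, which cannot be confirmed from this hunk because the function body starts and ends outside it.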
@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
 
     dotclocks = Xcalloc(rep.clocks, sizeof(int));
     if (dotclocks == NULL) {
-        _XEatData(dpy, (rep.clocks) * 4);
+        _XEatDataWords(dpy, rep.length -
+	    ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2));
         result = False;
     }
     else {
-- 
1.8.2.3