upstream/oracle/x-cons/x-s11-update-clone: open-src/lib/libXfixes/CVE-2013-1983.patch@d5dacbb8de2b (annotated)

1345 d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	1	From b031e3b60fa1af9e49449f23d4a84395868be3ab Mon Sep 17 00:00:00 2001
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	2	From: Alan Coopersmith <[email protected]>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	3	Date: Sat, 13 Apr 2013 10:20:59 -0700
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	4	Subject: [PATCH:libXfixes 1/2] Use _XEatDataWords to avoid overflow of
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	5	_XEatData calculations
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	6
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	7	rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	8
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	9	Signed-off-by: Alan Coopersmith <[email protected]>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	10	---
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	11	configure.ac \| 7 +++++++
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	12	src/Cursor.c \| 4 ++--
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	13	src/Region.c \| 2 +-
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	14	src/Xfixesint.h \| 14 ++++++++++++++
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	15	4 files changed, 24 insertions(+), 3 deletions(-)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	16
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	17	diff --git a/configure.ac b/configure.ac
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	18	index b942ffa..bb8e976 100644
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	19	--- a/configure.ac
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	20	+++ b/configure.ac
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	21	@@ -57,6 +57,13 @@ AC_SUBST(FIXESEXT_VERSION)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	22	# Obtain compiler/linker options for depedencies
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	23	PKG_CHECK_MODULES(FIXESEXT, xproto [fixesproto >= $FIXESEXT_VERSION] xextproto x11)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	24
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	25	+# Check for _XEatDataWords function that may be patched into older Xlib releases
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	26	+SAVE_LIBS="$LIBS"
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	27	+LIBS="$FIXESEXT_LIBS"
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	28	+AC_CHECK_FUNCS([_XEatDataWords])
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	29	+LIBS="$SAVE_LIBS"
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	30	+
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	31	+
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	32	AC_CONFIG_FILES([Makefile
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	33	src/Makefile
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	34	man/Makefile
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	35	diff --git a/src/Cursor.c b/src/Cursor.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	36	index b3dfed1..641b747 100644
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	37	--- a/src/Cursor.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	38	+++ b/src/Cursor.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	39	@@ -113,7 +113,7 @@ XFixesGetCursorImage (Display *dpy)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	40	image = (XFixesCursorImage *) Xmalloc (rlength);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	41	if (!image)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	42	{
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	43	- _XEatData (dpy, nbytes);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	44	+ _XEatDataWords(dpy, rep.length);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	45	UnlockDisplay (dpy);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	46	SyncHandle ();
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	47	return NULL;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	48	@@ -191,7 +191,7 @@ XFixesGetCursorName (Display dpy, Cursor cursor, Atom atom)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	49	_XReadPad(dpy, name, (long)rep.nbytes);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	50	name[rep.nbytes] = '\0';
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	51	} else {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	52	- _XEatData(dpy, (unsigned long) (rep.nbytes + 3) & ~3);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	53	+ _XEatDataWords(dpy, rep.length);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	54	name = (char *) NULL;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	55	}
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	56	UnlockDisplay(dpy);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	57	diff --git a/src/Region.c b/src/Region.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	58	index 042f966..cb0cf6e 100644
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	59	--- a/src/Region.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	60	+++ b/src/Region.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	61	@@ -338,7 +338,7 @@ XFixesFetchRegionAndBounds (Display *dpy,
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	62	rects = Xmalloc (nrects * sizeof (XRectangle));
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	63	if (!rects)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	64	{
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	65	- _XEatData (dpy, nbytes);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	66	+ _XEatDataWords(dpy, rep.length);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	67	UnlockDisplay (dpy);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	68	SyncHandle ();
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	69	return NULL;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	70	diff --git a/src/Xfixesint.h b/src/Xfixesint.h
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	71	index 8a4d5fd..7bf5bfd 100644
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	72	--- a/src/Xfixesint.h
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	73	+++ b/src/Xfixesint.h
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	74	@@ -60,4 +60,18 @@ XFixesFindDisplay (Display *dpy);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	75	#define XFixesSimpleCheckExtension(dpy,i) \
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	76	if (!XFixesHasExtension(i)) { return; }
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	77
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	78	+#ifndef HAVE__XEATDATAWORDS
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	79	+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	80	+#include <limits.h>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	81	+
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	82	+static inline void _XEatDataWords(Display *dpy, unsigned long n)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	83	+{
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	84	+# ifndef LONG64
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	85	+ if (n >= (ULONG_MAX >> 2))
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	86	+ _XIOError(dpy);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	87	+# endif
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	88	+ _XEatData (dpy, n << 2);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	89	+}
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	90	+#endif
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	91	+
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	92	#endif /* _XFIXESINT_H_ */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	93	--
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	94	1.7.9.2
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	95
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	96	From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	97	From: Alan Coopersmith <[email protected]>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	98	Date: Sat, 13 Apr 2013 10:24:08 -0700
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	99	Subject: [PATCH:libXfixes 2/2] integer overflow in XFixesGetCursorImage()
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	100	[CVE-2013-1983]
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	101
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	102	If the reported cursor dimensions or name length are too large, the
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	103	calculations to allocate memory for them may overflow, leaving us
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	104	writing beyond the bounds of the allocation.
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	105
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	106	Reported-by: Ilja Van Sprundel <[email protected]>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	107	Signed-off-by: Alan Coopersmith <[email protected]>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	108	---
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	109	src/Cursor.c \| 30 ++++++++++++++++++------------
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	110	1 file changed, 18 insertions(+), 12 deletions(-)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	111
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	112	diff --git a/src/Cursor.c b/src/Cursor.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	113	index 641b747..33590b7 100644
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	114	--- a/src/Cursor.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	115	+++ b/src/Cursor.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	116	@@ -47,6 +47,7 @@
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	117	#include <config.h>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	118	#endif
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	119	#include "Xfixesint.h"
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	120	+#include <limits.h>
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	121
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	122	void
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	123	XFixesSelectCursorInput (Display *dpy,
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	124	@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	125	XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	126	xXFixesGetCursorImageAndNameReq *req;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	127	xXFixesGetCursorImageAndNameReply rep;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	128	- int npixels;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	129	- int nbytes_name;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	130	- int nbytes, nread, rlength;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	131	+ size_t npixels;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	132	+ size_t nbytes_name;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	133	+ size_t nbytes, nread, rlength;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	134	XFixesCursorImage *image;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	135	char *name;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	136
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	137	@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	138	}
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	139	npixels = rep.width * rep.height;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	140	nbytes_name = rep.nbytes;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	141	- /* reply data length */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	142	- nbytes = (long) rep.length << 2;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	143	- /* bytes of actual data in the reply */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	144	- nread = (npixels << 2) + nbytes_name;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	145	- /* size of data returned to application */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	146	- rlength = (sizeof (XFixesCursorImage) +
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	147	- npixels * sizeof (unsigned long) +
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	148	- nbytes_name + 1);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	149	+ if ((rep.length < (INT_MAX >> 2)) &&
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	150	+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	151	+ - nbytes_name)) {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	152	+ /* reply data length */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	153	+ nbytes = (size_t) rep.length << 2;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	154	+ /* bytes of actual data in the reply */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	155	+ nread = (npixels << 2) + nbytes_name;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	156	+ /* size of data returned to application */
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	157	+ rlength = (sizeof (XFixesCursorImage) +
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	158	+ npixels * sizeof (unsigned long) +
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	159	+ nbytes_name + 1);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	160
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	161	- image = (XFixesCursorImage *) Xmalloc (rlength);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	162	+ image = Xmalloc (rlength);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	163	+ } else
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	164	+ image = NULL;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	165	if (!image)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	166	{
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	167	_XEatDataWords(dpy, rep.length);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	168
d5dacbb8de2b 16673783 problem in X11/LIBRARIES Alan Coopersmith <Alan.Coopersmith@Oracle.COM> parents: diff changeset	169

author	Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
	Wed, 15 May 2013 13:44:02 -0700
changeset 1345	d5dacbb8de2b
permissions	-rw-r--r--