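--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
+#include "scrnintstr.h"
 
 #if 0
 static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
 REQUEST(xEVIGetVisualInfoReq);
 xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
 VisualID32 *conflict;
+ unsigned int total_visuals = 0;
 xExtendedVisualInfo *eviInfo;
 int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
 REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
 status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 &eviInfo, &n_info, &conflict, &n_conflict);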
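Review bot: `stuff->n_visual` is read by the new `if (stuff->n_visual > total_visuals)` check before any length validation has run, because `REQUEST_FIXED_SIZE` only comes after it. For a request shorter than `xEVIGetVisualInfoReq`, the field would be compared using whatever bytes follow the request in the input buffer. Adding `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` ahead of the loop keeps the reordering that prevents the multiplication overflow and guarantees the field is part of the request. The byte-swapped handler for this request is not in the diff, so whether it reaches the same bound cannot be confirmed from here. ProcEVIGetVisualInfo continues past the end of this hunk.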
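--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +41,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffff
+#endif
+
 static int sampleGetVisualInfo(
 VisualID32 *visual,
 int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
 VisualID32 **conflict_rn,
 int *n_conflict_rn)
 {
- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+ unsigned int max_sz_evi;
 VisualID32 *temp_conflict;
 xExtendedVisualInfo *evi;
- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
 register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
- if (!*evi_rn)
- return BadAlloc;
+
+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+ return BadAlloc;
+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+
 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
 if (screenInfo.screens[scrI]->numVisuals > max_visuals)
 max_visuals = screenInfo.screens[scrI]->numVisuals;
 }
+
+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
+ * max_visuals))
+ return BadAlloc;
 max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
+
+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+ if (!*evi_rn)
+ return BadAlloc;
+
 temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
 if (!temp_conflict) {
 xfree(*evi_rn);
 return BadAlloc;
 }
+
 for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
 for (visualI = 0; visualI < n_visual; visualI++) {
 evi[sz_evi].core_visual_id = visual[visualI];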
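Review bot: The second overflow guard divides by `sz_VisualID32 * screenInfo.numScreens * max_visuals`, and `max_visuals` starts at 0 and is only raised by the loop just above it, so a configuration in which no screen reports a visual would make the guard itself divide by zero. That state is presumably unreachable on a running server, but an explicit `if (max_visuals == 0) return BadAlloc;` before the division removes the dependency on it. Both guards also depend on the signed `n_visual` being converted to unsigned in the comparison (with the usual 32-bit `int`), which is what rejects negative counts. A comment such as `/* n_visual converts to unsigned here, so negative counts fail this check too */` would stop a later cleanup from casting that away. sampleGetVisualInfo begins before this hunk and continues past its end.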