xserver: Branch 'master' - 10 commits

Keith Packard keithp at kemper.freedesktop.org
Mon Jul 22 20:37:24 PDT 2013


 configure.ac                     |    4 +--
 hw/dmx/dmx_glxvisuals.c          |   25 ++++++++++++++------
 hw/dmx/glxProxy/glxcmds.c        |   16 +++----------
 hw/dmx/glxProxy/glxscreens.c     |    9 ++-----
 hw/dmx/glxProxy/glxsingle.c      |    6 ++--
 hw/dmx/glxProxy/glxvendor.c      |    4 +--
 hw/kdrive/ephyr/XF86dri.c        |   23 ++++++++++++-------
 hw/kdrive/ephyr/ephyrhostglx.c   |   47 ++++++++++++++++++++++++---------------
 hw/kdrive/ephyr/ephyrhostvideo.c |    2 -
 hw/xnest/Args.h                  |    2 -
 10 files changed, 78 insertions(+), 60 deletions(-)

New commits:
commit d5ebe20f9ba9569351c4a41449866679fd60ba45
Merge: 21ea7eb 33f7e60
Author: Keith Packard <keithp at keithp.com>
Date:   Mon Jul 22 20:34:41 2013 -0700

    Merge remote-tracking branch 'alanc/master'

commit 33f7e60785f12770ce10558c2ca7ce1323eefc59
Author: Thomas Klausner <wiz at NetBSD.org>
Date:   Fri Jul 12 08:21:19 2013 +0200

    Fix typo in header guard.
    
    Signed-off-by: Thomas Klausner <wiz at NetBSD.org>
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/hw/xnest/Args.h b/hw/xnest/Args.h
index 514a395..225418d 100644
--- a/hw/xnest/Args.h
+++ b/hw/xnest/Args.h
@@ -12,7 +12,7 @@ is" without express or implied warranty.
 
 */
 
-#ifndef XNESTARGC_H
+#ifndef XNESTARGS_H
 #define XNESTARGS_H
 
 extern char *xnestDisplayName;
commit ddc52b9cbae017f04c7a232af4e8b16c9f96823d
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Jul 5 22:43:17 2013 -0700

    Xephyr: Use _XEatDataWords (from Xlib 1.6) instead of _XEatData
    
    Simplifies code and reduces risk of overflow from converting length
    field in X replies from words to bytes.
    
    One call to _XEatData is left in ephyrHostGLXGetStringFromServer where
    it's already been checked for overflow, and other values have been
    subtracted from it to reduce the size of data remaining to be eaten.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/configure.ac b/configure.ac
index 206b9c4..75281f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2112,7 +2112,7 @@ if test "$KDRIVE" = yes; then
        AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver])
     fi
 
-    XEPHYR_REQUIRED_LIBS="x11 $LIBXEXT xau xdmcp"
+    XEPHYR_REQUIRED_LIBS="x11 >= 1.6 $LIBXEXT xau xdmcp"
     if test "x$XV" = xyes; then
         XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xv"
     fi
diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
index 9f230fc..15b6219 100644
--- a/hw/kdrive/ephyr/XF86dri.c
+++ b/hw/kdrive/ephyr/XF86dri.c
@@ -231,7 +231,7 @@ XF86DRIOpenConnection(Display * dpy, int screen,
         else
             *busIdString = NULL;
         if (*busIdString == NULL) {
-            _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+            _XEatDataWords(dpy, rep.length);
             UnlockDisplay(dpy);
             SyncHandle();
             TRACE("OpenConnection... return False");
@@ -333,7 +333,7 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
         else
             *clientDriverName = NULL;
         if (*clientDriverName == NULL) {
-            _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+            _XEatDataWords(dpy, rep.length);
             UnlockDisplay(dpy);
             SyncHandle();
             TRACE("GetClientDriverName... return False");
@@ -539,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable,
                           SIZEOF(xGenericReply) +
                           total_rects * sizeof(drm_clip_rect_t)) +
                          3) & ~3) >> 2)) {
-        _XEatData(dpy, rep.length);
+        _XEatDataWords(dpy, rep.length);
         UnlockDisplay(dpy);
         SyncHandle();
         TRACE("GetDrawableInfo... return False");
@@ -613,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer,
 
     if (rep.length) {
         if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) {
-            _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3));
+            _XEatDataWords(dpy, rep.length);
             UnlockDisplay(dpy);
             SyncHandle();
             TRACE("GetDeviceInfo... return False");
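Review bot: `rep.devPrivateSize` and `rep.length` are independent server-supplied fields, and this branch sizes the allocation from the first while discarding by the second without ever relating them, so a reply whose devPrivateSize exceeds `rep.length * 4` would presumably be read past the end of the reply by the copy that follows (outside this hunk). Rejecting the reply when `(rep.devPrivateSize + 3) / 4 > rep.length`, taking the same `_XEatDataWords` path as the allocation failure, would bound the private data by what the server actually sent. XF86DRIGetDeviceInfo starts before and continues after this hunk.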
diff --git a/hw/kdrive/ephyr/ephyrhostglx.c b/hw/kdrive/ephyr/ephyrhostglx.c
index 90f450c..6a4392f 100644
--- a/hw/kdrive/ephyr/ephyrhostglx.c
+++ b/hw/kdrive/ephyr/ephyrhostglx.c
@@ -211,8 +211,10 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,
     _XReply(dpy, (xReply *) &reply, 0, False);
 
 #if UINT32_MAX >= (ULONG_MAX / 4)
-    if (reply.length >= (ULONG_MAX / 4))
+    if (reply.length >= (ULONG_MAX / 4)) {
+        _XEatDataWords(dpy, reply.length);
         goto eat_out;
+    }
 #endif
     if (reply.length > 0) {
         length = (unsigned long) reply.length * 4;
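Review bot: the `goto eat_out` after the new `_XEatDataWords` call lands on a label whose `_XEatData(dpy, length)` (shown in the earlier commit on this page) only stays harmless because `length` is still its initial 0 at this point; if that initialisation ever moved, the reply body would be eaten twice. That dependency deserves a comment at the new call, e.g. `/* length is still 0 here, so eat_out's _XEatData is a no-op; discard the body now */`. ephyrHostGLXGetStringFromServer starts before and continues after this hunk.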
diff --git a/hw/kdrive/ephyr/ephyrhostvideo.c b/hw/kdrive/ephyr/ephyrhostvideo.c
index 362aa05..05e9ad9 100644
--- a/hw/kdrive/ephyr/ephyrhostvideo.c
+++ b/hw/kdrive/ephyr/ephyrhostvideo.c
@@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id,
         _XRead(dpy, (char *) a_offsets, rep.num_planes << 2);
     }
     else {
-        _XEatData(dpy, rep.length << 2);
+        _XEatDataWords(dpy, rep.length);
     }
     *a_width = rep.width;
     *a_height = rep.height;
commit a3d43edf71847f4b486f971405d2b457f81b73d1
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Jul 5 22:35:32 2013 -0700

    glxproxy: Use _XEatDataWords (from Xlib 1.6) instead of _XEatData
    
    Reduces risk of overflow from converting the length field in X replies
    from words to bytes.  (Several calls were already passing the word
    count to _XEatData, which expects bytes, so this also corrects them.)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/configure.ac b/configure.ac
index 89a7a9d..206b9c4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2003,7 +2003,7 @@ AM_CONDITIONAL(STANDALONE_XPBPROXY, [test "x$STANDALONE_XPBPROXY" = xyes])
 dnl DMX DDX
 PKG_CHECK_MODULES(
 	[DMXMODULES],
-	[xmuu $LIBXEXT x11 xrender xfixes $LIBXI $DMXPROTO xau $XDMCP_MODULES],
+	[xmuu $LIBXEXT x11 >= 1.6 xrender xfixes $LIBXI $DMXPROTO xau $XDMCP_MODULES],
 	[PKG_CHECK_MODULES(
 		[XDMXCONFIG_DEP],
 		[xaw7 xmu xt xpm x11],
diff --git a/hw/dmx/glxProxy/glxcmds.c b/hw/dmx/glxProxy/glxcmds.c
index 0e817ca..8cdb25e 100644
--- a/hw/dmx/glxProxy/glxcmds.c
+++ b/hw/dmx/glxProxy/glxcmds.c
@@ -2610,7 +2610,7 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc)
     be_buf = (char *) malloc(numbytes);
     if (!be_buf) {
         /* Throw data on the floor */
-        _XEatData(dpy, len);
+        _XEatDataWords(dpy, len);
     }
     else {
         _XReadPad(dpy, (char *) be_buf, numbytes);
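Review bot: `numbytes` is never checked against `len`: the buffer is sized from `be_reply.n` and the discard from `be_reply.length`, but when `malloc` succeeds `_XReadPad` reads `be_reply.n` bytes regardless of whether they fit in the `len * 4` bytes the reply announces, so a malformed back-end reply desynchronizes the display connection. Both values are also assigned through `(int)` casts of CARD32 fields (visible in the preceding commit's hunk of this function), so a value at or above 2^31 goes negative before it reaches `malloc`. A guard such as `if (numbytes > len * 4) { _XEatDataWords(dpy, len); goto fail; }` before the allocation, with both locals declared `unsigned long`, would cover both cases. __glXQueryExtensionsString starts before and continues after this hunk.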
@@ -2691,7 +2691,7 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc)
     be_buf = (char *) malloc(numbytes);
     if (!be_buf) {
         /* Throw data on the floor */
-        _XEatData(dpy, len);
+        _XEatDataWords(dpy, len);
     }
     else {
         _XReadPad(dpy, (char *) be_buf, numbytes);
diff --git a/hw/dmx/glxProxy/glxscreens.c b/hw/dmx/glxProxy/glxscreens.c
index 746d94e..138afed 100644
--- a/hw/dmx/glxProxy/glxscreens.c
+++ b/hw/dmx/glxProxy/glxscreens.c
@@ -154,7 +154,7 @@ CalcServerVersionAndExtensions(void)
         be_extensions[s] = (char *) malloc(numbytes);
         if (!be_extensions[s]) {
             /* Throw data on the floor */
-            _XEatData(dpy, length);
+            _XEatDataWords(dpy, length);
         }
         else {
             _XReadPad(dpy, (char *) be_extensions[s], numbytes);
diff --git a/hw/dmx/glxProxy/glxsingle.c b/hw/dmx/glxProxy/glxsingle.c
index e60cfeb..abfb880 100644
--- a/hw/dmx/glxProxy/glxsingle.c
+++ b/hw/dmx/glxProxy/glxsingle.c
@@ -258,7 +258,7 @@ __glXForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc)
         }
         else {
             /* Throw data on the floor */
-            _XEatData(dpy, be_buf_size);
+            _XEatDataWords(dpy, be_reply.length);
             return BadAlloc;
         }
     }
@@ -357,7 +357,7 @@ __glXForwardAllWithReply(__GLXclientState * cl, GLbyte * pc)
             }
             else {
                 /* Throw data on the floor */
-                _XEatData(dpy, be_buf_size);
+                _XEatDataWords(dpy, be_reply.length);
                 return BadAlloc;
             }
         }
@@ -993,7 +993,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
                     }
                     else {
                         /* Throw data on the floor */
-                        _XEatData(dpy, be_buf_size);
+                        _XEatDataWords(dpy, be_reply.length);
                         free(buf);
                         return BadAlloc;
                     }
diff --git a/hw/dmx/glxProxy/glxvendor.c b/hw/dmx/glxProxy/glxvendor.c
index 5777c6a..50d505c 100644
--- a/hw/dmx/glxProxy/glxvendor.c
+++ b/hw/dmx/glxProxy/glxvendor.c
@@ -246,7 +246,7 @@ __glXVForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc)
         }
         else {
             /* Throw data on the floor */
-            _XEatData(dpy, be_buf_size);
+            _XEatDataWords(dpy, be_reply.length);
             return BadAlloc;
         }
     }
@@ -340,7 +340,7 @@ __glXVForwardAllWithReply(__GLXclientState * cl, GLbyte * pc)
             }
             else {
                 /* Throw data on the floor */
-                _XEatData(dpy, be_buf_size);
+                _XEatDataWords(dpy, be_reply.length);
                 return BadAlloc;
             }
         }
commit 87b0cabc145a9b5f6faffdfb544ce1c647b8ab72
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Jul 5 22:32:10 2013 -0700

    glxproxy: Use _XReadPad instead of _XEatData to clean up the slop
    
    Xlib already provides a function to eat padding bytes after the
    data read, so use it instead of calculating it ourselves.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/hw/dmx/glxProxy/glxcmds.c b/hw/dmx/glxProxy/glxcmds.c
index 4538274..0e817ca 100644
--- a/hw/dmx/glxProxy/glxcmds.c
+++ b/hw/dmx/glxProxy/glxcmds.c
@@ -2582,7 +2582,6 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc)
     xGLXQueryExtensionsStringReply be_reply;
     DMXScreenInfo *dmxScreen;
     Display *dpy;
-    int slop;
 #endif
 
     screen = req->screen;
@@ -2608,16 +2607,13 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc)
     _XReply(dpy, (xReply *) &be_reply, 0, False);
     len = (int) be_reply.length;
     numbytes = (int) be_reply.n;
-    slop = numbytes * __GLX_SIZE_INT8 & 3;
     be_buf = (char *) malloc(numbytes);
     if (!be_buf) {
         /* Throw data on the floor */
         _XEatData(dpy, len);
     }
     else {
-        _XRead(dpy, (char *) be_buf, numbytes);
-        if (slop)
-            _XEatData(dpy, 4 - slop);
+        _XReadPad(dpy, (char *) be_buf, numbytes);
     }
     UnlockDisplay(dpy);
     SyncHandle();
@@ -2666,7 +2662,6 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc)
     xGLXQueryServerStringReply be_reply;
     DMXScreenInfo *dmxScreen;
     Display *dpy;
-    int slop;
 #endif
 
     name = req->name;
@@ -2693,16 +2688,13 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc)
     _XReply(dpy, (xReply *) &be_reply, 0, False);
     len = (int) be_reply.length;
     numbytes = (int) be_reply.n;
-    slop = numbytes * __GLX_SIZE_INT8 & 3;
     be_buf = (char *) malloc(numbytes);
     if (!be_buf) {
         /* Throw data on the floor */
         _XEatData(dpy, len);
     }
     else {
-        _XRead(dpy, (char *) be_buf, numbytes);
-        if (slop)
-            _XEatData(dpy, 4 - slop);
+        _XReadPad(dpy, (char *) be_buf, numbytes);
     }
     UnlockDisplay(dpy);
     SyncHandle();
diff --git a/hw/dmx/glxProxy/glxscreens.c b/hw/dmx/glxProxy/glxscreens.c
index 2a19092..746d94e 100644
--- a/hw/dmx/glxProxy/glxscreens.c
+++ b/hw/dmx/glxProxy/glxscreens.c
@@ -138,7 +138,7 @@ CalcServerVersionAndExtensions(void)
         Display *dpy = dmxScreen->beDisplay;
         xGLXQueryServerStringReq *req;
         xGLXQueryServerStringReply reply;
-        int length, numbytes, slop;
+        int length, numbytes;
 
         /* Send the glXQueryServerString request */
         LockDisplay(dpy);
@@ -151,16 +151,13 @@ CalcServerVersionAndExtensions(void)
 
         length = (int) reply.length;
         numbytes = (int) reply.n;
-        slop = numbytes * __GLX_SIZE_INT8 & 3;
         be_extensions[s] = (char *) malloc(numbytes);
         if (!be_extensions[s]) {
             /* Throw data on the floor */
             _XEatData(dpy, length);
         }
         else {
-            _XRead(dpy, (char *) be_extensions[s], numbytes);
-            if (slop)
-                _XEatData(dpy, 4 - slop);
+            _XReadPad(dpy, (char *) be_extensions[s], numbytes);
         }
         UnlockDisplay(dpy);
         SyncHandle();
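Review bot: `length` and `numbytes` are declared `int` (in the hunk above) yet receive CARD32 reply fields through `(int)` casts, and the new `_XReadPad(dpy, (char *) be_extensions[s], numbytes)` reads `reply.n` bytes without confirming they fit in the `length * 4` bytes the reply carries. Declaring both `unsigned long` and rejecting the reply with `if (numbytes > length * 4) { _XEatData(dpy, length * 4); continue-or-fail; }` before the `malloc` would keep a hostile back-end from desynchronizing the connection; the exact recovery depends on the loop body, which continues outside this hunk.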
commit 1cb182cbdc11fc1c97507c57875f1d2453f27328
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Mon Apr 15 08:41:14 2013 -0700

    Xephyr: integer overflow in XF86DRIGetClientDriverName()
    
    clientDriverNameLength is a CARD32 and needs to be bounds checked before
    adding one to it to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>

diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
index 7074bc3..9f230fc 100644
--- a/hw/kdrive/ephyr/XF86dri.c
+++ b/hw/kdrive/ephyr/XF86dri.c
@@ -328,9 +328,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
     *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
     if (rep.length) {
-        if (!
-            (*clientDriverName =
-             (char *) calloc(rep.clientDriverNameLength + 1, 1))) {
+        if (rep.clientDriverNameLength < INT_MAX)
+            *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+        else
+            *clientDriverName = NULL;
+        if (*clientDriverName == NULL) {
             _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
             UnlockDisplay(dpy);
             SyncHandle();
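Review bot: the `INT_MAX` bound stops the `+ 1` from wrapping but still lets `rep.clientDriverNameLength` exceed the reply body, because it is never compared with `rep.length`; the read of the name that presumably follows (outside this hunk) would then run past the reply. Adding `(rep.clientDriverNameLength + 3) / 4 <= rep.length` to the condition, i.e. `if (rep.clientDriverNameLength < INT_MAX && (rep.clientDriverNameLength + 3) / 4 <= rep.length)`, would bound the allocation by what the server actually sent. XF86DRIGetClientDriverName continues after the hunk.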
commit 20644e53b385c54d73242c86a7d3f981d18a3843
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Mon Apr 15 08:39:03 2013 -0700

    Xephyr: integer overflow in XF86DRIOpenConnection()
    
    busIdStringLength is a CARD32 and needs to be bounds checked before adding
    one to it to come up with the total size to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network past
    the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>

diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
index 9d742f3..7074bc3 100644
--- a/hw/kdrive/ephyr/XF86dri.c
+++ b/hw/kdrive/ephyr/XF86dri.c
@@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <GL/glx.h>
 #include "xf86dri.h"
 #include <X11/dri/xf86driproto.h>
+#include <limits.h>
 
 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -225,7 +226,11 @@ XF86DRIOpenConnection(Display * dpy, int screen,
     }
 
     if (rep.length) {
-        if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) {
+        if (rep.busIdStringLength < INT_MAX)
+            *busIdString = calloc(rep.busIdStringLength + 1, 1);
+        else
+            *busIdString = NULL;
+        if (*busIdString == NULL) {
             _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
             UnlockDisplay(dpy);
             SyncHandle();
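Review bot: `rep.busIdStringLength` is bounded against `INT_MAX` but not against the reply's own `rep.length`, so a server can still announce a string longer than the body it sends and the subsequent read of the string (outside this hunk) would presumably run past the reply. Extending the new test to `if (rep.busIdStringLength < INT_MAX && (rep.busIdStringLength + 3) / 4 <= rep.length)` ties the allocation to the bytes actually on the wire. XF86DRIOpenConnection starts before and continues after this hunk.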
commit c37ceda76bf9ec6f5166122e864663e10f106546
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Apr 14 10:50:50 2013 -0700

    Xephyr: integer overflow in ephyrHostGLXGetStringFromServer()
    
    reply.length & reply.size are CARD32s and need to be bounds checked before
    multiplying or adding to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/hw/kdrive/ephyr/ephyrhostglx.c b/hw/kdrive/ephyr/ephyrhostglx.c
index 5c6c40f..90f450c 100644
--- a/hw/kdrive/ephyr/ephyrhostglx.c
+++ b/hw/kdrive/ephyr/ephyrhostglx.c
@@ -137,7 +137,7 @@ ephyrHostGLXQueryVersion(int *a_major, int *a_minor)
 }
 
 /**
- * GLX protocol structure for the ficticious "GXLGenericGetString" request.
+ * GLX protocol structure for the ficticious "GLXGenericGetString" request.
  * 
  * This is a non-existant protocol packet.  It just so happens that all of
  * the real protocol packets used to request a string from the server have
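Review bot: the corrected comment line still misspells "fictitious" as `ficticious`; since the line is being touched anyway, `* GLX protocol structure for the fictitious "GLXGenericGetString" request.` would fix both typos at once. The comment block continues past the hunk.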
@@ -169,7 +169,8 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,
     int default_screen = DefaultScreen(dpy);
     xGLXGenericGetStringReq *req = NULL;
     xGLXSingleReply reply;
-    int length = 0, numbytes = 0, major_opcode = 0, get_string_op = 0;
+    unsigned long length = 0, numbytes = 0;
+    int major_opcode = 0, get_string_op = 0;
 
     EPHYR_RETURN_VAL_IF_FAIL(dpy && a_string, FALSE);
 
@@ -209,36 +210,46 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,
 
     _XReply(dpy, (xReply *) &reply, 0, False);
 
-    length = reply.length * 4;
-    if (!length) {
-        numbytes = 0;
-    }
-    else {
+#if UINT32_MAX >= (ULONG_MAX / 4)
+    if (reply.length >= (ULONG_MAX / 4))
+        goto eat_out;
+#endif
+    if (reply.length > 0) {
+        length = (unsigned long) reply.length * 4;
         numbytes = reply.size;
+        if (numbytes > length) {
+            EPHYR_LOG_ERROR("string length %d longer than reply length %d\n",
+                            numbytes, length);
+            goto eat_out;
+        }
     }
     EPHYR_LOG("going to get a string of size:%d\n", numbytes);
 
-    *a_string = (char *) Xmalloc(numbytes + 1);
-    if (!a_string) {
+    if (numbytes < INT_MAX)
+        *a_string = Xcalloc(numbytes + 1, 1);
+    else
+        *a_string = NULL;
+    if (*a_string == NULL) {
         EPHYR_LOG_ERROR("allocation failed\n");
-        goto out;
+        goto eat_out;
     }
 
-    memset(*a_string, 0, numbytes + 1);
     if (_XRead(dpy, *a_string, numbytes)) {
-        UnlockDisplay(dpy);
-        SyncHandle();
         EPHYR_LOG_ERROR("read failed\n");
-        goto out;
+        length = 0; /* if read failed, no idea how much to eat */
+    }
+    else {
+        length -= numbytes;
+        EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n",
+                  a_string_name, *a_string, numbytes);
+        is_ok = TRUE;
     }
-    length -= numbytes;
+
+ eat_out:
     _XEatData(dpy, length);
     UnlockDisplay(dpy);
     SyncHandle();
-    EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n",
-              a_string_name, *a_string, numbytes);
 
-    is_ok = TRUE;
  out:
     EPHYR_LOG("leave\n");
     return is_ok;
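Review bot: the `%d` conversions no longer match their arguments: `numbytes` and `length` became `unsigned long` in the hunk above, so `EPHYR_LOG_ERROR("string length %d longer than reply length %d\n", numbytes, length)`, `EPHYR_LOG("going to get a string of size:%d\n", numbytes)` and the `strlen:%d` in the success log all pass `unsigned long` where `int` is expected, which is undefined for printf-style formatting and prints garbage on 64-bit targets (assuming EPHYR_LOG/EPHYR_LOG_ERROR forward to a printf-style formatter); use `%lu` in all three. Separately, on the `_XRead` failure path `*a_string` stays allocated while the function returns FALSE, and whether the caller frees it on failure is not visible here, so a `free(*a_string); *a_string = NULL;` in that branch may be warranted. ephyrHostGLXGetStringFromServer starts before this hunk.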
commit 5fbd8c45b46ab93522e417240aa770466c30b735
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Apr 14 09:45:26 2013 -0700

    Xdmx: integer overflow in GetGLXFBConfigs()
    
    numFBConfigs & numAttribs are CARD32s and need to be bounds checked before
    multiplying by structure sizes to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/hw/dmx/dmx_glxvisuals.c b/hw/dmx/dmx_glxvisuals.c
index 027557a..56bd67b 100644
--- a/hw/dmx/dmx_glxvisuals.c
+++ b/hw/dmx/dmx_glxvisuals.c
@@ -279,7 +279,10 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs)
         return NULL;
     }
 
-    attrs = (INT32 *) Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32);
+    if (numAttribs < (INT_MAX / (2 * __GLX_SIZE_CARD32)))
+        attrs = Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32);
+    else
+        attrs = NULL;
     if (!attrs) {
         UnlockDisplay(dpy);
         SyncHandle();
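Review bot: the new allocation-failure branch returns NULL after `UnlockDisplay`/`SyncHandle` without discarding the reply body, mirroring the pre-existing `return NULL` just above it, so unless the config data has already been consumed earlier in the function (not visible here) the unread words stay on the connection and the next reply read on `dpy` will misparse them. An `_XEatDataWords(dpy, <reply>.length)` before each early return would keep the stream in sync. GetGLXFBConfigs starts before and continues after the hunk.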
@@ -287,15 +290,16 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs)
     }
 
     /* Allocate memory for our config structure */
-    config = (__GLXFBConfig *)
-        Xmalloc(numFBConfigs * sizeof(__GLXFBConfig));
+    if (numFBConfigs < (INT_MAX / sizeof(__GLXFBConfig)))
+        config = Xcalloc(numFBConfigs, sizeof(__GLXFBConfig));
+    else
+        config = NULL;
     if (!config) {
         free(attrs);
         UnlockDisplay(dpy);
         SyncHandle();
         return NULL;
     }
-    memset(config, 0, numFBConfigs * sizeof(__GLXFBConfig));
     fbconfigs = config;
 
     /* Convert attribute list into our format */
commit c89bcd12f4fc7233830a8dbe7863c312f657da3c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sun Apr 14 09:33:57 2013 -0700

    Xdmx: integer overflow in GetGLXVisualConfigs()
    
    numVisuals & numProps are both CARD32 and need to be bounds checked before
    multiplying by structure sizes to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/hw/dmx/dmx_glxvisuals.c b/hw/dmx/dmx_glxvisuals.c
index f903b74..027557a 100644
--- a/hw/dmx/dmx_glxvisuals.c
+++ b/hw/dmx/dmx_glxvisuals.c
@@ -37,6 +37,7 @@
 #include <GL/glxproto.h>
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
+#include <limits.h>
 
 #include "dmx_glxvisuals.h"
 
@@ -84,7 +85,10 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)
         SyncHandle();
         return NULL;
     }
-    props = (INT32 *) Xmalloc(nprops * __GLX_SIZE_CARD32);
+    if (nprops < (INT_MAX / __GLX_SIZE_CARD32))
+        props = Xmalloc(nprops * __GLX_SIZE_CARD32);
+    else
+        props = NULL;
     if (!props) {
         UnlockDisplay(dpy);
         SyncHandle();
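Review bot: the soundness of `nprops < (INT_MAX / __GLX_SIZE_CARD32)` depends on `nprops` being unsigned; the commit message says the reply field is a CARD32, but the local's declaration is outside this hunk, and if it is an `int` a negative value passes the test and is only caught when `Xmalloc` fails on the wrapped size. Declaring the local `CARD32` (or `unsigned int`) removes the doubt. As with the `return NULL` just above, the new failure branch also leaves the reply body unread unless it was consumed earlier in the function, which is not visible here. GetGLXVisualConfigs starts before and continues after the hunk.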
@@ -92,15 +96,16 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)
     }
 
     /* Allocate memory for our config structure */
-    config = (__GLXvisualConfig *)
-        Xmalloc(nvisuals * sizeof(__GLXvisualConfig));
+    if (nvisuals < (INT_MAX / sizeof(__GLXvisualConfig)))
+        config = Xcalloc(nvisuals, sizeof(__GLXvisualConfig));
+    else
+        config = NULL;
     if (!config) {
         free(props);
         UnlockDisplay(dpy);
         SyncHandle();
         return NULL;
     }
-    memset(config, 0, nvisuals * sizeof(__GLXvisualConfig));
     configs = config;
     num_good_visuals = 0;
 

