[PATCH] Fix overflow of ConnectionOutput->size and ->count

Keith Packard keithp at keithp.com
Sun Nov 30 11:50:13 PST 2014


Peter Harris <pharris at opentext.com> writes:

> When (long) is larger than (int), and when realloc succeeds with sizes
> larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count
> overflow and become negative.
>
> When ConnectionOutput->count is negative, InsertIOV does not actually
> insert an IOV, and FlushClient goes into an infinite loop of writev(fd,
> iov, 0) [an empty list].
>
> Avoid this situation by killing the client when it has more than INT_MAX
> unread bytes of data.
>
> Signed-off-by: Peter Harris <pharris at opentext.com>

Merged.
   c52a2b1..4b0d0df  master -> master

-- 
keith.packard at intel.com
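
The check described in the quoted commit message, sketched as an added example; this is not the merged patch and not X server code. `struct out_buf`, `out_append` and the return codes are hypothetical names; only the `int`-typed `size` and `count` fields come from the message.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a per-client output buffer; only the
 * int-typed size and count fields are taken from the message. */
struct out_buf {
    unsigned char *buf;
    int size;   /* bytes allocated */
    int count;  /* bytes queued, not yet written */
};

enum { OUT_OK = 0, OUT_DROP_CLIENT = -1, OUT_NOMEM = -2 };

/* Queue len more bytes. The new total is validated in size_t before it
 * is stored in an int, so neither count nor size can wrap negative. */
int out_append(struct out_buf *o, const void *data, size_t len)
{
    size_t need;

    /* Would the queue exceed INT_MAX unread bytes? Tell the caller to
     * drop the client instead of growing the buffer. */
    if (o->count < 0 || len > (size_t)INT_MAX - (size_t)o->count)
        return OUT_DROP_CLIENT;
    need = (size_t)o->count + len;

    if (need > (size_t)o->size) {
        /* Grow by doubling, clamped so size also stays <= INT_MAX. */
        size_t newsize = o->size > 0 ? (size_t)o->size : 64;
        while (newsize < need)
            newsize = newsize > (size_t)INT_MAX / 2 ? (size_t)INT_MAX
                                                    : newsize * 2;
        unsigned char *p = realloc(o->buf, newsize);
        if (p == NULL)
            return OUT_NOMEM;
        o->buf = p;
        o->size = (int)newsize;
    }
    memcpy(o->buf + o->count, data, len);
    o->count = (int)need;
    return OUT_OK;
}
```

A caller that receives `OUT_DROP_CLIENT` closes the connection rather than retrying, which is what keeps a flush loop from ever seeing a negative `count`.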