[PATCH 1/2] Fix panoramiX request and reply swapping

Peter Harris peter.harris at hummingbird.com
Thu Dec 20 13:44:39 PST 2007 

From 2188de17e8dea5141d9af4fda3176a8c97bf7ac6 Mon Sep 17 00:00:00 2001
From: Peter Harris <peter.harris at hummingbird.com>
Date: Thu, 20 Dec 2007 15:58:01 -0500
Subject: [PATCH] Fix panoramiX request and reply swapping

 Fix panoramiX request and reply swapping
 Set window and screen values in panoramix replies
 Prevent buffer overrun in ProcPanoramiXGetScreenSize

---
 Xext/panoramiX.c   |   17 +++++++++++++----
 randr/rrxinerama.c |   18 ++++++++++++++----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 311a8e7..1e25a5a 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -917,10 +917,11 @@ ProcPanoramiXGetState(ClientPtr client)
 	rep.length = 0;
 	rep.sequenceNumber = client->sequence;
 	rep.state = !noPanoramiXExtension;
+	rep.window = stuff->window;
     	if (client->swapped) {
 	    swaps (&rep.sequenceNumber, n);
 	    swapl (&rep.length, n);
-	    swaps (&rep.state, n);
+	    swapl (&rep.window, n);
 	}	
 	WriteToClient (client, sizeof (xPanoramiXGetStateReply), (char *) &rep);
 	return client->noClientException;
@@ -944,10 +945,11 @@ ProcPanoramiXGetScreenCount(ClientPtr client)
 	rep.length = 0;
 	rep.sequenceNumber = client->sequence;
 	rep.ScreenCount = PanoramiXNumScreens;
+	rep.window = stuff->window;
     	if (client->swapped) {
 	    swaps (&rep.sequenceNumber, n);
 	    swapl (&rep.length, n);
-	    swaps (&rep.ScreenCount, n);
+	    swapl (&rep.window, n);
 	}	
 	WriteToClient (client, sizeof (xPanoramiXGetScreenCountReply), (char *) &rep);
 	return client->noClientException;
@@ -961,6 +963,9 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
 	xPanoramiXGetScreenSizeReply	rep;
 	register int			n, rc;
 	
+	if (stuff->screen >= PanoramiXNumScreens)
+	    return BadMatch;
+
 	REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
 	rc = dixLookupWindow(&pWin, stuff->window, client, DixUnknownAccess);
 	if (rc != Success)
@@ -972,11 +977,15 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
 		/* screen dimensions */
 	rep.width  = panoramiXdataPtr[stuff->screen].width; 
 	rep.height = panoramiXdataPtr[stuff->screen].height; 
+	rep.window = stuff->window;
+	rep.screen = stuff->screen;
     	if (client->swapped) {
 	    swaps (&rep.sequenceNumber, n);
 	    swapl (&rep.length, n);
-	    swaps (&rep.width, n);
-	    swaps (&rep.height, n);
+	    swapl (&rep.width, n);
+	    swapl (&rep.height, n);
+	    swapl (&rep.window, n);
+	    swapl (&rep.screen, n);
 	}	
 	WriteToClient (client, sizeof (xPanoramiXGetScreenSizeReply), (char *) &rep);
 	return client->noClientException;
diff --git a/randr/rrxinerama.c b/randr/rrxinerama.c
index 896f61f..16028fe 100644
--- a/randr/rrxinerama.c
+++ b/randr/rrxinerama.c
@@ -138,10 +138,11 @@ ProcRRXineramaGetState(ClientPtr client)
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
     rep.state = active;
+    rep.window = stuff->window;
     if(client->swapped) {
        swaps (&rep.sequenceNumber, n);
        swapl (&rep.length, n);
-       swaps (&rep.state, n);
+       swapl (&rep.window, n);
     }
     WriteToClient(client, sizeof(xPanoramiXGetStateReply), (char *)&rep);
     return client->noClientException;
@@ -192,10 +193,11 @@ ProcRRXineramaGetScreenCount(ClientPtr client)
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
     rep.ScreenCount = RRXineramaScreenCount (pWin->drawable.pScreen);
+    rep.window = stuff->window;
     if(client->swapped) {
        swaps(&rep.sequenceNumber, n);
        swapl(&rep.length, n);
-       swaps(&rep.ScreenCount, n);
+       swapl(&rep.window, n);
     }
     WriteToClient(client, sizeof(xPanoramiXGetScreenCountReply), (char *)&rep);
     return client->noClientException;
@@ -223,11 +225,15 @@ ProcRRXineramaGetScreenSize(ClientPtr client)
     rep.sequenceNumber = client->sequence;
     rep.width  = pRoot->drawable.width;
     rep.height = pRoot->drawable.height;
+    rep.window = stuff->window;
+    rep.screen = stuff->screen;
     if(client->swapped) {
        swaps(&rep.sequenceNumber, n);
        swapl(&rep.length, n);
-       swaps(&rep.width, n);
-       swaps(&rep.height, n);
+       swapl(&rep.width, n);
+       swapl(&rep.height, n);
+       swapl(&rep.window, n);
+       swapl(&rep.screen, n);
     }
     WriteToClient(client, sizeof(xPanoramiXGetScreenSizeReply), (char *)&rep);
     return client->noClientException;
@@ -351,6 +357,7 @@ SProcRRXineramaGetState(ClientPtr client)
     register int n;
     swaps (&stuff->length, n);
     REQUEST_SIZE_MATCH(xPanoramiXGetStateReq);
+    swapl (&stuff->window, n);
     return ProcRRXineramaGetState(client);
 }
 
@@ -361,6 +368,7 @@ SProcRRXineramaGetScreenCount(ClientPtr client)
     register int n;
     swaps (&stuff->length, n);
     REQUEST_SIZE_MATCH(xPanoramiXGetScreenCountReq);
+    swapl (&stuff->window, n);
     return ProcRRXineramaGetScreenCount(client);
 }
 
@@ -371,6 +379,8 @@ SProcRRXineramaGetScreenSize(ClientPtr client)
     register int n;
     swaps (&stuff->length, n);
     REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+    swapl (&stuff->window, n);
+    swapl (&stuff->screen, n);
     return ProcRRXineramaGetScreenSize(client);
 }
 
-- 
1.5.3.7


-- 
     Hummingbird Connectivity - A Division of Open Text
Peter Harris                    http://connectivity.hummingbird.com
Research and Development        Phone: +1 905 762 6001
peter.harris at hummingbird.com    Toll Free: 1 877 359 4866

More information about the xorg mailing list