Wed Oct 5 10:47:18 2016 UTC ()
Apply patch, requested my mrg in ticket 1410:
	xsrc/external/mit/libX11/dist/include/X11/Xlibint.h	patch
	xsrc/external/mit/libX11/dist/src/FontNames.c		patch
	xsrc/external/mit/libX11/dist/src/GetImage.c		patch
	xsrc/external/mit/libX11/dist/src/ListExt.c		patch
	xsrc/external/mit/libX11/dist/src/ModMap.c		patch
	xsrc/external/mit/libXfixes/dist/src/Region.c		patch
	xsrc/external/mit/libXi/dist/src/XGMotion.c		patch
	xsrc/external/mit/libXi/dist/src/XGetBMap.c		patch
	xsrc/external/mit/libXi/dist/src/XGetDCtl.c		patch
	xsrc/external/mit/libXi/dist/src/XGetFCtl.c		patch
	xsrc/external/mit/libXi/dist/src/XGetKMap.c		patch
	xsrc/external/mit/libXi/dist/src/XGetMMap.c		patch
	xsrc/external/mit/libXi/dist/src/XIQueryDevice.c	patch
	xsrc/external/mit/libXi/dist/src/XListDev.c		patch
	xsrc/external/mit/libXi/dist/src/XOpenDev.c		patch
	xsrc/external/mit/libXi/dist/src/XQueryDv.c		patch
	xsrc/external/mit/libXrandr/dist/src/XrrConfig.c	patch
	xsrc/external/mit/libXrandr/dist/src/XrrCrtc.c		patch
	xsrc/external/mit/libXrandr/dist/src/XrrOutput.c	patch
	xsrc/external/mit/libXrandr/dist/src/XrrProvider.c	patch
	xsrc/external/mit/libXrandr/dist/src/XrrScreen.c	patch
	xsrc/external/mit/libXrender/dist/src/Filter.c		patch
	xsrc/external/mit/libXrender/dist/src/Xrender.c		patch
	xsrc/external/mit/libXtst/dist/src/XRecord.c		patch
	xsrc/external/mit/libXv/dist/src/Xv.c			patch
	xsrc/external/mit/libXvMC/dist/src/XvMC.c		patch

Fix (backported from upstream) the following issues in X client
libraries:
libX11 - insufficient validation of data from the X server
	 can cause out of boundary memory read (XGetImage())
	 or write (XListFonts()).
	 Affected versions libX11 <= 1.6.3

libXfixes - insufficient validation of data from the X server
	can cause an integer overflow on 32 bit architectures.
	Affected versions : libXfixes <= 5.0.2

libXi - insufficient validation of data from the X server
	can cause out of boundary memory access or
	endless loops (Denial of Service).
	Affected versions libXi <= 1.7.6

libXrandr - insufficient validation of data from the X server
	can cause out of boundary memory writes.
	Affected versions: libXrandr <= 1.5.0

libXrender - insufficient validation of data from the X server
	can cause out of boundary memory writes.
	Affected version: libXrender <= 0.9.9

XRecord - insufficient validation of data from the X server
	can cause out of boundary memory access or
	endless loops (Denial of Service).
	 Affected version libXtst <= 1.2.2

libXv - insufficient validation of data from the X server
	can cause out of boundary memory and memory corruption.
	CVE-2016-5407
	affected versions libXv <= 1.0.10

libXvMC - insufficient validation of data from the X server
	can cause a one byte buffer read underrun.
	Affected versions: libXvMC <= 1.0.9


(bouyer)
diff -r1.1.1.7.2.1 -r1.1.1.7.2.2 xsrc/external/mit/libX11/dist/include/X11/Xlibint.h
diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libX11/dist/src/FontNames.c
diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libX11/dist/src/GetImage.c
diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libX11/dist/src/ModMap.c
diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libX11/dist/src/ListExt.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXfixes/dist/src/Region.c
diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XGMotion.c
diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XGetFCtl.c
diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XListDev.c
diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XQueryDv.c
diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXi/dist/src/XGetBMap.c
diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libXi/dist/src/XGetDCtl.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XGetKMap.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XGetMMap.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XIQueryDevice.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XOpenDev.c
diff -r1.1.1.3 -r1.1.1.3.2.1 xsrc/external/mit/libXrandr/dist/src/XrrConfig.c
diff -r1.1.1.3 -r1.1.1.3.2.1 xsrc/external/mit/libXrandr/dist/src/XrrCrtc.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXrandr/dist/src/XrrOutput.c
diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXrandr/dist/src/XrrScreen.c
diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXrender/dist/src/Filter.c
diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXrender/dist/src/Xrender.c
diff -r1.1.1.3 -r1.1.1.3.2.1 xsrc/external/mit/libXtst/dist/src/XRecord.c
diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXv/dist/src/Xv.c
diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXvMC/dist/src/XvMC.c
cvs diff -r1.1.1.7.2.1 -r1.1.1.7.2.2 xsrc/external/mit/libX11/dist/include/X11/Xlibint.h (expand / switch to unified diff)

--- xsrc/external/mit/libX11/dist/include/X11/Xlibint.h 2015/04/19 05:48:29 1.1.1.7.2.1
+++ xsrc/external/mit/libX11/dist/include/X11/Xlibint.h 2016/10/05 10:47:17 1.1.1.7.2.2
@@ -540,27 +540,27 @@ extern LockInfoPtr _Xglobal_lock; @@ -540,27 +540,27 @@ extern LockInfoPtr _Xglobal_lock;
540 * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 540 * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
541 * length, after req->length, before the data in the request. The new length 541 * length, after req->length, before the data in the request. The new length
542 * includes the "n" extra 32-bit words. 542 * includes the "n" extra 32-bit words.
543 * 543 *
544 * Do not use MakeBigReq if there is no data already in the request. 544 * Do not use MakeBigReq if there is no data already in the request.
545 * req->length must already be >= 2. 545 * req->length must already be >= 2.
546 */ 546 */
547#define MakeBigReq(req,n) \ 547#define MakeBigReq(req,n) \
548 { \ 548 { \
549 char _BRdat[4]; \ 549 char _BRdat[4]; \
550 unsigned long _BRlen = req->length - 1; \ 550 unsigned long _BRlen = req->length - 1; \
551 req->length = 0; \ 551 req->length = 0; \
552 memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \ 552 memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \
553 memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ 553 memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
554 memcpy(((char *)req) + 4, _BRdat, 4); \ 554 memcpy(((char *)req) + 4, _BRdat, 4); \
555 Data32(dpy, (long *)&_BRdat, 4); \ 555 Data32(dpy, (long *)&_BRdat, 4); \
556 } 556 }
557#else 557#else
558#ifdef LONG64 558#ifdef LONG64
559#define MakeBigReq(req,n) \ 559#define MakeBigReq(req,n) \
560 { \ 560 { \
561 CARD64 _BRdat; \ 561 CARD64 _BRdat; \
562 CARD32 _BRlen = req->length - 1; \ 562 CARD32 _BRlen = req->length - 1; \
563 req->length = 0; \ 563 req->length = 0; \
564 _BRdat = ((CARD32 *)req)[_BRlen]; \ 564 _BRdat = ((CARD32 *)req)[_BRlen]; \
565 memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ 565 memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
566 ((CARD32 *)req)[1] = _BRlen + n + 2; \ 566 ((CARD32 *)req)[1] = _BRlen + n + 2; \
cvs diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libX11/dist/src/FontNames.c (expand / switch to unified diff)

--- xsrc/external/mit/libX11/dist/src/FontNames.c 2013/06/06 03:44:25 1.1.1.4.2.1
+++ xsrc/external/mit/libX11/dist/src/FontNames.c 2016/10/05 10:47:17 1.1.1.4.2.2
@@ -56,58 +56,69 @@ int *actualCount) /* RETURN */ @@ -56,58 +56,69 @@ int *actualCount) /* RETURN */
56 req->length += (nbytes + 3) >> 2; 56 req->length += (nbytes + 3) >> 2;
57 _XSend (dpy, pattern, nbytes); 57 _XSend (dpy, pattern, nbytes);
58 /* use _XSend instead of Data, since following _XReply will flush buffer */ 58 /* use _XSend instead of Data, since following _XReply will flush buffer */
59 59
60 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) { 60 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) {
61 *actualCount = 0; 61 *actualCount = 0;
62 UnlockDisplay(dpy); 62 UnlockDisplay(dpy);
63 SyncHandle(); 63 SyncHandle();
64 return (char **) NULL; 64 return (char **) NULL;
65 } 65 }
66 66
67 if (rep.nFonts) { 67 if (rep.nFonts) {
68 flist = Xmalloc (rep.nFonts * sizeof(char *)); 68 flist = Xmalloc (rep.nFonts * sizeof(char *));
69 if (rep.length < (LONG_MAX >> 2)) { 69 if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
70 rlen = rep.length << 2; 70 rlen = rep.length << 2;
71 ch = Xmalloc(rlen + 1); 71 ch = Xmalloc(rlen + 1);
72 /* +1 to leave room for last null-terminator */ 72 /* +1 to leave room for last null-terminator */
73 } 73 }
74 74
75 if ((! flist) || (! ch)) { 75 if ((! flist) || (! ch)) {
76 if (flist) Xfree((char *) flist); 76 if (flist) Xfree((char *) flist);
77 if (ch) Xfree(ch); 77 if (ch) Xfree(ch);
78 _XEatData(dpy, rep.length << 2); 78 _XEatData(dpy, rep.length << 2);
79 *actualCount = 0; 79 *actualCount = 0;
80 UnlockDisplay(dpy); 80 UnlockDisplay(dpy);
81 SyncHandle(); 81 SyncHandle();
82 return (char **) NULL; 82 return (char **) NULL;
83 } 83 }
84 84
85 _XReadPad (dpy, ch, rlen); 85 _XReadPad (dpy, ch, rlen);
86 /* 86 /*
87 * unpack into null terminated strings. 87 * unpack into null terminated strings.
88 */ 88 */
89 chend = ch + (rlen + 1); 89 chend = ch + (rlen + 1);
90 length = *(unsigned char *)ch; 90 length = *(unsigned char *)ch;
91 *ch = 1; /* make sure it is non-zero for XFreeFontNames */ 91 *ch = 1; /* make sure it is non-zero for XFreeFontNames */
92 for (i = 0; i < rep.nFonts; i++) { 92 for (i = 0; i < rep.nFonts; i++) {
93 if (ch + length < chend) { 93 if (ch + length < chend) {
94 flist[i] = ch + 1; /* skip over length */ 94 flist[i] = ch + 1; /* skip over length */
95 ch += length + 1; /* find next length ... */ 95 ch += length + 1; /* find next length ... */
96 length = *(unsigned char *)ch; 96 if (ch <= chend) {
97 *ch = '\0'; /* and replace with null-termination */ 97 length = *(unsigned char *)ch;
98 count++; 98 *ch = '\0'; /* and replace with null-termination */
99 } else 99 count++;
100 flist[i] = NULL; 100 } else {
 101 Xfree(flist);
 102 flist = NULL;
 103 count = 0;
 104 break;
 105 }
 106 } else {
 107 Xfree(flist);
 108 flist = NULL;
 109 count = 0;
 110 break;
 111 }
101 } 112 }
102 } 113 }
103 *actualCount = count; 114 *actualCount = count;
104 UnlockDisplay(dpy); 115 UnlockDisplay(dpy);
105 SyncHandle(); 116 SyncHandle();
106 return (flist); 117 return (flist);
107} 118}
108 119
109int 120int
110XFreeFontNames(char **list) 121XFreeFontNames(char **list)
111{ 122{
112 if (list) { 123 if (list) {
113 if (!*(list[0]-1)) { /* from ListFontsWithInfo */ 124 if (!*(list[0]-1)) { /* from ListFontsWithInfo */
cvs diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libX11/dist/src/GetImage.c (expand / switch to unified diff)

--- xsrc/external/mit/libX11/dist/src/GetImage.c 2013/06/06 03:44:25 1.1.1.4.2.1
+++ xsrc/external/mit/libX11/dist/src/GetImage.c 2016/10/05 10:47:17 1.1.1.4.2.2
@@ -49,26 +49,27 @@ XImage *XGetImage ( @@ -49,26 +49,27 @@ XImage *XGetImage (
49 Drawable d, 49 Drawable d,
50 int x, 50 int x,
51 int y, 51 int y,
52 unsigned int width, 52 unsigned int width,
53 unsigned int height, 53 unsigned int height,
54 unsigned long plane_mask, 54 unsigned long plane_mask,
55 int format) /* either XYPixmap or ZPixmap */ 55 int format) /* either XYPixmap or ZPixmap */
56{ 56{
57 xGetImageReply rep; 57 xGetImageReply rep;
58 register xGetImageReq *req; 58 register xGetImageReq *req;
59 char *data; 59 char *data;
60 unsigned long nbytes; 60 unsigned long nbytes;
61 XImage *image; 61 XImage *image;
 62 int planes;
62 LockDisplay(dpy); 63 LockDisplay(dpy);
63 GetReq (GetImage, req); 64 GetReq (GetImage, req);
64 /* 65 /*
65 * first set up the standard stuff in the request 66 * first set up the standard stuff in the request
66 */ 67 */
67 req->drawable = d; 68 req->drawable = d;
68 req->x = x; 69 req->x = x;
69 req->y = y; 70 req->y = y;
70 req->width = width; 71 req->width = width;
71 req->height = height; 72 req->height = height;
72 req->planeMask = plane_mask; 73 req->planeMask = plane_mask;
73 req->format = format; 74 req->format = format;
74 75
@@ -81,38 +82,48 @@ XImage *XGetImage ( @@ -81,38 +82,48 @@ XImage *XGetImage (
81 82
82 if (rep.length < (INT_MAX >> 2)) { 83 if (rep.length < (INT_MAX >> 2)) {
83 nbytes = (unsigned long)rep.length << 2; 84 nbytes = (unsigned long)rep.length << 2;
84 data = Xmalloc(nbytes); 85 data = Xmalloc(nbytes);
85 } else 86 } else
86 data = NULL; 87 data = NULL;
87 if (! data) { 88 if (! data) {
88 _XEatData(dpy, rep.length << 2); 89 _XEatData(dpy, rep.length << 2);
89 UnlockDisplay(dpy); 90 UnlockDisplay(dpy);
90 SyncHandle(); 91 SyncHandle();
91 return (XImage *) NULL; 92 return (XImage *) NULL;
92 } 93 }
93 _XReadPad (dpy, data, nbytes); 94 _XReadPad (dpy, data, nbytes);
94 if (format == XYPixmap) 95 if (format == XYPixmap) {
95 image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), 96 image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
96 Ones (plane_mask & 97 Ones (plane_mask &
97 (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), 98 (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
98 format, 0, data, width, height, dpy->bitmap_pad, 0); 99 format, 0, data, width, height, dpy->bitmap_pad, 0);
99 else /* format == ZPixmap */ 100 planes = image->depth;
100 image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), 101 } else { /* format == ZPixmap */
101 rep.depth, ZPixmap, 0, data, width, height, 102 image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
102 _XGetScanlinePad(dpy, (int) rep.depth), 0); 103 rep.depth, ZPixmap, 0, data, width, height,
 104 _XGetScanlinePad(dpy, (int) rep.depth), 0);
 105 planes = 1;
 106 }
103 107
104 if (!image) 108 if (!image)
105 Xfree(data); 109 Xfree(data);
 110 if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
 111 INT_MAX / image->height <= image->bytes_per_line ||
 112 INT_MAX / planes <= image->height * image->bytes_per_line ||
 113 nbytes < planes * image->height * image->bytes_per_line) {
 114 XDestroyImage(image);
 115 image = NULL;
 116 }
106 UnlockDisplay(dpy); 117 UnlockDisplay(dpy);
107 SyncHandle(); 118 SyncHandle();
108 return (image); 119 return (image);
109} 120}
110 121
111XImage *XGetSubImage( 122XImage *XGetSubImage(
112 register Display *dpy, 123 register Display *dpy,
113 Drawable d, 124 Drawable d,
114 int x, 125 int x,
115 int y, 126 int y,
116 unsigned int width, 127 unsigned int width,
117 unsigned int height, 128 unsigned int height,
118 unsigned long plane_mask, 129 unsigned long plane_mask,
cvs diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libX11/dist/src/ModMap.c (expand / switch to unified diff)

--- xsrc/external/mit/libX11/dist/src/ModMap.c 2013/06/06 03:44:25 1.1.1.4.2.1
+++ xsrc/external/mit/libX11/dist/src/ModMap.c 2016/10/05 10:47:17 1.1.1.4.2.2
@@ -32,27 +32,28 @@ in this Software without prior written a @@ -32,27 +32,28 @@ in this Software without prior written a
32 32
33XModifierKeymap * 33XModifierKeymap *
34XGetModifierMapping(register Display *dpy) 34XGetModifierMapping(register Display *dpy)
35{ 35{
36 xGetModifierMappingReply rep; 36 xGetModifierMappingReply rep;
37 register xReq *req; 37 register xReq *req;
38 unsigned long nbytes; 38 unsigned long nbytes;
39 XModifierKeymap *res; 39 XModifierKeymap *res;
40 40
41 LockDisplay(dpy); 41 LockDisplay(dpy);
42 GetEmptyReq(GetModifierMapping, req); 42 GetEmptyReq(GetModifierMapping, req);
43 (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); 43 (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
44 44
45 if (rep.length < (LONG_MAX >> 2)) { 45 if (rep.length < (INT_MAX >> 2) &&
 46 (rep.length >> 1) == rep.numKeyPerModifier) {
46 nbytes = (unsigned long)rep.length << 2; 47 nbytes = (unsigned long)rep.length << 2;
47 res = Xmalloc(sizeof (XModifierKeymap)); 48 res = Xmalloc(sizeof (XModifierKeymap));
48 if (res) 49 if (res)
49 res->modifiermap = Xmalloc (nbytes); 50 res->modifiermap = Xmalloc (nbytes);
50 } else 51 } else
51 res = NULL; 52 res = NULL;
52 if ((! res) || (! res->modifiermap)) { 53 if ((! res) || (! res->modifiermap)) {
53 if (res) Xfree((char *) res); 54 if (res) Xfree((char *) res);
54 res = (XModifierKeymap *) NULL; 55 res = (XModifierKeymap *) NULL;
55 _XEatData(dpy, rep.length << 2); 56 _XEatData(dpy, rep.length << 2);
56 } else { 57 } else {
57 _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); 58 _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes);
58 res->max_keypermod = rep.numKeyPerModifier; 59 res->max_keypermod = rep.numKeyPerModifier;
cvs diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libX11/dist/src/ListExt.c (expand / switch to unified diff)

--- xsrc/external/mit/libX11/dist/src/ListExt.c 2013/06/06 03:44:25 1.1.1.3.2.1
+++ xsrc/external/mit/libX11/dist/src/ListExt.c 2016/10/05 10:47:17 1.1.1.3.2.2
@@ -45,54 +45,58 @@ char **XListExtensions( @@ -45,54 +45,58 @@ char **XListExtensions(
45 unsigned long rlen; 45 unsigned long rlen;
46 46
47 LockDisplay(dpy); 47 LockDisplay(dpy);
48 GetEmptyReq (ListExtensions, req); 48 GetEmptyReq (ListExtensions, req);
49 49
50 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) { 50 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) {
51 UnlockDisplay(dpy); 51 UnlockDisplay(dpy);
52 SyncHandle(); 52 SyncHandle();
53 return (char **) NULL; 53 return (char **) NULL;
54 } 54 }
55 55
56 if (rep.nExtensions) { 56 if (rep.nExtensions) {
57 list = Xmalloc (rep.nExtensions * sizeof (char *)); 57 list = Xmalloc (rep.nExtensions * sizeof (char *));
58 if (rep.length < (LONG_MAX >> 2)) { 58 if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
59 rlen = rep.length << 2; 59 rlen = rep.length << 2;
60 ch = Xmalloc (rlen + 1); 60 ch = Xmalloc (rlen + 1);
61 /* +1 to leave room for last null-terminator */ 61 /* +1 to leave room for last null-terminator */
62 } 62 }
63 63
64 if ((!list) || (!ch)) { 64 if ((!list) || (!ch)) {
65 if (list) Xfree((char *) list); 65 if (list) Xfree((char *) list);
66 if (ch) Xfree((char *) ch); 66 if (ch) Xfree((char *) ch);
67 _XEatData(dpy, rep.length << 2); 67 _XEatData(dpy, rep.length << 2);
68 UnlockDisplay(dpy); 68 UnlockDisplay(dpy);
69 SyncHandle(); 69 SyncHandle();
70 return (char **) NULL; 70 return (char **) NULL;
71 } 71 }
72 72
73 _XReadPad (dpy, ch, rlen); 73 _XReadPad (dpy, ch, rlen);
74 /* 74 /*
75 * unpack into null terminated strings. 75 * unpack into null terminated strings.
76 */ 76 */
77 chend = ch + (rlen + 1); 77 chend = ch + (rlen + 1);
78 length = *ch; 78 length = *ch;
79 for (i = 0; i < rep.nExtensions; i++) { 79 for (i = 0; i < rep.nExtensions; i++) {
80 if (ch + length < chend) { 80 if (ch + length < chend) {
81 list[i] = ch+1; /* skip over length */ 81 list[i] = ch+1; /* skip over length */
82 ch += length + 1; /* find next length ... */ 82 ch += length + 1; /* find next length ... */
83 length = *ch; 83 if (ch <= chend) {
84 *ch = '\0'; /* and replace with null-termination */ 84 length = *ch;
85 count++; 85 *ch = '\0'; /* and replace with null-termination */
 86 count++;
 87 } else {
 88 list[i] = NULL;
 89 }
86 } else 90 } else
87 list[i] = NULL; 91 list[i] = NULL;
88 } 92 }
89 } 93 }
90 94
91 *nextensions = count; 95 *nextensions = count;
92 UnlockDisplay(dpy); 96 UnlockDisplay(dpy);
93 SyncHandle(); 97 SyncHandle();
94 return (list); 98 return (list);
95} 99}
96 100
97int 101int
98XFreeExtensionList (char **list) 102XFreeExtensionList (char **list)
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXfixes/dist/src/Region.c (expand / switch to unified diff)

--- xsrc/external/mit/libXfixes/dist/src/Region.c 2009/11/08 09:43:06 1.1.1.2
+++ xsrc/external/mit/libXfixes/dist/src/Region.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -13,26 +13,27 @@ @@ -13,26 +13,27 @@
13 * 13 *
14 * KEITH PACKARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 14 * KEITH PACKARD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL KEITH PACKARD BE LIABLE FOR ANY SPECIAL, INDIRECT OR 16 * EVENT SHALL KEITH PACKARD BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
20 * PERFORMANCE OF THIS SOFTWARE. 20 * PERFORMANCE OF THIS SOFTWARE.
21 */ 21 */
22 22
23#ifdef HAVE_CONFIG_H 23#ifdef HAVE_CONFIG_H
24#include <config.h> 24#include <config.h>
25#endif 25#endif
 26#include <limits.h>
26#include "Xfixesint.h" 27#include "Xfixesint.h"
27 28
28XserverRegion 29XserverRegion
29XFixesCreateRegion (Display *dpy, XRectangle *rectangles, int nrectangles) 30XFixesCreateRegion (Display *dpy, XRectangle *rectangles, int nrectangles)
30{ 31{
31 XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy); 32 XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
32 xXFixesCreateRegionReq *req; 33 xXFixesCreateRegionReq *req;
33 long len; 34 long len;
34 XserverRegion region; 35 XserverRegion region;
35 36
36 XFixesCheckExtension (dpy, info, 0); 37 XFixesCheckExtension (dpy, info, 0);
37 LockDisplay (dpy); 38 LockDisplay (dpy);
38 GetReq (XFixesCreateRegion, req); 39 GetReq (XFixesCreateRegion, req);
@@ -323,30 +324,37 @@ XFixesFetchRegionAndBounds (Display  @@ -323,30 +324,37 @@ XFixesFetchRegionAndBounds (Display
323 req->xfixesReqType = X_XFixesFetchRegion; 324 req->xfixesReqType = X_XFixesFetchRegion;
324 req->region = region; 325 req->region = region;
325 *nrectanglesRet = 0; 326 *nrectanglesRet = 0;
326 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) 327 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
327 { 328 {
328 UnlockDisplay (dpy); 329 UnlockDisplay (dpy);
329 SyncHandle (); 330 SyncHandle ();
330 return NULL; 331 return NULL;
331 } 332 }
332 bounds->x = rep.x; 333 bounds->x = rep.x;
333 bounds->y = rep.y; 334 bounds->y = rep.y;
334 bounds->width = rep.width; 335 bounds->width = rep.width;
335 bounds->height = rep.height; 336 bounds->height = rep.height;
336 nbytes = (long) rep.length << 2; 337 if (rep.length < (INT_MAX >> 2)) {
337 nrects = rep.length >> 1; 338 nbytes = (long) rep.length << 2;
338 nread = nrects << 3; 339 nrects = rep.length >> 1;
339 rects = Xmalloc (nrects * sizeof (XRectangle)); 340 nread = nrects << 3;
 341 rects = Xmalloc (nrects * sizeof (XRectangle));
 342 } else {
 343 nbytes = 0;
 344 nrects = 0;
 345 nread = 0;
 346 rects = NULL;
 347 }
340 if (!rects) 348 if (!rects)
341 { 349 {
342 _XEatData (dpy, nbytes); 350 _XEatData (dpy, nbytes);
343 UnlockDisplay (dpy); 351 UnlockDisplay (dpy);
344 SyncHandle (); 352 SyncHandle ();
345 return NULL; 353 return NULL;
346 } 354 }
347 _XRead16 (dpy, (short *) rects, nrects << 3); 355 _XRead16 (dpy, (short *) rects, nrects << 3);
348 /* skip any padding */ 356 /* skip any padding */
349 if(nbytes > nread) 357 if(nbytes > nread)
350 { 358 {
351 _XEatData (dpy, (unsigned long) (nbytes - nread)); 359 _XEatData (dpy, (unsigned long) (nbytes - nread));
352 } 360 }
cvs diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XGMotion.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XGMotion.c 2013/06/06 03:44:25 1.1.1.3.2.1
+++ xsrc/external/mit/libXi/dist/src/XGMotion.c 2016/10/05 10:47:17 1.1.1.3.2.2
@@ -101,27 +101,28 @@ XGetDeviceMotionEvents( @@ -101,27 +101,28 @@ XGetDeviceMotionEvents(
101 UnlockDisplay(dpy); 101 UnlockDisplay(dpy);
102 SyncHandle(); 102 SyncHandle();
103 return (NULL); 103 return (NULL);
104 } 104 }
105 if (rep.length < (INT_MAX >> 2)) { 105 if (rep.length < (INT_MAX >> 2)) {
106 size = rep.length << 2; 106 size = rep.length << 2;
107 savp = readp = Xmalloc(size); 107 savp = readp = Xmalloc(size);
108 } else { 108 } else {
109 size = 0; 109 size = 0;
110 savp = readp = NULL; 110 savp = readp = NULL;
111 } 111 }
112 /* rep.axes is a CARD8, so assume max number of axes for bounds check */ 112 /* rep.axes is a CARD8, so assume max number of axes for bounds check */
113 if (rep.nEvents < 113 if (rep.nEvents <
114 (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) { 114 (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
 115 rep.nEvents * (rep.axes + 1) <= rep.length) {
115 size_t bsize = rep.nEvents * 116 size_t bsize = rep.nEvents *
116 (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); 117 (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
117 bufp = Xmalloc(bsize); 118 bufp = Xmalloc(bsize);
118 } else 119 } else
119 bufp = NULL; 120 bufp = NULL;
120 if (!bufp || !savp) { 121 if (!bufp || !savp) {
121 Xfree(bufp); 122 Xfree(bufp);
122 Xfree(savp); 123 Xfree(savp);
123 *nEvents = 0; 124 *nEvents = 0;
124 _XEatData(dpy, (unsigned long)size); 125 _XEatData(dpy, (unsigned long)size);
125 UnlockDisplay(dpy); 126 UnlockDisplay(dpy);
126 SyncHandle(); 127 SyncHandle();
127 return (NULL); 128 return (NULL);
cvs diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XGetFCtl.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XGetFCtl.c 2013/06/06 03:44:25 1.1.1.3.2.1
+++ xsrc/external/mit/libXi/dist/src/XGetFCtl.c 2016/10/05 10:47:17 1.1.1.3.2.2
@@ -59,26 +59,27 @@ SOFTWARE. @@ -59,26 +59,27 @@ SOFTWARE.
59#include "XIint.h" 59#include "XIint.h"
60#include <limits.h> 60#include <limits.h>
61 61
62XFeedbackState * 62XFeedbackState *
63XGetFeedbackControl( 63XGetFeedbackControl(
64 register Display *dpy, 64 register Display *dpy,
65 XDevice *dev, 65 XDevice *dev,
66 int *num_feedbacks) 66 int *num_feedbacks)
67{ 67{
68 XFeedbackState *Feedback = NULL; 68 XFeedbackState *Feedback = NULL;
69 XFeedbackState *Sav = NULL; 69 XFeedbackState *Sav = NULL;
70 xFeedbackState *f = NULL; 70 xFeedbackState *f = NULL;
71 xFeedbackState *sav = NULL; 71 xFeedbackState *sav = NULL;
 72 char *end = NULL;
72 xGetFeedbackControlReq *req; 73 xGetFeedbackControlReq *req;
73 xGetFeedbackControlReply rep; 74 xGetFeedbackControlReply rep;
74 XExtDisplayInfo *info = XInput_find_display(dpy); 75 XExtDisplayInfo *info = XInput_find_display(dpy);
75 76
76 LockDisplay(dpy); 77 LockDisplay(dpy);
77 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) 78 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1)
78 return ((XFeedbackState *) NoSuchExtension); 79 return ((XFeedbackState *) NoSuchExtension);
79 80
80 GetReq(GetFeedbackControl, req); 81 GetReq(GetFeedbackControl, req);
81 req->reqType = info->codes->major_opcode; 82 req->reqType = info->codes->major_opcode;
82 req->ReqType = X_GetFeedbackControl; 83 req->ReqType = X_GetFeedbackControl;
83 req->deviceid = dev->device_id; 84 req->deviceid = dev->device_id;
84 85
@@ -91,47 +92,51 @@ XGetFeedbackControl( @@ -91,47 +92,51 @@ XGetFeedbackControl(
91 int i; 92 int i;
92 93
93 *num_feedbacks = rep.num_feedbacks; 94 *num_feedbacks = rep.num_feedbacks;
94 95
95 if (rep.length < (INT_MAX >> 2)) { 96 if (rep.length < (INT_MAX >> 2)) {
96 nbytes = rep.length << 2; 97 nbytes = rep.length << 2;
97 f = Xmalloc(nbytes); 98 f = Xmalloc(nbytes);
98 } 99 }
99 if (!f) { 100 if (!f) {
100 _XEatData(dpy, (unsigned long)nbytes); 101 _XEatData(dpy, (unsigned long)nbytes);
101 goto out; 102 goto out;
102 } 103 }
103 sav = f; 104 sav = f;
 105 end = (char *)f + nbytes;
104 _XRead(dpy, (char *)f, nbytes); 106 _XRead(dpy, (char *)f, nbytes);
105 107
106 for (i = 0; i < *num_feedbacks; i++) { 108 for (i = 0; i < *num_feedbacks; i++) {
107 if (f->length > nbytes) 109 if ((char *)f + sizeof(*f) > end ||
 110 f->length == 0 || f->length > nbytes)
108 goto out; 111 goto out;
109 nbytes -= f->length; 112 nbytes -= f->length;
110 113
111 switch (f->class) { 114 switch (f->class) {
112 case KbdFeedbackClass: 115 case KbdFeedbackClass:
113 size += sizeof(XKbdFeedbackState); 116 size += sizeof(XKbdFeedbackState);
114 break; 117 break;
115 case PtrFeedbackClass: 118 case PtrFeedbackClass:
116 size += sizeof(XPtrFeedbackState); 119 size += sizeof(XPtrFeedbackState);
117 break; 120 break;
118 case IntegerFeedbackClass: 121 case IntegerFeedbackClass:
119 size += sizeof(XIntegerFeedbackState); 122 size += sizeof(XIntegerFeedbackState);
120 break; 123 break;
121 case StringFeedbackClass: 124 case StringFeedbackClass:
122 { 125 {
123 xStringFeedbackState *strf = (xStringFeedbackState *) f; 126 xStringFeedbackState *strf = (xStringFeedbackState *) f;
124 127
 128 if ((char *)f + sizeof(*strf) > end)
 129 goto out;
125 if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym))) 130 if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
126 goto out; 131 goto out;
127 size += sizeof(XStringFeedbackState) + 132 size += sizeof(XStringFeedbackState) +
128 (strf->num_syms_supported * sizeof(KeySym)); 133 (strf->num_syms_supported * sizeof(KeySym));
129 } 134 }
130 break; 135 break;
131 case LedFeedbackClass: 136 case LedFeedbackClass:
132 size += sizeof(XLedFeedbackState); 137 size += sizeof(XLedFeedbackState);
133 break; 138 break;
134 case BellFeedbackClass: 139 case BellFeedbackClass:
135 size += sizeof(XBellFeedbackState); 140 size += sizeof(XBellFeedbackState);
136 break; 141 break;
137 default: 142 default:
cvs diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XListDev.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XListDev.c 2013/06/06 03:44:25 1.1.1.3.2.1
+++ xsrc/external/mit/libXi/dist/src/XListDev.c 2016/10/05 10:47:17 1.1.1.3.2.2
@@ -50,50 +50,54 @@ SOFTWARE. @@ -50,50 +50,54 @@ SOFTWARE.
50 * available input devices. 50 * available input devices.
51 * 51 *
52 */ 52 */
53 53
54#include <X11/extensions/XI.h> 54#include <X11/extensions/XI.h>
55#include <X11/extensions/XIproto.h> 55#include <X11/extensions/XIproto.h>
56#include <X11/Xlibint.h> 56#include <X11/Xlibint.h>
57#include <X11/extensions/XInput.h> 57#include <X11/extensions/XInput.h>
58#include <X11/extensions/extutil.h> 58#include <X11/extensions/extutil.h>
59#include "XIint.h" 59#include "XIint.h"
60#include <limits.h> 60#include <limits.h>
61 61
62static size_t 62static size_t
63SizeClassInfo(xAnyClassPtr *any, int num_classes) 63SizeClassInfo(xAnyClassPtr *any, size_t len, int num_classes)
64{ 64{
65 int size = 0; 65 int size = 0;
66 int j; 66 int j;
67 for (j = 0; j < num_classes; j++) { 67 for (j = 0; j < num_classes; j++) {
68 switch ((*any)->class) { 68 switch ((*any)->class) {
69 case KeyClass: 69 case KeyClass:
70 size += sizeof(XKeyInfo); 70 size += sizeof(XKeyInfo);
71 break; 71 break;
72 case ButtonClass: 72 case ButtonClass:
73 size += sizeof(XButtonInfo); 73 size += sizeof(XButtonInfo);
74 break; 74 break;
75 case ValuatorClass: 75 case ValuatorClass:
76 { 76 {
77 xValuatorInfoPtr v; 77 xValuatorInfoPtr v;
78 78
 79 if (len < sizeof(v))
 80 return 0;
79 v = (xValuatorInfoPtr) *any; 81 v = (xValuatorInfoPtr) *any;
80 size += sizeof(XValuatorInfo) + 82 size += sizeof(XValuatorInfo) +
81 (v->num_axes * sizeof(XAxisInfo)); 83 (v->num_axes * sizeof(XAxisInfo));
82 break; 84 break;
83 } 85 }
84 default: 86 default:
85 break; 87 break;
86 } 88 }
 89 if ((*any)->length > len)
 90 return 0;
87 *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length); 91 *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
88 } 92 }
89 93
90 return size; 94 return size;
91} 95}
92 96
93static void 97static void
94ParseClassInfo(xAnyClassPtr *any, XAnyClassPtr *Any, int num_classes) 98ParseClassInfo(xAnyClassPtr *any, XAnyClassPtr *Any, int num_classes)
95{ 99{
96 int j, k; 100 int j, k;
97 101
98 for (j = 0; j < num_classes; j++) { 102 for (j = 0; j < num_classes; j++) {
99 switch ((*any)->class) { 103 switch ((*any)->class) {
@@ -145,34 +149,35 @@ ParseClassInfo(xAnyClassPtr *any, XAnyCl @@ -145,34 +149,35 @@ ParseClassInfo(xAnyClassPtr *any, XAnyCl
145 default: 149 default:
146 break; 150 break;
147 } 151 }
148 *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length); 152 *any = (xAnyClassPtr) ((char *)(*any) + (*any)->length);
149 *Any = (XAnyClassPtr) ((char *)(*Any) + (*Any)->length); 153 *Any = (XAnyClassPtr) ((char *)(*Any) + (*Any)->length);
150 } 154 }
151} 155}
152 156
153XDeviceInfo * 157XDeviceInfo *
154XListInputDevices( 158XListInputDevices(
155 register Display *dpy, 159 register Display *dpy,
156 int *ndevices) 160 int *ndevices)
157{ 161{
158 size_t size; 162 size_t s, size;
159 xListInputDevicesReq *req; 163 xListInputDevicesReq *req;
160 xListInputDevicesReply rep; 164 xListInputDevicesReply rep;
161 xDeviceInfo *list, *slist = NULL; 165 xDeviceInfo *list, *slist = NULL;
162 XDeviceInfo *sclist = NULL; 166 XDeviceInfo *sclist = NULL;
163 XDeviceInfo *clist = NULL; 167 XDeviceInfo *clist = NULL;
164 xAnyClassPtr any, sav_any; 168 xAnyClassPtr any, sav_any;
165 XAnyClassPtr Any; 169 XAnyClassPtr Any;
 170 char *end = NULL;
166 unsigned char *nptr, *Nptr; 171 unsigned char *nptr, *Nptr;
167 int i; 172 int i;
168 unsigned long rlen; 173 unsigned long rlen;
169 XExtDisplayInfo *info = XInput_find_display(dpy); 174 XExtDisplayInfo *info = XInput_find_display(dpy);
170 175
171 LockDisplay(dpy); 176 LockDisplay(dpy);
172 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) 177 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1)
173 return ((XDeviceInfo *) NULL); 178 return ((XDeviceInfo *) NULL);
174 179
175 GetReq(ListInputDevices, req); 180 GetReq(ListInputDevices, req);
176 req->reqType = info->codes->major_opcode; 181 req->reqType = info->codes->major_opcode;
177 req->ReqType = X_ListInputDevices; 182 req->ReqType = X_ListInputDevices;
178 183
@@ -188,36 +193,40 @@ XListInputDevices( @@ -188,36 +193,40 @@ XListInputDevices(
188 rlen = rep.length << 2; /* multiply length by 4 */ 193 rlen = rep.length << 2; /* multiply length by 4 */
189 slist = list = Xmalloc(rlen); 194 slist = list = Xmalloc(rlen);
190 } 195 }
191 if (!slist) { 196 if (!slist) {
192 _XEatData(dpy, (unsigned long)rlen); 197 _XEatData(dpy, (unsigned long)rlen);
193 UnlockDisplay(dpy); 198 UnlockDisplay(dpy);
194 SyncHandle(); 199 SyncHandle();
195 return (XDeviceInfo *) NULL; 200 return (XDeviceInfo *) NULL;
196 } 201 }
197 _XRead(dpy, (char *)list, rlen); 202 _XRead(dpy, (char *)list, rlen);
198 203
199 any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo))); 204 any = (xAnyClassPtr) ((char *)list + (*ndevices * sizeof(xDeviceInfo)));
200 sav_any = any; 205 sav_any = any;
 206 end = (char *)list + rlen;
201 for (i = 0; i < *ndevices; i++, list++) { 207 for (i = 0; i < *ndevices; i++, list++) {
202 size += SizeClassInfo(&any, (int)list->num_classes); 208 s = SizeClassInfo(&any, end - (char *)any, (int)list->num_classes);
 209 if (!s)
 210 goto out;
 211 size += s;
203 } 212 }
204 213
205 Nptr = ((unsigned char *)list) + rlen + 1; 214 Nptr = ((unsigned char *)list) + rlen;
206 for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) { 215 for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
 216 if (nptr >= Nptr)
 217 goto out;
207 size += *nptr + 1; 218 size += *nptr + 1;
208 nptr += (*nptr + 1); 219 nptr += (*nptr + 1);
209 if (nptr > Nptr) 
210 goto out; 
211 } 220 }
212 221
213 clist = (XDeviceInfoPtr) Xmalloc(size); 222 clist = (XDeviceInfoPtr) Xmalloc(size);
214 if (!clist) { 223 if (!clist) {
215 XFree((char *)slist); 224 XFree((char *)slist);
216 UnlockDisplay(dpy); 225 UnlockDisplay(dpy);
217 SyncHandle(); 226 SyncHandle();
218 return (XDeviceInfo *) NULL; 227 return (XDeviceInfo *) NULL;
219 } 228 }
220 sclist = clist; 229 sclist = clist;
221 Any = (XAnyClassPtr) ((char *)clist + 230 Any = (XAnyClassPtr) ((char *)clist +
222 (*ndevices * sizeof(XDeviceInfo))); 231 (*ndevices * sizeof(XDeviceInfo)));
223 list = slist; 232 list = slist;
cvs diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXi/dist/src/XQueryDv.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XQueryDv.c 2013/06/06 03:44:25 1.1.1.3.2.1
+++ xsrc/external/mit/libXi/dist/src/XQueryDv.c 2016/10/05 10:47:17 1.1.1.3.2.2
@@ -60,67 +60,71 @@ SOFTWARE. @@ -60,67 +60,71 @@ SOFTWARE.
60 60
61XDeviceState * 61XDeviceState *
62XQueryDeviceState( 62XQueryDeviceState(
63 register Display *dpy, 63 register Display *dpy,
64 XDevice *dev) 64 XDevice *dev)
65{ 65{
66 int i, j; 66 int i, j;
67 unsigned long rlen; 67 unsigned long rlen;
68 size_t size = 0; 68 size_t size = 0;
69 xQueryDeviceStateReq *req; 69 xQueryDeviceStateReq *req;
70 xQueryDeviceStateReply rep; 70 xQueryDeviceStateReply rep;
71 XDeviceState *state = NULL; 71 XDeviceState *state = NULL;
72 XInputClass *any, *Any; 72 XInputClass *any, *Any;
73 char *data = NULL; 73 char *data = NULL, *end = NULL;
74 XExtDisplayInfo *info = XInput_find_display(dpy); 74 XExtDisplayInfo *info = XInput_find_display(dpy);
75 75
76 LockDisplay(dpy); 76 LockDisplay(dpy);
77 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) 77 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1)
78 return ((XDeviceState *) NoSuchExtension); 78 return ((XDeviceState *) NoSuchExtension);
79 79
80 GetReq(QueryDeviceState, req); 80 GetReq(QueryDeviceState, req);
81 req->reqType = info->codes->major_opcode; 81 req->reqType = info->codes->major_opcode;
82 req->ReqType = X_QueryDeviceState; 82 req->ReqType = X_QueryDeviceState;
83 req->deviceid = dev->device_id; 83 req->deviceid = dev->device_id;
84 84
85 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) 85 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
86 goto out; 86 goto out;
87 87
88 if (rep.length > 0) { 88 if (rep.length > 0) {
89 if (rep.length < (INT_MAX >> 2)) { 89 if (rep.length < (INT_MAX >> 2)) {
90 rlen = (unsigned long) rep.length << 2; 90 rlen = (unsigned long) rep.length << 2;
91 data = Xmalloc(rlen); 91 data = Xmalloc(rlen);
 92 end = data + rlen;
92 } 93 }
93 if (!data) { 94 if (!data) {
94 _XEatData(dpy, (unsigned long)rlen); 95 _XEatData(dpy, (unsigned long)rlen);
95 goto out; 96 goto out;
96 } 97 }
97 _XRead(dpy, data, rlen); 98 _XRead(dpy, data, rlen);
98 99
99 for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) { 100 for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
100 if (any->length > rlen) 101 if ((char *)any + sizeof(XInputClass) > end ||
 102 any->length == 0 || any->length > rlen)
101 goto out; 103 goto out;
102 rlen -= any->length; 104 rlen -= any->length;
103 105
104 switch (any->class) { 106 switch (any->class) {
105 case KeyClass: 107 case KeyClass:
106 size += sizeof(XKeyState); 108 size += sizeof(XKeyState);
107 break; 109 break;
108 case ButtonClass: 110 case ButtonClass:
109 size += sizeof(XButtonState); 111 size += sizeof(XButtonState);
110 break; 112 break;
111 case ValuatorClass: 113 case ValuatorClass:
112 { 114 {
113 xValuatorState *v = (xValuatorState *) any; 115 xValuatorState *v = (xValuatorState *) any;
 116 if ((char *)any + sizeof(xValuatorState) > end)
 117 goto out;
114 size += (sizeof(XValuatorState) + 118 size += (sizeof(XValuatorState) +
115 (v->num_valuators * sizeof(int))); 119 (v->num_valuators * sizeof(int)));
116 } 120 }
117 break; 121 break;
118 } 122 }
119 any = (XInputClass *) ((char *)any + any->length); 123 any = (XInputClass *) ((char *)any + any->length);
120 } 124 }
121 state = (XDeviceState *) Xmalloc(size + sizeof(XDeviceState)); 125 state = (XDeviceState *) Xmalloc(size + sizeof(XDeviceState));
122 if (!state) 126 if (!state)
123 goto out; 127 goto out;
124 128
125 state->device_id = dev->device_id; 129 state->device_id = dev->device_id;
126 state->num_classes = rep.num_classes; 130 state->num_classes = rep.num_classes;
cvs diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXi/dist/src/XGetBMap.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XGetBMap.c 2013/06/06 03:44:25 1.1.1.2.2.1
+++ xsrc/external/mit/libXi/dist/src/XGetBMap.c 2016/10/05 10:47:17 1.1.1.2.2.2
@@ -78,27 +78,28 @@ XGetDeviceButtonMapping( @@ -78,27 +78,28 @@ XGetDeviceButtonMapping(
78 xGetDeviceButtonMappingReply rep; 78 xGetDeviceButtonMappingReply rep;
79 79
80 LockDisplay(dpy); 80 LockDisplay(dpy);
81 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) 81 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1)
82 return (NoSuchExtension); 82 return (NoSuchExtension);
83 GetReq(GetDeviceButtonMapping, req); 83 GetReq(GetDeviceButtonMapping, req);
84 84
85 req->reqType = info->codes->major_opcode; 85 req->reqType = info->codes->major_opcode;
86 req->ReqType = X_GetDeviceButtonMapping; 86 req->ReqType = X_GetDeviceButtonMapping;
87 req->deviceid = device->device_id; 87 req->deviceid = device->device_id;
88 88
89 status = _XReply(dpy, (xReply *) & rep, 0, xFalse); 89 status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
90 if (status == 1) { 90 if (status == 1) {
91 if (rep.length <= (sizeof(mapping) >> 2)) { 91 if (rep.length <= (sizeof(mapping) >> 2) &&
 92 rep.nElts <= (rep.length << 2)) {
92 unsigned long nbytes = rep.length << 2; 93 unsigned long nbytes = rep.length << 2;
93 _XRead(dpy, (char *)mapping, nbytes); 94 _XRead(dpy, (char *)mapping, nbytes);
94 95
95 /* don't return more data than the user asked for. */ 96 /* don't return more data than the user asked for. */
96 if (rep.nElts) 97 if (rep.nElts)
97 memcpy(map, mapping, MIN((int)rep.nElts, nmap)); 98 memcpy(map, mapping, MIN((int)rep.nElts, nmap));
98 status = rep.nElts; 99 status = rep.nElts;
99 } else { 100 } else {
100 _XEatData(dpy, rep.length << 2); 101 _XEatData(dpy, rep.length << 2);
101 status = 0; 102 status = 0;
102 } 103 }
103 } else 104 } else
104 status = 0; 105 status = 0;
cvs diff -r1.1.1.4.2.1 -r1.1.1.4.2.2 xsrc/external/mit/libXi/dist/src/XGetDCtl.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XGetDCtl.c 2013/06/06 03:44:25 1.1.1.4.2.1
+++ xsrc/external/mit/libXi/dist/src/XGetDCtl.c 2016/10/05 10:47:17 1.1.1.4.2.2
@@ -79,51 +79,53 @@ XGetDeviceControl( @@ -79,51 +79,53 @@ XGetDeviceControl(
79 79
80 GetReq(GetDeviceControl, req); 80 GetReq(GetDeviceControl, req);
81 req->reqType = info->codes->major_opcode; 81 req->reqType = info->codes->major_opcode;
82 req->ReqType = X_GetDeviceControl; 82 req->ReqType = X_GetDeviceControl;
83 req->deviceid = dev->device_id; 83 req->deviceid = dev->device_id;
84 req->control = control; 84 req->control = control;
85 85
86 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) 86 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
87 goto out; 87 goto out;
88 88
89 if (rep.length > 0) { 89 if (rep.length > 0) {
90 unsigned long nbytes; 90 unsigned long nbytes;
91 size_t size = 0; 91 size_t size = 0;
92 if (rep.length < (INT_MAX >> 2)) { 92 if (rep.length < (INT_MAX >> 2) &&
 93 (rep.length << 2) >= sizeof(xDeviceState)) {
93 nbytes = (unsigned long) rep.length << 2; 94 nbytes = (unsigned long) rep.length << 2;
94 d = Xmalloc(nbytes); 95 d = Xmalloc(nbytes);
95 } 96 }
96 if (!d) { 97 if (!d) {
97 _XEatData(dpy, (unsigned long)nbytes); 98 _XEatData(dpy, (unsigned long)nbytes);
98 goto out; 99 goto out;
99 } 100 }
100 sav = d; 101 sav = d;
101 _XRead(dpy, (char *)d, nbytes); 102 _XRead(dpy, (char *)d, nbytes);
102 103
103 /* In theory, we should just be able to use d->length to get the size. 104 /* In theory, we should just be able to use d->length to get the size.
104 * Turns out that a number of X servers (up to and including server 105 * Turns out that a number of X servers (up to and including server
105 * 1.4) sent the wrong length value down the wire. So to not break 106 * 1.4) sent the wrong length value down the wire. So to not break
106 * apps that run against older servers, we have to calculate the size 107 * apps that run against older servers, we have to calculate the size
107 * manually. 108 * manually.
108 */ 109 */
109 switch (d->control) { 110 switch (d->control) {
110 case DEVICE_RESOLUTION: 111 case DEVICE_RESOLUTION:
111 { 112 {
112 xDeviceResolutionState *r; 113 xDeviceResolutionState *r;
113 size_t val_size; 114 size_t val_size;
114 115
115 r = (xDeviceResolutionState *) d; 116 r = (xDeviceResolutionState *) d;
116 if (r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) 117 if (sizeof(xDeviceResolutionState) > nbytes ||
 118 r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
117 goto out; 119 goto out;
118 val_size = 3 * sizeof(int) * r->num_valuators; 120 val_size = 3 * sizeof(int) * r->num_valuators;
119 if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) 121 if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
120 goto out; 122 goto out;
121 size += sizeof(XDeviceResolutionState) + val_size; 123 size += sizeof(XDeviceResolutionState) + val_size;
122 break; 124 break;
123 } 125 }
124 case DEVICE_ABS_CALIB: 126 case DEVICE_ABS_CALIB:
125 { 127 {
126 if (sizeof(xDeviceAbsCalibState) > nbytes) 128 if (sizeof(xDeviceAbsCalibState) > nbytes)
127 goto out; 129 goto out;
128 size += sizeof(XDeviceAbsCalibState); 130 size += sizeof(XDeviceAbsCalibState);
129 break; 131 break;
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XGetKMap.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XGetKMap.c 2010/05/22 01:04:37 1.1.1.2
+++ xsrc/external/mit/libXi/dist/src/XGetKMap.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -40,26 +40,27 @@ HEWLETT-PACKARD BE LIABLE FOR ANY SPECIA @@ -40,26 +40,27 @@ HEWLETT-PACKARD BE LIABLE FOR ANY SPECIA
40ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, 40ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
41WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 41WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
42ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 42ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
43SOFTWARE. 43SOFTWARE.
44 44
45********************************************************/ 45********************************************************/
46 46
47/*********************************************************************** 47/***********************************************************************
48 * 48 *
49 * XGetDeviceKeyMapping - get the keymap of an extension device. 49 * XGetDeviceKeyMapping - get the keymap of an extension device.
50 * 50 *
51 */ 51 */
52 52
 53#include <limits.h>
53#include <X11/extensions/XI.h> 54#include <X11/extensions/XI.h>
54#include <X11/extensions/XIproto.h> 55#include <X11/extensions/XIproto.h>
55#include <X11/Xlibint.h> 56#include <X11/Xlibint.h>
56#include <X11/extensions/XInput.h> 57#include <X11/extensions/XInput.h>
57#include <X11/extensions/extutil.h> 58#include <X11/extensions/extutil.h>
58#include "XIint.h" 59#include "XIint.h"
59 60
60KeySym * 61KeySym *
61XGetDeviceKeyMapping(register Display * dpy, XDevice * dev, 62XGetDeviceKeyMapping(register Display * dpy, XDevice * dev,
62#if NeedWidePrototypes 63#if NeedWidePrototypes
63 unsigned int first, 64 unsigned int first,
64#else 65#else
65 KeyCode first, 66 KeyCode first,
@@ -79,26 +80,33 @@ XGetDeviceKeyMapping(register Display *  @@ -79,26 +80,33 @@ XGetDeviceKeyMapping(register Display *
79 GetReq(GetDeviceKeyMapping, req); 80 GetReq(GetDeviceKeyMapping, req);
80 req->reqType = info->codes->major_opcode; 81 req->reqType = info->codes->major_opcode;
81 req->ReqType = X_GetDeviceKeyMapping; 82 req->ReqType = X_GetDeviceKeyMapping;
82 req->deviceid = dev->device_id; 83 req->deviceid = dev->device_id;
83 req->firstKeyCode = first; 84 req->firstKeyCode = first;
84 req->count = keycount; 85 req->count = keycount;
85 86
86 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) { 87 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) {
87 UnlockDisplay(dpy); 88 UnlockDisplay(dpy);
88 SyncHandle(); 89 SyncHandle();
89 return (KeySym *) NULL; 90 return (KeySym *) NULL;
90 } 91 }
91 if (rep.length > 0) { 92 if (rep.length > 0) {
92 *syms_per_code = rep.keySymsPerKeyCode; 93 if (rep.length < INT_MAX >> 2 &&
93 nbytes = (long)rep.length << 2; 94 rep.length == rep.keySymsPerKeyCode * keycount) {
94 mapping = (KeySym *) Xmalloc((unsigned)nbytes); 95 *syms_per_code = rep.keySymsPerKeyCode;
 96 nbytes = (long)rep.length << 2;
 97 mapping = (KeySym *) Xmalloc((unsigned)nbytes);
 98 } else {
 99 *syms_per_code = 0;
 100 nbytes = 0;
 101 mapping = NULL;
 102 }
95 if (mapping) 103 if (mapping)
96 _XRead(dpy, (char *)mapping, nbytes); 104 _XRead(dpy, (char *)mapping, nbytes);
97 else 105 else
98 _XEatData(dpy, (unsigned long)nbytes); 106 _XEatData(dpy, (unsigned long)nbytes);
99 } 107 }
100 108
101 UnlockDisplay(dpy); 109 UnlockDisplay(dpy);
102 SyncHandle(); 110 SyncHandle();
103 return (mapping); 111 return (mapping);
104} 112}
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XGetMMap.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XGetMMap.c 2010/05/22 01:04:37 1.1.1.2
+++ xsrc/external/mit/libXi/dist/src/XGetMMap.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -40,26 +40,27 @@ HEWLETT-PACKARD BE LIABLE FOR ANY SPECIA @@ -40,26 +40,27 @@ HEWLETT-PACKARD BE LIABLE FOR ANY SPECIA
40ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, 40ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
41WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 41WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
42ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 42ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
43SOFTWARE. 43SOFTWARE.
44 44
45********************************************************/ 45********************************************************/
46 46
47/*********************************************************************** 47/***********************************************************************
48 * 48 *
49 * XGetDeviceModifierMapping - get the modifier map of an extension device. 49 * XGetDeviceModifierMapping - get the modifier map of an extension device.
50 * 50 *
51 */ 51 */
52 52
 53#include <limits.h>
53#include <X11/extensions/XI.h> 54#include <X11/extensions/XI.h>
54#include <X11/extensions/XIproto.h> 55#include <X11/extensions/XIproto.h>
55#include <X11/Xlibint.h> 56#include <X11/Xlibint.h>
56#include <X11/extensions/XInput.h> 57#include <X11/extensions/XInput.h>
57#include <X11/extensions/extutil.h> 58#include <X11/extensions/extutil.h>
58#include "XIint.h" 59#include "XIint.h"
59 60
60XModifierKeymap * 61XModifierKeymap *
61XGetDeviceModifierMapping( 62XGetDeviceModifierMapping(
62 register Display *dpy, 63 register Display *dpy,
63 XDevice *dev) 64 XDevice *dev)
64{ 65{
65 unsigned long nbytes; 66 unsigned long nbytes;
@@ -72,28 +73,34 @@ XGetDeviceModifierMapping( @@ -72,28 +73,34 @@ XGetDeviceModifierMapping(
72 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) 73 if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1)
73 return ((XModifierKeymap *) NoSuchExtension); 74 return ((XModifierKeymap *) NoSuchExtension);
74 75
75 GetReq(GetDeviceModifierMapping, req); 76 GetReq(GetDeviceModifierMapping, req);
76 req->reqType = info->codes->major_opcode; 77 req->reqType = info->codes->major_opcode;
77 req->ReqType = X_GetDeviceModifierMapping; 78 req->ReqType = X_GetDeviceModifierMapping;
78 req->deviceid = dev->device_id; 79 req->deviceid = dev->device_id;
79 80
80 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) { 81 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) {
81 UnlockDisplay(dpy); 82 UnlockDisplay(dpy);
82 SyncHandle(); 83 SyncHandle();
83 return (XModifierKeymap *) NULL; 84 return (XModifierKeymap *) NULL;
84 } 85 }
85 nbytes = (unsigned long)rep.length << 2; 86 if (rep.length < (INT_MAX >> 2) &&
86 res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap)); 87 rep.numKeyPerModifier == rep.length >> 1) {
 88 nbytes = (unsigned long)rep.length << 2;
 89 res = (XModifierKeymap *) Xmalloc(sizeof(XModifierKeymap));
 90 } else {
 91 nbytes = 0;
 92 res = NULL;
 93 }
87 if (res) { 94 if (res) {
88 res->modifiermap = (KeyCode *) Xmalloc(nbytes); 95 res->modifiermap = (KeyCode *) Xmalloc(nbytes);
89 if (res->modifiermap) 96 if (res->modifiermap)
90 _XReadPad(dpy, (char *)res->modifiermap, nbytes); 97 _XReadPad(dpy, (char *)res->modifiermap, nbytes);
91 else 98 else
92 _XEatData(dpy, (unsigned long)nbytes); 99 _XEatData(dpy, (unsigned long)nbytes);
93 res->max_keypermod = rep.numKeyPerModifier; 100 res->max_keypermod = rep.numKeyPerModifier;
94 } 101 }
95 102
96 UnlockDisplay(dpy); 103 UnlockDisplay(dpy);
97 SyncHandle(); 104 SyncHandle();
98 return (res); 105 return (res);
99} 106}
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XIQueryDevice.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XIQueryDevice.c 2011/07/23 12:22:26 1.1.1.2
+++ xsrc/external/mit/libXi/dist/src/XIQueryDevice.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -12,99 +12,131 @@ @@ -12,99 +12,131 @@
12 * paragraph) shall be included in all copies or substantial portions of the 12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software. 13 * Software.
14 * 14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
21 * DEALINGS IN THE SOFTWARE. 21 * DEALINGS IN THE SOFTWARE.
22 * 22 *
23 */ 23 */
24 24
 25#include <limits.h>
25#include <stdint.h> 26#include <stdint.h>
26#include <X11/Xlibint.h> 27#include <X11/Xlibint.h>
27#include <X11/extensions/XI2proto.h> 28#include <X11/extensions/XI2proto.h>
28#include <X11/extensions/XInput2.h> 29#include <X11/extensions/XInput2.h>
29#include <X11/extensions/extutil.h> 30#include <X11/extensions/extutil.h>
30#include "XIint.h" 31#include "XIint.h"
31 32
32extern int copy_classes(XIDeviceInfo* to, xXIAnyInfo* from, int nclasses); 33extern int copy_classes(XIDeviceInfo* to, xXIAnyInfo* from, int nclasses);
33extern int size_classes(xXIAnyInfo* from, int nclasses); 34extern int size_classes(xXIAnyInfo* from, int nclasses);
34 35
35XIDeviceInfo* 36XIDeviceInfo*
36XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return) 37XIQueryDevice(Display *dpy, int deviceid, int *ndevices_return)
37{ 38{
38 XIDeviceInfo *info = NULL; 39 XIDeviceInfo *info = NULL;
39 xXIQueryDeviceReq *req; 40 xXIQueryDeviceReq *req;
40 xXIQueryDeviceReply reply; 41 xXIQueryDeviceReply reply;
41 char *ptr; 42 char *ptr;
 43 char *end;
42 int i; 44 int i;
43 char *buf; 45 char *buf;
44 46
45 XExtDisplayInfo *extinfo = XInput_find_display(dpy); 47 XExtDisplayInfo *extinfo = XInput_find_display(dpy);
46 48
47 LockDisplay(dpy); 49 LockDisplay(dpy);
48 if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1) 50 if (_XiCheckExtInit(dpy, XInput_2_0, extinfo) == -1)
49 goto error; 51 goto error;
50 52
51 GetReq(XIQueryDevice, req); 53 GetReq(XIQueryDevice, req);
52 req->reqType = extinfo->codes->major_opcode; 54 req->reqType = extinfo->codes->major_opcode;
53 req->ReqType = X_XIQueryDevice; 55 req->ReqType = X_XIQueryDevice;
54 req->deviceid = deviceid; 56 req->deviceid = deviceid;
55 57
56 if (!_XReply(dpy, (xReply*) &reply, 0, xFalse)) 58 if (!_XReply(dpy, (xReply*) &reply, 0, xFalse))
57 goto error; 59 goto error;
58 60
59 *ndevices_return = reply.num_devices; 61 if (reply.length < INT_MAX / 4)
60 info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo)); 62 {
 63 *ndevices_return = reply.num_devices;
 64 info = Xmalloc((reply.num_devices + 1) * sizeof(XIDeviceInfo));
 65 }
 66 else
 67 {
 68 *ndevices_return = 0;
 69 info = NULL;
 70 }
 71
61 if (!info) 72 if (!info)
62 goto error; 73 goto error;
63 74
64 buf = Xmalloc(reply.length * 4); 75 buf = Xmalloc(reply.length * 4);
65 _XRead(dpy, buf, reply.length * 4); 76 _XRead(dpy, buf, reply.length * 4);
66 ptr = buf; 77 ptr = buf;
 78 end = buf + reply.length * 4;
67 79
68 /* info is a null-terminated array */ 80 /* info is a null-terminated array */
69 info[reply.num_devices].name = NULL; 81 info[reply.num_devices].name = NULL;
70 82
71 for (i = 0; i < reply.num_devices; i++) 83 for (i = 0; i < reply.num_devices; i++)
72 { 84 {
73 XIDeviceInfo *lib = &info[i]; 85 XIDeviceInfo *lib = &info[i];
74 xXIDeviceInfo *wire = (xXIDeviceInfo*)ptr; 86 xXIDeviceInfo *wire = (xXIDeviceInfo*)ptr;
75 87
 88 if (ptr + sizeof(xXIDeviceInfo) > end)
 89 goto error_loop;
 90
76 lib->deviceid = wire->deviceid; 91 lib->deviceid = wire->deviceid;
77 lib->use = wire->use; 92 lib->use = wire->use;
78 lib->attachment = wire->attachment; 93 lib->attachment = wire->attachment;
79 lib->enabled = wire->enabled; 94 lib->enabled = wire->enabled;
80 lib->num_classes = wire->num_classes; 95 lib->num_classes = wire->num_classes;
81 lib->classes = (XIAnyClassInfo**)&lib[1]; 96 lib->classes = (XIAnyClassInfo**)&lib[1];
82 97
83 ptr += sizeof(xXIDeviceInfo); 98 ptr += sizeof(xXIDeviceInfo);
84 99
 100 if (ptr + wire->name_len > end)
 101 goto error_loop;
 102
85 lib->name = Xcalloc(wire->name_len + 1, 1); 103 lib->name = Xcalloc(wire->name_len + 1, 1);
 104 if (lib->name == NULL)
 105 goto error_loop;
86 strncpy(lib->name, ptr, wire->name_len); 106 strncpy(lib->name, ptr, wire->name_len);
 107 lib->name[wire->name_len] = '\0';
87 ptr += ((wire->name_len + 3)/4) * 4; 108 ptr += ((wire->name_len + 3)/4) * 4;
88 109
89 lib->classes = Xmalloc(size_classes((xXIAnyInfo*)ptr, lib->num_classes)); 110 lib->classes = Xmalloc(size_classes((xXIAnyInfo*)ptr, lib->num_classes));
 111 if (lib->classes == NULL)
 112 {
 113 Xfree(lib->name);
 114 goto error_loop;
 115 }
90 ptr += copy_classes(lib, (xXIAnyInfo*)ptr, lib->num_classes); 116 ptr += copy_classes(lib, (xXIAnyInfo*)ptr, lib->num_classes);
91 } 117 }
92 118
93 Xfree(buf); 119 Xfree(buf);
94 UnlockDisplay(dpy); 120 UnlockDisplay(dpy);
95 SyncHandle(); 121 SyncHandle();
96 return info; 122 return info;
97 123
 124error_loop:
 125 while (--i >= 0)
 126 {
 127 Xfree(info[i].name);
 128 Xfree(info[i].classes);
 129 }
98error: 130error:
99 UnlockDisplay(dpy); 131 UnlockDisplay(dpy);
100 SyncHandle(); 132 SyncHandle();
101 *ndevices_return = -1; 133 *ndevices_return = -1;
102 return NULL; 134 return NULL;
103} 135}
104 136
105void 137void
106XIFreeDeviceInfo(XIDeviceInfo* info) 138XIFreeDeviceInfo(XIDeviceInfo* info)
107{ 139{
108 XIDeviceInfo *ptr = info; 140 XIDeviceInfo *ptr = info;
109 while(ptr->name) 141 while(ptr->name)
110 { 142 {
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXi/dist/src/XOpenDev.c (expand / switch to unified diff)

--- xsrc/external/mit/libXi/dist/src/XOpenDev.c 2010/05/22 01:04:37 1.1.1.2
+++ xsrc/external/mit/libXi/dist/src/XOpenDev.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -40,26 +40,27 @@ HEWLETT-PACKARD BE LIABLE FOR ANY SPECIA @@ -40,26 +40,27 @@ HEWLETT-PACKARD BE LIABLE FOR ANY SPECIA
40ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, 40ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
41WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 41WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
42ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 42ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
43SOFTWARE. 43SOFTWARE.
44 44
45********************************************************/ 45********************************************************/
46 46
47/*********************************************************************** 47/***********************************************************************
48 * 48 *
49 * XOpenDevice - Request the server to open and extension input device. 49 * XOpenDevice - Request the server to open and extension input device.
50 * 50 *
51 */ 51 */
52 52
 53#include <limits.h>
53#include <X11/extensions/XI.h> 54#include <X11/extensions/XI.h>
54#include <X11/extensions/XIproto.h> 55#include <X11/extensions/XIproto.h>
55#include <X11/Xlibint.h> 56#include <X11/Xlibint.h>
56#include <X11/extensions/XInput.h> 57#include <X11/extensions/XInput.h>
57#include <X11/extensions/extutil.h> 58#include <X11/extensions/extutil.h>
58#include "XIint.h" 59#include "XIint.h"
59 60
60XDevice * 61XDevice *
61XOpenDevice( 62XOpenDevice(
62 register Display *dpy, 63 register Display *dpy,
63 register XID id) 64 register XID id)
64{ 65{
65 register long rlen; /* raw length */ 66 register long rlen; /* raw length */
@@ -73,29 +74,35 @@ XOpenDevice( @@ -73,29 +74,35 @@ XOpenDevice(
73 return ((XDevice *) NoSuchExtension); 74 return ((XDevice *) NoSuchExtension);
74 75
75 GetReq(OpenDevice, req); 76 GetReq(OpenDevice, req);
76 req->reqType = info->codes->major_opcode; 77 req->reqType = info->codes->major_opcode;
77 req->ReqType = X_OpenDevice; 78 req->ReqType = X_OpenDevice;
78 req->deviceid = id; 79 req->deviceid = id;
79 80
80 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) { 81 if (!_XReply(dpy, (xReply *) & rep, 0, xFalse)) {
81 UnlockDisplay(dpy); 82 UnlockDisplay(dpy);
82 SyncHandle(); 83 SyncHandle();
83 return (XDevice *) NULL; 84 return (XDevice *) NULL;
84 } 85 }
85 86
86 rlen = rep.length << 2; 87 if (rep.length < INT_MAX >> 2 &&
87 dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes * 88 (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) {
88 sizeof(XInputClassInfo)); 89 rlen = rep.length << 2;
 90 dev = (XDevice *) Xmalloc(sizeof(XDevice) + rep.num_classes *
 91 sizeof(XInputClassInfo));
 92 } else {
 93 rlen = 0;
 94 dev = NULL;
 95 }
89 if (dev) { 96 if (dev) {
90 int dlen; /* data length */ 97 int dlen; /* data length */
91 98
92 dev->device_id = req->deviceid; 99 dev->device_id = req->deviceid;
93 dev->num_classes = rep.num_classes; 100 dev->num_classes = rep.num_classes;
94 dev->classes = (XInputClassInfo *) ((char *)dev + sizeof(XDevice)); 101 dev->classes = (XInputClassInfo *) ((char *)dev + sizeof(XDevice));
95 dlen = rep.num_classes * sizeof(xInputClassInfo); 102 dlen = rep.num_classes * sizeof(xInputClassInfo);
96 _XRead(dpy, (char *)dev->classes, dlen); 103 _XRead(dpy, (char *)dev->classes, dlen);
97 /* could be padding that we still need to eat (yummy!) */ 104 /* could be padding that we still need to eat (yummy!) */
98 if (rlen - dlen > 0) 105 if (rlen - dlen > 0)
99 _XEatData(dpy, (unsigned long)rlen - dlen); 106 _XEatData(dpy, (unsigned long)rlen - dlen);
100 } else 107 } else
101 _XEatData(dpy, (unsigned long)rlen); 108 _XEatData(dpy, (unsigned long)rlen);
cvs diff -r1.1.1.3 -r1.1.1.3.2.1 xsrc/external/mit/libXrandr/dist/src/XrrConfig.c (expand / switch to unified diff)

--- xsrc/external/mit/libXrandr/dist/src/XrrConfig.c 2010/11/21 05:48:25 1.1.1.3
+++ xsrc/external/mit/libXrandr/dist/src/XrrConfig.c 2016/10/05 10:47:17 1.1.1.3.2.1
@@ -19,26 +19,27 @@ @@ -19,26 +19,27 @@
19 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 19 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
20 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 20 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
21 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 21 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22 * OF THIS SOFTWARE. 22 * OF THIS SOFTWARE.
23 * 23 *
24 * Author: Jim Gettys, HP Labs, HP. 24 * Author: Jim Gettys, HP Labs, HP.
25 * Author: Keith Packard, Intel Corporation 25 * Author: Keith Packard, Intel Corporation
26 */ 26 */
27 27
28#ifdef HAVE_CONFIG_H 28#ifdef HAVE_CONFIG_H
29#include <config.h> 29#include <config.h>
30#endif 30#endif
31 31
 32#include <limits.h>
32#include <stdio.h> 33#include <stdio.h>
33#include <X11/Xlib.h> 34#include <X11/Xlib.h>
34/* we need to be able to manipulate the Display structure on events */ 35/* we need to be able to manipulate the Display structure on events */
35#include <X11/Xlibint.h> 36#include <X11/Xlibint.h>
36#include <X11/extensions/render.h> 37#include <X11/extensions/render.h>
37#include <X11/extensions/Xrender.h> 38#include <X11/extensions/Xrender.h>
38#include "Xrandrint.h" 39#include "Xrandrint.h"
39 40
40static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy, 41static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
41 XExtDisplayInfo *info, 42 XExtDisplayInfo *info,
42 Window window); 43 Window window);
43 44
44Rotation XRRConfigRotations(XRRScreenConfiguration *config, Rotation *current_rotation) 45Rotation XRRConfigRotations(XRRScreenConfiguration *config, Rotation *current_rotation)
@@ -263,42 +264,52 @@ static XRRScreenConfiguration *_XRRGetSc @@ -263,42 +264,52 @@ static XRRScreenConfiguration *_XRRGetSc
263 xrri->minor_version = async_state.minor_version; 264 xrri->minor_version = async_state.minor_version;
264 xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version); 265 xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
265 } 266 }
266 267
267 /* 268 /*
268 * Make the reply compatible with v1.1 269 * Make the reply compatible with v1.1
269 */ 270 */
270 if (!xrri->has_rates) 271 if (!xrri->has_rates)
271 { 272 {
272 rep.rate = 0; 273 rep.rate = 0;
273 rep.nrateEnts = 0; 274 rep.nrateEnts = 0;
274 } 275 }
275  276
276 nbytes = (long) rep.length << 2; 277 if (rep.length < INT_MAX >> 2) {
 278 nbytes = (long) rep.length << 2;
 279
 280 nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
 281 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
277 282
278 nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + 283 nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
279 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); 284 ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
280  285 /*
281 /*  286 * first we must compute how much space to allocate for
282 * first we must compute how much space to allocate for  287 * randr library's use; we'll allocate the structures in a single
283 * randr library's use; we'll allocate the structures in a single 288 * allocation, on cleanlyness grounds.
284 * allocation, on cleanlyness grounds. 289 */
285 */ 290
286 291 rbytes = sizeof (XRRScreenConfiguration) +
287 rbytes = sizeof (XRRScreenConfiguration) + 292 (rep.nSizes * sizeof (XRRScreenSize) +
288 (rep.nSizes * sizeof (XRRScreenSize) + 293 rep.nrateEnts * sizeof (int));
289 rep.nrateEnts * sizeof (int)); 
290 294
291 scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); 295 scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
 296 } else {
 297 nbytes = 0;
 298 nbytesRead = 0;
 299 rbytes = 0;
 300 scp = NULL;
 301 }
 302
292 if (scp == NULL) { 303 if (scp == NULL) {
293 _XEatData (dpy, (unsigned long) nbytes); 304 _XEatData (dpy, (unsigned long) nbytes);
294 return NULL; 305 return NULL;
295 } 306 }
296 307
297 308
298 ssp = (XRRScreenSize *)(scp + 1); 309 ssp = (XRRScreenSize *)(scp + 1);
299 rates = (short *) (ssp + rep.nSizes); 310 rates = (short *) (ssp + rep.nSizes);
300 311
301 /* set up the screen configuration structure */ 312 /* set up the screen configuration structure */
302 scp->screen =  313 scp->screen =
303 ScreenOfDisplay (dpy, XRRRootToScreen(dpy, rep.root)); 314 ScreenOfDisplay (dpy, XRRRootToScreen(dpy, rep.root));
304 315
cvs diff -r1.1.1.3 -r1.1.1.3.2.1 xsrc/external/mit/libXrandr/dist/src/XrrCrtc.c (expand / switch to unified diff)

--- xsrc/external/mit/libXrandr/dist/src/XrrCrtc.c 2010/11/21 05:48:25 1.1.1.3
+++ xsrc/external/mit/libXrandr/dist/src/XrrCrtc.c 2016/10/05 10:47:17 1.1.1.3.2.1
@@ -14,26 +14,27 @@ @@ -14,26 +14,27 @@
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE. 20 * OF THIS SOFTWARE.
21 */ 21 */
22 22
23#ifdef HAVE_CONFIG_H 23#ifdef HAVE_CONFIG_H
24#include <config.h> 24#include <config.h>
25#endif 25#endif
26 26
 27#include <limits.h>
27#include <stdio.h> 28#include <stdio.h>
28#include <X11/Xlib.h> 29#include <X11/Xlib.h>
29/* we need to be able to manipulate the Display structure on events */ 30/* we need to be able to manipulate the Display structure on events */
30#include <X11/Xlibint.h> 31#include <X11/Xlibint.h>
31#include <X11/extensions/render.h> 32#include <X11/extensions/render.h>
32#include <X11/extensions/Xrender.h> 33#include <X11/extensions/Xrender.h>
33#include "Xrandrint.h" 34#include "Xrandrint.h"
34 35
35XRRCrtcInfo * 36XRRCrtcInfo *
36XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) 37XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
37{ 38{
38 XExtDisplayInfo *info = XRRFindDisplay(dpy); 39 XExtDisplayInfo *info = XRRFindDisplay(dpy);
39 xRRGetCrtcInfoReply rep; 40 xRRGetCrtcInfoReply rep;
@@ -47,42 +48,53 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenR @@ -47,42 +48,53 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenR
47 GetReq (RRGetCrtcInfo, req); 48 GetReq (RRGetCrtcInfo, req);
48 req->reqType = info->codes->major_opcode; 49 req->reqType = info->codes->major_opcode;
49 req->randrReqType = X_RRGetCrtcInfo; 50 req->randrReqType = X_RRGetCrtcInfo;
50 req->crtc = crtc; 51 req->crtc = crtc;
51 req->configTimestamp = resources->configTimestamp; 52 req->configTimestamp = resources->configTimestamp;
52 53
53 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) 54 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
54 { 55 {
55 UnlockDisplay (dpy); 56 UnlockDisplay (dpy);
56 SyncHandle (); 57 SyncHandle ();
57 return NULL; 58 return NULL;
58 } 59 }
59 60
60 nbytes = (long) rep.length << 2; 61 if (rep.length < INT_MAX >> 2)
 62 {
 63 nbytes = (long) rep.length << 2;
61 64
62 nbytesRead = (long) (rep.nOutput * 4 + 65 nbytesRead = (long) (rep.nOutput * 4 +
63 rep.nPossibleOutput * 4); 66 rep.nPossibleOutput * 4);
64 67
65 /*  68 /*
66 * first we must compute how much space to allocate for  69 * first we must compute how much space to allocate for
67 * randr library's use; we'll allocate the structures in a single 70 * randr library's use; we'll allocate the structures in a single
68 * allocation, on cleanlyness grounds. 71 * allocation, on cleanlyness grounds.
69 */ 72 */
 73
 74 rbytes = (sizeof (XRRCrtcInfo) +
 75 rep.nOutput * sizeof (RROutput) +
 76 rep.nPossibleOutput * sizeof (RROutput));
70 77
71 rbytes = (sizeof (XRRCrtcInfo) + 78 xci = (XRRCrtcInfo *) Xmalloc(rbytes);
72 rep.nOutput * sizeof (RROutput) + 79 }
73 rep.nPossibleOutput * sizeof (RROutput)); 80 else
 81 {
 82 nbytes = 0;
 83 nbytesRead = 0;
 84 rbytes = 0;
 85 xci = NULL;
 86 }
74 87
75 xci = (XRRCrtcInfo *) Xmalloc(rbytes); 
76 if (xci == NULL) { 88 if (xci == NULL) {
77 _XEatData (dpy, (unsigned long) nbytes); 89 _XEatData (dpy, (unsigned long) nbytes);
78 UnlockDisplay (dpy); 90 UnlockDisplay (dpy);
79 SyncHandle (); 91 SyncHandle ();
80 return NULL; 92 return NULL;
81 } 93 }
82 94
83 xci->timestamp = rep.timestamp; 95 xci->timestamp = rep.timestamp;
84 xci->x = rep.x; 96 xci->x = rep.x;
85 xci->y = rep.y; 97 xci->y = rep.y;
86 xci->width = rep.width; 98 xci->width = rep.width;
87 xci->height = rep.height; 99 xci->height = rep.height;
88 xci->mode = rep.mode; 100 xci->mode = rep.mode;
@@ -184,32 +196,41 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc cr @@ -184,32 +196,41 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc cr
184 long nbytesRead; 196 long nbytesRead;
185 197
186 RRCheckExtension (dpy, info, NULL); 198 RRCheckExtension (dpy, info, NULL);
187 199
188 LockDisplay(dpy); 200 LockDisplay(dpy);
189 GetReq (RRGetCrtcGamma, req); 201 GetReq (RRGetCrtcGamma, req);
190 req->reqType = info->codes->major_opcode; 202 req->reqType = info->codes->major_opcode;
191 req->randrReqType = X_RRGetCrtcGamma; 203 req->randrReqType = X_RRGetCrtcGamma;
192 req->crtc = crtc; 204 req->crtc = crtc;
193 205
194 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) 206 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
195 goto out; 207 goto out;
196 208
197 nbytes = (long) rep.length << 2; 209 if (rep.length < INT_MAX >> 2)
 210 {
 211 nbytes = (long) rep.length << 2;
198  212
199 /* three channels of CARD16 data */ 213 /* three channels of CARD16 data */
200 nbytesRead = (rep.size * 2 * 3); 214 nbytesRead = (rep.size * 2 * 3);
201 215
202 crtc_gamma = XRRAllocGamma (rep.size); 216 crtc_gamma = XRRAllocGamma (rep.size);
 217 }
 218 else
 219 {
 220 nbytes = 0;
 221 nbytesRead = 0;
 222 crtc_gamma = NULL;
 223 }
203  224
204 if (!crtc_gamma) 225 if (!crtc_gamma)
205 { 226 {
206 _XEatData (dpy, (unsigned long) nbytes); 227 _XEatData (dpy, (unsigned long) nbytes);
207 goto out; 228 goto out;
208 } 229 }
209 _XRead16 (dpy, crtc_gamma->red, rep.size * 2); 230 _XRead16 (dpy, crtc_gamma->red, rep.size * 2);
210 _XRead16 (dpy, crtc_gamma->green, rep.size * 2); 231 _XRead16 (dpy, crtc_gamma->green, rep.size * 2);
211 _XRead16 (dpy, crtc_gamma->blue, rep.size * 2); 232 _XRead16 (dpy, crtc_gamma->blue, rep.size * 2);
212  233
213 if (nbytes > nbytesRead) 234 if (nbytes > nbytesRead)
214 _XEatData (dpy, (unsigned long) (nbytes - nbytesRead)); 235 _XEatData (dpy, (unsigned long) (nbytes - nbytesRead));
215 236
@@ -347,27 +368,27 @@ _XRRHasTransform (int major, int minor) @@ -347,27 +368,27 @@ _XRRHasTransform (int major, int minor)
347 return major > 1 || (major == 1 && minor >= 3); 368 return major > 1 || (major == 1 && minor >= 3);
348} 369}
349 370
350Status 371Status
351XRRGetCrtcTransform (Display *dpy, 372XRRGetCrtcTransform (Display *dpy,
352 RRCrtc crtc, 373 RRCrtc crtc,
353 XRRCrtcTransformAttributes **attributes) 374 XRRCrtcTransformAttributes **attributes)
354{ 375{
355 XExtDisplayInfo *info = XRRFindDisplay(dpy); 376 XExtDisplayInfo *info = XRRFindDisplay(dpy);
356 xRRGetCrtcTransformReply rep; 377 xRRGetCrtcTransformReply rep;
357 xRRGetCrtcTransformReq *req; 378 xRRGetCrtcTransformReq *req;
358 int major_version, minor_version; 379 int major_version, minor_version;
359 XRRCrtcTransformAttributes *attr; 380 XRRCrtcTransformAttributes *attr;
360 char *extra = NULL, *e; 381 char *extra = NULL, *end = NULL, *e;
361 int p; 382 int p;
362 383
363 *attributes = NULL; 384 *attributes = NULL;
364 385
365 RRCheckExtension (dpy, info, False); 386 RRCheckExtension (dpy, info, False);
366 387
367 if (!XRRQueryVersion (dpy, &major_version, &minor_version) ||  388 if (!XRRQueryVersion (dpy, &major_version, &minor_version) ||
368 !_XRRHasTransform (major_version, minor_version)) 389 !_XRRHasTransform (major_version, minor_version))
369 { 390 {
370 /* For pre-1.3 servers, just report identity matrices everywhere */ 391 /* For pre-1.3 servers, just report identity matrices everywhere */
371 rep.pendingTransform = identity; 392 rep.pendingTransform = identity;
372 rep.pendingNbytesFilter = 0; 393 rep.pendingNbytesFilter = 0;
373 rep.pendingNparamsFilter = 0; 394 rep.pendingNparamsFilter = 0;
@@ -385,29 +406,33 @@ XRRGetCrtcTransform (Display *dpy, @@ -385,29 +406,33 @@ XRRGetCrtcTransform (Display *dpy,
385  406
386 if (!_XReply (dpy, (xReply *) &rep, CrtcTransformExtra >> 2, xFalse)) 407 if (!_XReply (dpy, (xReply *) &rep, CrtcTransformExtra >> 2, xFalse))
387 { 408 {
388 rep.pendingTransform = identity; 409 rep.pendingTransform = identity;
389 rep.pendingNbytesFilter = 0; 410 rep.pendingNbytesFilter = 0;
390 rep.pendingNparamsFilter = 0; 411 rep.pendingNparamsFilter = 0;
391 rep.currentTransform = identity; 412 rep.currentTransform = identity;
392 rep.currentNbytesFilter = 0; 413 rep.currentNbytesFilter = 0;
393 rep.currentNparamsFilter = 0; 414 rep.currentNparamsFilter = 0;
394 } 415 }
395 else 416 else
396 { 417 {
397 int extraBytes = rep.length * 4 - CrtcTransformExtra; 418 int extraBytes = rep.length * 4 - CrtcTransformExtra;
398 extra = Xmalloc (extraBytes); 419 if (rep.length < INT_MAX / 4 &&
 420 rep.length * 4 >= CrtcTransformExtra) {
 421 extra = Xmalloc (extraBytes);
 422 end = extra + extraBytes;
 423 } else
 424 extra = NULL;
399 if (!extra) { 425 if (!extra) {
400 _XEatData (dpy, extraBytes); 
401 UnlockDisplay (dpy); 426 UnlockDisplay (dpy);
402 SyncHandle (); 427 SyncHandle ();
403 return False; 428 return False;
404 } 429 }
405 _XRead (dpy, extra, extraBytes); 430 _XRead (dpy, extra, extraBytes);
406 } 431 }
407 432
408 UnlockDisplay (dpy); 433 UnlockDisplay (dpy);
409 SyncHandle (); 434 SyncHandle ();
410 } 435 }
411 436
412 attr = Xmalloc (sizeof (XRRCrtcTransformAttributes) + 437 attr = Xmalloc (sizeof (XRRCrtcTransformAttributes) +
413 rep.pendingNparamsFilter * sizeof (XFixed) + 438 rep.pendingNparamsFilter * sizeof (XFixed) +
@@ -419,42 +444,58 @@ XRRGetCrtcTransform (Display *dpy, @@ -419,42 +444,58 @@ XRRGetCrtcTransform (Display *dpy,
419 XFree (extra); 444 XFree (extra);
420 return False; 445 return False;
421 } 446 }
422 XTransform_from_xRenderTransform (&attr->pendingTransform, &rep.pendingTransform); 447 XTransform_from_xRenderTransform (&attr->pendingTransform, &rep.pendingTransform);
423 XTransform_from_xRenderTransform (&attr->currentTransform, &rep.currentTransform); 448 XTransform_from_xRenderTransform (&attr->currentTransform, &rep.currentTransform);
424 449
425 attr->pendingParams = (XFixed *) (attr + 1); 450 attr->pendingParams = (XFixed *) (attr + 1);
426 attr->currentParams = attr->pendingParams + rep.pendingNparamsFilter; 451 attr->currentParams = attr->pendingParams + rep.pendingNparamsFilter;
427 attr->pendingFilter = (char *) (attr->currentParams + rep.currentNparamsFilter); 452 attr->pendingFilter = (char *) (attr->currentParams + rep.currentNparamsFilter);
428 attr->currentFilter = attr->pendingFilter + rep.pendingNbytesFilter + 1; 453 attr->currentFilter = attr->pendingFilter + rep.pendingNbytesFilter + 1;
429 454
430 e = extra; 455 e = extra;
431 456
 457 if (e + rep.pendingNbytesFilter > end) {
 458 XFree (extra);
 459 return False;
 460 }
432 memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter); 461 memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
433 attr->pendingFilter[rep.pendingNbytesFilter] = '\0'; 462 attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
434 e += (rep.pendingNbytesFilter + 3) & ~3; 463 e += (rep.pendingNbytesFilter + 3) & ~3;
435 for (p = 0; p < rep.pendingNparamsFilter; p++) { 464 for (p = 0; p < rep.pendingNparamsFilter; p++) {
436 INT32 f; 465 INT32 f;
 466 if (e + 4 > end) {
 467 XFree (extra);
 468 return False;
 469 }
437 memcpy (&f, e, 4); 470 memcpy (&f, e, 4);
438 e += 4; 471 e += 4;
439 attr->pendingParams[p] = (XFixed) f; 472 attr->pendingParams[p] = (XFixed) f;
440 } 473 }
441 attr->pendingNparams = rep.pendingNparamsFilter; 474 attr->pendingNparams = rep.pendingNparamsFilter;
442 475
 476 if (e + rep.currentNbytesFilter > end) {
 477 XFree (extra);
 478 return False;
 479 }
443 memcpy (attr->currentFilter, e, rep.currentNbytesFilter); 480 memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
444 attr->currentFilter[rep.currentNbytesFilter] = '\0'; 481 attr->currentFilter[rep.currentNbytesFilter] = '\0';
445 e += (rep.currentNbytesFilter + 3) & ~3; 482 e += (rep.currentNbytesFilter + 3) & ~3;
446 for (p = 0; p < rep.currentNparamsFilter; p++) { 483 for (p = 0; p < rep.currentNparamsFilter; p++) {
447 INT32 f; 484 INT32 f;
 485 if (e + 4 > end) {
 486 XFree (extra);
 487 return False;
 488 }
448 memcpy (&f, e, 4); 489 memcpy (&f, e, 4);
449 e += 4; 490 e += 4;
450 attr->currentParams[p] = (XFixed) f; 491 attr->currentParams[p] = (XFixed) f;
451 } 492 }
452 attr->currentNparams = rep.currentNparamsFilter; 493 attr->currentNparams = rep.currentNparamsFilter;
453 494
454 if (extra) 495 if (extra)
455 XFree (extra); 496 XFree (extra);
456 *attributes = attr; 497 *attributes = attr;
457 498
458 return True; 499 return True;
459} 500}
460 501
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXrandr/dist/src/XrrOutput.c (expand / switch to unified diff)

--- xsrc/external/mit/libXrandr/dist/src/XrrOutput.c 2009/03/10 04:20:44 1.1.1.2
+++ xsrc/external/mit/libXrandr/dist/src/XrrOutput.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -15,26 +15,27 @@ @@ -15,26 +15,27 @@
15 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 15 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
16 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 16 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
17 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 17 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
18 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 18 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
19 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 19 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
20 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 20 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
21 * OF THIS SOFTWARE. 21 * OF THIS SOFTWARE.
22 */ 22 */
23 23
24#ifdef HAVE_CONFIG_H 24#ifdef HAVE_CONFIG_H
25#include <config.h> 25#include <config.h>
26#endif 26#endif
27 27
 28#include <limits.h>
28#include <stdio.h> 29#include <stdio.h>
29#include <X11/Xlib.h> 30#include <X11/Xlib.h>
30/* we need to be able to manipulate the Display structure on events */ 31/* we need to be able to manipulate the Display structure on events */
31#include <X11/Xlibint.h> 32#include <X11/Xlibint.h>
32#include <X11/extensions/render.h> 33#include <X11/extensions/render.h>
33#include <X11/extensions/Xrender.h> 34#include <X11/extensions/Xrender.h>
34#include "Xrandrint.h" 35#include "Xrandrint.h"
35 36
36#define OutputInfoExtra (SIZEOF(xRRGetOutputInfoReply) - 32) 37#define OutputInfoExtra (SIZEOF(xRRGetOutputInfoReply) - 32)
37  38
38XRROutputInfo * 39XRROutputInfo *
39XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output) 40XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
40{ 41{
@@ -50,26 +51,32 @@ XRRGetOutputInfo (Display *dpy, XRRScree @@ -50,26 +51,32 @@ XRRGetOutputInfo (Display *dpy, XRRScree
50 GetReq (RRGetOutputInfo, req); 51 GetReq (RRGetOutputInfo, req);
51 req->reqType = info->codes->major_opcode; 52 req->reqType = info->codes->major_opcode;
52 req->randrReqType = X_RRGetOutputInfo; 53 req->randrReqType = X_RRGetOutputInfo;
53 req->output = output; 54 req->output = output;
54 req->configTimestamp = resources->configTimestamp; 55 req->configTimestamp = resources->configTimestamp;
55 56
56 if (!_XReply (dpy, (xReply *) &rep, OutputInfoExtra >> 2, xFalse)) 57 if (!_XReply (dpy, (xReply *) &rep, OutputInfoExtra >> 2, xFalse))
57 { 58 {
58 UnlockDisplay (dpy); 59 UnlockDisplay (dpy);
59 SyncHandle (); 60 SyncHandle ();
60 return NULL; 61 return NULL;
61 } 62 }
62 63
 64 if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
 65 {
 66 UnlockDisplay (dpy);
 67 SyncHandle ();
 68 return NULL;
 69 }
63 nbytes = ((long) (rep.length) << 2) - OutputInfoExtra; 70 nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
64 71
65 nbytesRead = (long) (rep.nCrtcs * 4 + 72 nbytesRead = (long) (rep.nCrtcs * 4 +
66 rep.nModes * 4 + 73 rep.nModes * 4 +
67 rep.nClones * 4 + 74 rep.nClones * 4 +
68 ((rep.nameLength + 3) & ~3)); 75 ((rep.nameLength + 3) & ~3));
69 76
70 /*  77 /*
71 * first we must compute how much space to allocate for  78 * first we must compute how much space to allocate for
72 * randr library's use; we'll allocate the structures in a single 79 * randr library's use; we'll allocate the structures in a single
73 * allocation, on cleanlyness grounds. 80 * allocation, on cleanlyness grounds.
74 */ 81 */
75 82
cvs diff -r1.1.1.2 -r1.1.1.2.2.1 xsrc/external/mit/libXrandr/dist/src/XrrScreen.c (expand / switch to unified diff)

--- xsrc/external/mit/libXrandr/dist/src/XrrScreen.c 2009/03/10 04:20:44 1.1.1.2
+++ xsrc/external/mit/libXrandr/dist/src/XrrScreen.c 2016/10/05 10:47:17 1.1.1.2.2.1
@@ -14,26 +14,27 @@ @@ -14,26 +14,27 @@
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE. 20 * OF THIS SOFTWARE.
21 */ 21 */
22 22
23#ifdef HAVE_CONFIG_H 23#ifdef HAVE_CONFIG_H
24#include <config.h> 24#include <config.h>
25#endif 25#endif
26 26
 27#include <limits.h>
27#include <stdio.h> 28#include <stdio.h>
28#include <X11/Xlib.h> 29#include <X11/Xlib.h>
29/* we need to be able to manipulate the Display structure on events */ 30/* we need to be able to manipulate the Display structure on events */
30#include <X11/Xlibint.h> 31#include <X11/Xlibint.h>
31#include <X11/extensions/render.h> 32#include <X11/extensions/render.h>
32#include <X11/extensions/Xrender.h> 33#include <X11/extensions/Xrender.h>
33#include "Xrandrint.h" 34#include "Xrandrint.h"
34 35
35/* 36/*
36 * this is cheating on the knowledge that the two requests are identical 37 * this is cheating on the knowledge that the two requests are identical
37 * but for the request number. 38 * but for the request number.
38 */ 39 */
39static XRRScreenResources * 40static XRRScreenResources *
@@ -95,47 +96,56 @@ doGetScreenResources (Display *dpy, Wind @@ -95,47 +96,56 @@ doGetScreenResources (Display *dpy, Wind
95 { 96 {
96 DeqAsyncHandler (dpy, &async); 97 DeqAsyncHandler (dpy, &async);
97 if (async_state.error) 98 if (async_state.error)
98 { 99 {
99 UnlockDisplay (dpy); 100 UnlockDisplay (dpy);
100 SyncHandle(); 101 SyncHandle();
101 LockDisplay (dpy); 102 LockDisplay (dpy);
102 } 103 }
103 xrri->major_version = async_state.major_version; 104 xrri->major_version = async_state.major_version;
104 xrri->minor_version = async_state.minor_version; 105 xrri->minor_version = async_state.minor_version;
105 xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version); 106 xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
106 } 107 }
107 108
108 nbytes = (long) rep.length << 2; 109 if (rep.length < INT_MAX >> 2) {
 110 nbytes = (long) rep.length << 2;
109 111
110 nbytesRead = (long) (rep.nCrtcs * 4 + 112 nbytesRead = (long) (rep.nCrtcs * 4 +
111 rep.nOutputs * 4 + 113 rep.nOutputs * 4 +
112 rep.nModes * SIZEOF (xRRModeInfo) + 114 rep.nModes * SIZEOF (xRRModeInfo) +
113 ((rep.nbytesNames + 3) & ~3)); 115 ((rep.nbytesNames + 3) & ~3));
114 116
115 /*  117 /*
116 * first we must compute how much space to allocate for  118 * first we must compute how much space to allocate for
117 * randr library's use; we'll allocate the structures in a single 119 * randr library's use; we'll allocate the structures in a single
118 * allocation, on cleanlyness grounds. 120 * allocation, on cleanlyness grounds.
119 */ 121 */
120 122
121 rbytes = (sizeof (XRRScreenResources) + 123 rbytes = (sizeof (XRRScreenResources) +
122 rep.nCrtcs * sizeof (RRCrtc) + 124 rep.nCrtcs * sizeof (RRCrtc) +
123 rep.nOutputs * sizeof (RROutput) + 125 rep.nOutputs * sizeof (RROutput) +
124 rep.nModes * sizeof (XRRModeInfo) + 126 rep.nModes * sizeof (XRRModeInfo) +
125 rep.nbytesNames + rep.nModes); /* '\0' terminate names */ 127 rep.nbytesNames + rep.nModes); /* '\0' terminate names */
 128
 129 xrsr = (XRRScreenResources *) Xmalloc(rbytes);
 130 wire_names = (char *) Xmalloc (rep.nbytesNames);
 131 } else {
 132 nbytes = 0;
 133 nbytesRead = 0;
 134 rbytes = 0;
 135 xrsr = NULL;
 136 wire_names = NULL;
 137 }
126 138
127 xrsr = (XRRScreenResources *) Xmalloc(rbytes); 
128 wire_names = (char *) Xmalloc (rep.nbytesNames); 
129 if (xrsr == NULL || wire_names == NULL) { 139 if (xrsr == NULL || wire_names == NULL) {
130 if (xrsr) Xfree (xrsr); 140 if (xrsr) Xfree (xrsr);
131 if (wire_names) Xfree (wire_names); 141 if (wire_names) Xfree (wire_names);
132 _XEatData (dpy, (unsigned long) nbytes); 142 _XEatData (dpy, (unsigned long) nbytes);
133 UnlockDisplay (dpy); 143 UnlockDisplay (dpy);
134 SyncHandle (); 144 SyncHandle ();
135 return NULL; 145 return NULL;
136 } 146 }
137 147
138 xrsr->timestamp = rep.timestamp; 148 xrsr->timestamp = rep.timestamp;
139 xrsr->configTimestamp = rep.configTimestamp; 149 xrsr->configTimestamp = rep.configTimestamp;
140 xrsr->ncrtc = rep.nCrtcs; 150 xrsr->ncrtc = rep.nCrtcs;
141 xrsr->crtcs = (RRCrtc *) (xrsr + 1); 151 xrsr->crtcs = (RRCrtc *) (xrsr + 1);
@@ -164,26 +174,34 @@ doGetScreenResources (Display *dpy, Wind @@ -164,26 +174,34 @@ doGetScreenResources (Display *dpy, Wind
164 xrsr->modes[i].vSyncEnd = modeInfo.vSyncEnd; 174 xrsr->modes[i].vSyncEnd = modeInfo.vSyncEnd;
165 xrsr->modes[i].vTotal = modeInfo.vTotal; 175 xrsr->modes[i].vTotal = modeInfo.vTotal;
166 xrsr->modes[i].nameLength = modeInfo.nameLength; 176 xrsr->modes[i].nameLength = modeInfo.nameLength;
167 xrsr->modes[i].modeFlags = modeInfo.modeFlags; 177 xrsr->modes[i].modeFlags = modeInfo.modeFlags;
168 } 178 }
169 179
170 /* 180 /*
171 * Read names and '\0' pad each one 181 * Read names and '\0' pad each one
172 */ 182 */
173 _XReadPad (dpy, wire_names, rep.nbytesNames); 183 _XReadPad (dpy, wire_names, rep.nbytesNames);
174 wire_name = wire_names; 184 wire_name = wire_names;
175 for (i = 0; i < rep.nModes; i++) { 185 for (i = 0; i < rep.nModes; i++) {
176 xrsr->modes[i].name = names; 186 xrsr->modes[i].name = names;
 187 if (xrsr->modes[i].nameLength > rep.nbytesNames) {
 188 Xfree (xrsr);
 189 Xfree (wire_names);
 190 UnlockDisplay (dpy);
 191 SyncHandle ();
 192 return NULL;
 193 }
 194 rep.nbytesNames -= xrsr->modes[i].nameLength;
177 memcpy (names, wire_name, xrsr->modes[i].nameLength); 195 memcpy (names, wire_name, xrsr->modes[i].nameLength);
178 names[xrsr->modes[i].nameLength] = '\0'; 196 names[xrsr->modes[i].nameLength] = '\0';
179 names += xrsr->modes[i].nameLength + 1; 197 names += xrsr->modes[i].nameLength + 1;
180 wire_name += xrsr->modes[i].nameLength; 198 wire_name += xrsr->modes[i].nameLength;
181 } 199 }
182 Xfree (wire_names); 200 Xfree (wire_names);
183  201
184 /* 202 /*
185 * Skip any extra data 203 * Skip any extra data
186 */ 204 */
187 if (nbytes > nbytesRead) 205 if (nbytes > nbytesRead)
188 _XEatData (dpy, (unsigned long) (nbytes - nbytesRead)); 206 _XEatData (dpy, (unsigned long) (nbytes - nbytesRead));
189  207
cvs diff -r1.1.1.3.2.1 -r1.1.1.3.2.2 xsrc/external/mit/libXrender/dist/src/Filter.c (expand / switch to unified diff)

--- xsrc/external/mit/libXrender/dist/src/Filter.c 2013/06/06 03:44:26 1.1.1.3.2.1
+++ xsrc/external/mit/libXrender/dist/src/Filter.c 2016/10/05 10:47:18 1.1.1.3.2.2
@@ -28,27 +28,27 @@ @@ -28,27 +28,27 @@
28#include <limits.h> 28#include <limits.h>
29  29
30XFilters * 30XFilters *
31XRenderQueryFilters (Display *dpy, Drawable drawable) 31XRenderQueryFilters (Display *dpy, Drawable drawable)
32{ 32{
33 XRenderExtDisplayInfo *info = XRenderFindDisplay (dpy); 33 XRenderExtDisplayInfo *info = XRenderFindDisplay (dpy);
34 XRenderInfo *xri; 34 XRenderInfo *xri;
35 xRenderQueryFiltersReq *req; 35 xRenderQueryFiltersReq *req;
36 xRenderQueryFiltersReply rep; 36 xRenderQueryFiltersReply rep;
37 XFilters *filters; 37 XFilters *filters;
38 char *name; 38 char *name;
39 char len; 39 char len;
40 int i; 40 int i;
41 unsigned long nbytes, nbytesAlias, nbytesName; 41 unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
42  42
43 if (!RenderHasExtension (info)) 43 if (!RenderHasExtension (info))
44 return NULL; 44 return NULL;
45 45
46 if (!XRenderQueryFormats (dpy)) 46 if (!XRenderQueryFormats (dpy))
47 return NULL; 47 return NULL;
48 48
49 xri = info->info; 49 xri = info->info;
50 if (xri->minor_version < 6) 50 if (xri->minor_version < 6)
51 return NULL; 51 return NULL;
52  52
53 LockDisplay (dpy); 53 LockDisplay (dpy);
54 GetReq (RenderQueryFilters, req); 54 GetReq (RenderQueryFilters, req);
@@ -104,37 +104,47 @@ XRenderQueryFilters (Display *dpy, Drawa @@ -104,37 +104,47 @@ XRenderQueryFilters (Display *dpy, Drawa
104 * nbytesName char strings 104 * nbytesName char strings
105 */ 105 */
106  106
107 filters->nfilter = rep.numFilters; 107 filters->nfilter = rep.numFilters;
108 filters->nalias = rep.numAliases; 108 filters->nalias = rep.numAliases;
109 filters->filter = (char **) (filters + 1); 109 filters->filter = (char **) (filters + 1);
110 filters->alias = (short *) (filters->filter + rep.numFilters); 110 filters->alias = (short *) (filters->filter + rep.numFilters);
111 name = (char *) (filters->alias + rep.numAliases); 111 name = (char *) (filters->alias + rep.numAliases);
112 112
113 /* 113 /*
114 * Read the filter aliases 114 * Read the filter aliases
115 */ 115 */
116 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); 116 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
 117 reply_left = 8 + rep.length - 2 * rep.numAliases;;
117 118
118 /* 119 /*
119 * Read the filter names 120 * Read the filter names
120 */ 121 */
121 for (i = 0; i < rep.numFilters; i++) 122 for (i = 0; i < rep.numFilters; i++)
122 { 123 {
123 int l; 124 int l;
124 _XRead (dpy, &len, 1); 125 _XRead (dpy, &len, 1);
 126 reply_left--;
125 l = len & 0xff; 127 l = len & 0xff;
 128 if ((unsigned long)l + 1 > nbytesName) {
 129 Xfree(filters);
 130 UnlockDisplay (dpy);
 131 SyncHandle ();
 132 return NULL;
 133 }
 134 nbytesName -= l + 1;
126 filters->filter[i] = name; 135 filters->filter[i] = name;
127 _XRead (dpy, name, l); 136 _XRead (dpy, name, l);
 137 reply_left -= l;
128 name[l] = '\0'; 138 name[l] = '\0';
129 name += l + 1; 139 name += l + 1;
130 } 140 }
131 i = name - (char *) (filters->alias + rep.numAliases); 141 i = name - (char *) (filters->alias + rep.numAliases);
132 142
133 if (i & 3) 143 if (i & 3)
134 _XEatData (dpy, 4 - (i & 3)); 144 _XEatData (dpy, 4 - (i & 3));
135  145
136 UnlockDisplay (dpy); 146 UnlockDisplay (dpy);
137 SyncHandle (); 147 SyncHandle ();
138 return filters; 148 return filters;
139} 149}
140 150
cvs diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXrender/dist/src/Xrender.c (expand / switch to unified diff)

--- xsrc/external/mit/libXrender/dist/src/Xrender.c 2013/06/06 03:44:26 1.1.1.2.2.1
+++ xsrc/external/mit/libXrender/dist/src/Xrender.c 2016/10/05 10:47:18 1.1.1.2.2.2
@@ -522,32 +522,48 @@ XRenderQueryFormats (Display *dpy) @@ -522,32 +522,48 @@ XRenderQueryFormats (Display *dpy)
522 xFormat++; 522 xFormat++;
523 } 523 }
524 xScreen = (xPictScreen *) xFormat; 524 xScreen = (xPictScreen *) xFormat;
525 screen = xri->screen; 525 screen = xri->screen;
526 depth = xri->depth; 526 depth = xri->depth;
527 visual = xri->visual; 527 visual = xri->visual;
528 for (ns = 0; ns < xri->nscreen; ns++) 528 for (ns = 0; ns < xri->nscreen; ns++)
529 { 529 {
530 screen->depths = depth; 530 screen->depths = depth;
531 screen->ndepths = xScreen->nDepth; 531 screen->ndepths = xScreen->nDepth;
532 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); 532 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
533 screen->subpixel = SubPixelUnknown; 533 screen->subpixel = SubPixelUnknown;
534 xDepth = (xPictDepth *) (xScreen + 1); 534 xDepth = (xPictDepth *) (xScreen + 1);
 535 if (screen->ndepths > rep.numDepths) {
 536 Xfree (xri);
 537 Xfree (xData);
 538 UnlockDisplay (dpy);
 539 SyncHandle ();
 540 return 0;
 541 }
 542 rep.numDepths -= screen->ndepths;
535 for (nd = 0; nd < screen->ndepths; nd++) 543 for (nd = 0; nd < screen->ndepths; nd++)
536 { 544 {
537 depth->depth = xDepth->depth; 545 depth->depth = xDepth->depth;
538 depth->nvisuals = xDepth->nPictVisuals; 546 depth->nvisuals = xDepth->nPictVisuals;
539 depth->visuals = visual; 547 depth->visuals = visual;
540 xVisual = (xPictVisual *) (xDepth + 1); 548 xVisual = (xPictVisual *) (xDepth + 1);
 549 if (depth->nvisuals > rep.numVisuals) {
 550 Xfree (xri);
 551 Xfree (xData);
 552 UnlockDisplay (dpy);
 553 SyncHandle ();
 554 return 0;
 555 }
 556 rep.numVisuals -= depth->nvisuals;
541 for (nv = 0; nv < depth->nvisuals; nv++) 557 for (nv = 0; nv < depth->nvisuals; nv++)
542 { 558 {
543 visual->visual = _XRenderFindVisual (dpy, xVisual->visual); 559 visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
544 visual->format = _XRenderFindFormat (xri, xVisual->format); 560 visual->format = _XRenderFindFormat (xri, xVisual->format);
545 visual++; 561 visual++;
546 xVisual++; 562 xVisual++;
547 } 563 }
548 depth++; 564 depth++;
549 xDepth = (xPictDepth *) xVisual; 565 xDepth = (xPictDepth *) xVisual;
550 } 566 }
551 screen++; 567 screen++;
552 xScreen = (xPictScreen *) xDepth;  568 xScreen = (xPictScreen *) xDepth;
553 } 569 }
cvs diff -r1.1.1.3 -r1.1.1.3.2.1 xsrc/external/mit/libXtst/dist/src/XRecord.c (expand / switch to unified diff)

--- xsrc/external/mit/libXtst/dist/src/XRecord.c 2010/11/21 05:48:49 1.1.1.3
+++ xsrc/external/mit/libXtst/dist/src/XRecord.c 2016/10/05 10:47:18 1.1.1.3.2.1
@@ -40,26 +40,27 @@ from The Open Group. @@ -40,26 +40,27 @@ from The Open Group.
40 * NETWORK COMPUTING DEVICES DISCLAIMs ALL WARRANTIES WITH REGARD TO 40 * NETWORK COMPUTING DEVICES DISCLAIMs ALL WARRANTIES WITH REGARD TO
41 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 41 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
42 * AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE 42 * AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE
43 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 43 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
44 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 44 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
45 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 45 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
46 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 46 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
47 **************************************************************************/ 47 **************************************************************************/
48/* 48/*
49 * By Stephen Gildea, X Consortium, and Martha Zimet, NCD. 49 * By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
50 */ 50 */
51 51
52#include <stdio.h> 52#include <stdio.h>
 53#include <limits.h>
53#include <assert.h> 54#include <assert.h>
54#include <X11/Xlibint.h> 55#include <X11/Xlibint.h>
55#include <X11/extensions/Xext.h> 56#include <X11/extensions/Xext.h>
56#include <X11/extensions/extutil.h> 57#include <X11/extensions/extutil.h>
57#include <X11/extensions/recordproto.h> 58#include <X11/extensions/recordproto.h>
58#include <X11/extensions/record.h> 59#include <X11/extensions/record.h>
59 60
60static XExtensionInfo _xrecord_info_data; 61static XExtensionInfo _xrecord_info_data;
61static XExtensionInfo *xrecord_info = &_xrecord_info_data; 62static XExtensionInfo *xrecord_info = &_xrecord_info_data;
62static /* const */ char *xrecord_extension_name = RECORD_NAME; 63static /* const */ char *xrecord_extension_name = RECORD_NAME;
63 64
64#define XRecordCheckExtension(dpy,i,val) \ 65#define XRecordCheckExtension(dpy,i,val) \
65 XextCheckExtension(dpy, i, xrecord_extension_name, val) 66 XextCheckExtension(dpy, i, xrecord_extension_name, val)
@@ -729,89 +730,118 @@ parse_reply_call_callback( @@ -729,89 +730,118 @@ parse_reply_call_callback(
729 return Error; 730 return Error;
730  731
731 data->id_base = rep->idBase; 732 data->id_base = rep->idBase;
732 data->category = rep->category; 733 data->category = rep->category;
733 data->client_swapped = rep->clientSwapped; 734 data->client_swapped = rep->clientSwapped;
734 data->server_time = rep->serverTime; 735 data->server_time = rep->serverTime;
735 data->client_seq = rep->recordedSequenceNumber; 736 data->client_seq = rep->recordedSequenceNumber;
736 /* 737 /*
737 * compute the size of this protocol element. 738 * compute the size of this protocol element.
738 */ 739 */
739 switch (rep->category) { 740 switch (rep->category) {
740 case XRecordFromServer: 741 case XRecordFromServer:
741 if (rep->elementHeader&XRecordFromServerTime) { 742 if (rep->elementHeader&XRecordFromServerTime) {
 743 if (current_index + 4 > rep->length << 2)
 744 return Error;
742 EXTRACT_CARD32(rep->clientSwapped, 745 EXTRACT_CARD32(rep->clientSwapped,
743 reply->buf+current_index, 746 reply->buf+current_index,
744 data->server_time); 747 data->server_time);
745 current_index += 4; 748 current_index += 4;
746 } 749 }
 750 if (current_index + 1 > rep->length << 2)
 751 return Error;
747 switch (reply->buf[current_index]) { 752 switch (reply->buf[current_index]) {
748 case X_Reply: /* reply */ 753 case X_Reply: /* reply */
 754 if (current_index + 8 > rep->length << 2)
 755 return Error;
749 EXTRACT_CARD32(rep->clientSwapped, 756 EXTRACT_CARD32(rep->clientSwapped,
750 reply->buf+current_index+4, datum_bytes); 757 reply->buf+current_index+4, datum_bytes);
 758 if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
 759 return Error;
751 datum_bytes = (datum_bytes+8) << 2; 760 datum_bytes = (datum_bytes+8) << 2;
752 break; 761 break;
753 default: /* error or event */ 762 default: /* error or event */
754 datum_bytes = 32; 763 datum_bytes = 32;
755 } 764 }
756 break; 765 break;
757 case XRecordFromClient: 766 case XRecordFromClient:
758 if (rep->elementHeader&XRecordFromClientTime) { 767 if (rep->elementHeader&XRecordFromClientTime) {
 768 if (current_index + 4 > rep->length << 2)
 769 return Error;
759 EXTRACT_CARD32(rep->clientSwapped, 770 EXTRACT_CARD32(rep->clientSwapped,
760 reply->buf+current_index, 771 reply->buf+current_index,
761 data->server_time); 772 data->server_time);
762 current_index += 4; 773 current_index += 4;
763 } 774 }
764 if (rep->elementHeader&XRecordFromClientSequence) { 775 if (rep->elementHeader&XRecordFromClientSequence) {
 776 if (current_index + 4 > rep->length << 2)
 777 return Error;
765 EXTRACT_CARD32(rep->clientSwapped, 778 EXTRACT_CARD32(rep->clientSwapped,
766 reply->buf+current_index, 779 reply->buf+current_index,
767 data->client_seq); 780 data->client_seq);
768 current_index += 4; 781 current_index += 4;
769 } 782 }
 783 if (current_index + 4 > rep->length<<2)
 784 return Error;
770 if (reply->buf[current_index+2] == 0 785 if (reply->buf[current_index+2] == 0
771 && reply->buf[current_index+3] == 0) /* needn't swap 0 */ 786 && reply->buf[current_index+3] == 0) /* needn't swap 0 */
772 { /* BIG-REQUESTS */ 787 { /* BIG-REQUESTS */
 788 if (current_index + 8 > rep->length << 2)
 789 return Error;
773 EXTRACT_CARD32(rep->clientSwapped, 790 EXTRACT_CARD32(rep->clientSwapped,
774 reply->buf+current_index+4, datum_bytes); 791 reply->buf+current_index+4, datum_bytes);
775 } else { 792 } else {
776 EXTRACT_CARD16(rep->clientSwapped, 793 EXTRACT_CARD16(rep->clientSwapped,
777 reply->buf+current_index+2, datum_bytes); 794 reply->buf+current_index+2, datum_bytes);
778 } 795 }
 796 if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
 797 return Error;
779 datum_bytes <<= 2; 798 datum_bytes <<= 2;
780 break; 799 break;
781 case XRecordClientStarted: 800 case XRecordClientStarted:
 801 if (current_index + 8 > rep->length << 2)
 802 return Error;
782 EXTRACT_CARD16(rep->clientSwapped, 803 EXTRACT_CARD16(rep->clientSwapped,
783 reply->buf+current_index+6, datum_bytes); 804 reply->buf+current_index+6, datum_bytes);
784 datum_bytes = (datum_bytes+2) << 2; 805 datum_bytes = (datum_bytes+2) << 2;
785 break; 806 break;
786 case XRecordClientDied: 807 case XRecordClientDied:
787 if (rep->elementHeader&XRecordFromClientSequence) { 808 if (rep->elementHeader&XRecordFromClientSequence) {
 809 if (current_index + 4 > rep->length << 2)
 810 return Error;
788 EXTRACT_CARD32(rep->clientSwapped, 811 EXTRACT_CARD32(rep->clientSwapped,
789 reply->buf+current_index, 812 reply->buf+current_index,
790 data->client_seq); 813 data->client_seq);
791 current_index += 4; 814 current_index += 4;
792 } 815 } else if (current_index < rep->length << 2)
793 /* fall through */ 816 return Error;
 817 datum_bytes = 0;
 818 break;
794 case XRecordStartOfData: 819 case XRecordStartOfData:
795 case XRecordEndOfData: 820 case XRecordEndOfData:
 821 if (current_index < rep->length << 2)
 822 return Error;
796 datum_bytes = 0; 823 datum_bytes = 0;
 824 break;
797 } 825 }
798  826
799 if (datum_bytes > 0) { 827 if (datum_bytes > 0) {
800 if (current_index + datum_bytes > rep->length << 2) 828 if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
801 fprintf(stderr, 829 fprintf(stderr,
802 "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", 830 "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
803 (long)rep->length << 2, current_index + datum_bytes, 831 (unsigned long)rep->length << 2, current_index + datum_bytes,
804 dpy->last_request_read); 832 dpy->last_request_read);
 833 return Error;
 834 }
805 /* 835 /*
806 * This assignment (and indeed the whole buffer sharing 836 * This assignment (and indeed the whole buffer sharing
807 * scheme) assumes arbitrary 4-byte boundaries are 837 * scheme) assumes arbitrary 4-byte boundaries are
808 * addressable.  838 * addressable.
809 */ 839 */
810 data->data = reply->buf+current_index; 840 data->data = reply->buf+current_index;
811 reply->ref_count++; 841 reply->ref_count++;
812 } else { 842 } else {
813 data->data = NULL; 843 data->data = NULL;
814 } 844 }
815 data->data_len = datum_bytes >> 2; 845 data->data_len = datum_bytes >> 2;
816  846
817 (*callback)(closure, data); 847 (*callback)(closure, data);
@@ -843,26 +873,32 @@ XRecordEnableContext(Display *dpy, XReco @@ -843,26 +873,32 @@ XRecordEnableContext(Display *dpy, XReco
843 req->recordReqType = X_RecordEnableContext; 873 req->recordReqType = X_RecordEnableContext;
844 req->context = context; 874 req->context = context;
845 875
846 while (1) 876 while (1)
847 { 877 {
848 /* This code should match that in XRecordEnableContextAsync */ 878 /* This code should match that in XRecordEnableContextAsync */
849 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) 879 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse))
850 { 880 {
851 UnlockDisplay(dpy); 881 UnlockDisplay(dpy);
852 SyncHandle(); 882 SyncHandle();
853 return 0; 883 return 0;
854 } 884 }
855 885
 886 if (rep.length > INT_MAX >> 2) {
 887 UnlockDisplay(dpy);
 888 SyncHandle();
 889 return 0;
 890 }
 891
856 if (rep.length > 0) { 892 if (rep.length > 0) {
857 reply = alloc_reply_buffer(info, rep.length<<2); 893 reply = alloc_reply_buffer(info, rep.length<<2);
858 if (!reply) { 894 if (!reply) {
859 UnlockDisplay(dpy); 895 UnlockDisplay(dpy);
860 SyncHandle(); 896 SyncHandle();
861 return 0; 897 return 0;
862 } 898 }
863 _XRead (dpy, (char *)reply->buf, rep.length<<2); 899 _XRead (dpy, (char *)reply->buf, rep.length<<2);
864 } else { 900 } else {
865 reply = NULL; 901 reply = NULL;
866 } 902 }
867 903
868 status = parse_reply_call_callback(dpy, info, &rep, reply, 904 status = parse_reply_call_callback(dpy, info, &rep, reply,
cvs diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXv/dist/src/Xv.c (expand / switch to unified diff)

--- xsrc/external/mit/libXv/dist/src/Xv.c 2013/06/06 03:44:26 1.1.1.2.2.1
+++ xsrc/external/mit/libXv/dist/src/Xv.c 2016/10/05 10:47:18 1.1.1.2.2.2
@@ -142,61 +142,66 @@ XvQueryExtension( @@ -142,61 +142,66 @@ XvQueryExtension(
142 142
143int 143int
144XvQueryAdaptors( 144XvQueryAdaptors(
145 Display *dpy, 145 Display *dpy,
146 Window window, 146 Window window,
147 unsigned int *p_nAdaptors, 147 unsigned int *p_nAdaptors,
148 XvAdaptorInfo **p_pAdaptors 148 XvAdaptorInfo **p_pAdaptors
149){ 149){
150 XExtDisplayInfo *info = xv_find_display(dpy); 150 XExtDisplayInfo *info = xv_find_display(dpy);
151 xvQueryAdaptorsReq *req; 151 xvQueryAdaptorsReq *req;
152 xvQueryAdaptorsReply rep; 152 xvQueryAdaptorsReply rep;
153 int size,ii,jj; 153 int size,ii,jj;
154 char *name; 154 char *name;
 155 char *end;
155 XvAdaptorInfo *pas, *pa; 156 XvAdaptorInfo *pas, *pa;
156 XvFormat *pfs, *pf; 157 XvFormat *pfs, *pf;
157 char *buffer; 158 char *buffer;
 159 int status;
158 union  160 union
159 { 161 {
160 char *buffer; 162 char *buffer;
161 char *string; 163 char *string;
162 xvAdaptorInfo *pa; 164 xvAdaptorInfo *pa;
163 xvFormat *pf; 165 xvFormat *pf;
164 } u; 166 } u;
165  167
166 XvCheckExtension(dpy, info, XvBadExtension); 168 XvCheckExtension(dpy, info, XvBadExtension);
167 169
168 LockDisplay(dpy); 170 LockDisplay(dpy);
169 171
170 XvGetReq(QueryAdaptors, req); 172 XvGetReq(QueryAdaptors, req);
171 req->window = window; 173 req->window = window;
172 174
173 /* READ THE REPLY */ 175 /* READ THE REPLY */
174 176
175 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { 177 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) {
176 UnlockDisplay(dpy); 178 UnlockDisplay(dpy);
177 SyncHandle(); 179 SyncHandle();
178 return(XvBadReply); 180 return(XvBadReply);
179 } 181 }
180 182
181 size = rep.length << 2; 183 size = rep.length << 2;
182 if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { 184 if (size > 0) {
 185 if ((buffer = Xmalloc(size)) == NULL) {
183 UnlockDisplay(dpy); 186 UnlockDisplay(dpy);
184 SyncHandle(); 187 SyncHandle();
185 return(XvBadAlloc); 188 return(XvBadAlloc);
 189 }
 190 _XRead(dpy, buffer, (long) size);
186 } 191 }
187 _XRead (dpy, buffer, size); 
188 192
189 u.buffer = buffer; 193 u.buffer = buffer;
 194 end = buffer + size;
190 195
191 /* GET INPUT ADAPTORS */ 196 /* GET INPUT ADAPTORS */
192 197
193 if (rep.num_adaptors == 0) { 198 if (rep.num_adaptors == 0) {
194 pas = NULL; 199 pas = NULL;
195 } else { 200 } else {
196 size = rep.num_adaptors*sizeof(XvAdaptorInfo); 201 size = rep.num_adaptors*sizeof(XvAdaptorInfo);
197 if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) { 202 if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) {
198 Xfree(buffer); 203 Xfree(buffer);
199 UnlockDisplay(dpy); 204 UnlockDisplay(dpy);
200 SyncHandle(); 205 SyncHandle();
201 return(XvBadAlloc); 206 return(XvBadAlloc);
202 } 207 }
@@ -204,37 +209,46 @@ XvQueryAdaptors( @@ -204,37 +209,46 @@ XvQueryAdaptors(
204 209
205 /* INIT ADAPTOR FIELDS */ 210 /* INIT ADAPTOR FIELDS */
206 211
207 pa = pas; 212 pa = pas;
208 for (ii=0; ii<rep.num_adaptors; ii++) { 213 for (ii=0; ii<rep.num_adaptors; ii++) {
209 pa->num_adaptors = 0; 214 pa->num_adaptors = 0;
210 pa->name = (char *)NULL; 215 pa->name = (char *)NULL;
211 pa->formats = (XvFormat *)NULL; 216 pa->formats = (XvFormat *)NULL;
212 pa++; 217 pa++;
213 } 218 }
214 219
215 pa = pas; 220 pa = pas;
216 for (ii=0; ii<rep.num_adaptors; ii++) { 221 for (ii=0; ii<rep.num_adaptors; ii++) {
 222 if (u.buffer + sz_xvAdaptorInfo > end) {
 223 status = XvBadReply;
 224 goto out;
 225 }
217 pa->type = u.pa->type; 226 pa->type = u.pa->type;
218 pa->base_id = u.pa->base_id; 227 pa->base_id = u.pa->base_id;
219 pa->num_ports = u.pa->num_ports; 228 pa->num_ports = u.pa->num_ports;
220 pa->num_formats = u.pa->num_formats; 229 pa->num_formats = u.pa->num_formats;
221 pa->num_adaptors = rep.num_adaptors - ii; 230 pa->num_adaptors = rep.num_adaptors - ii;
222 231
223 /* GET ADAPTOR NAME */ 232 /* GET ADAPTOR NAME */
224 233
225 size = u.pa->name_size; 234 size = u.pa->name_size;
226 u.buffer += (sz_xvAdaptorInfo + 3) & ~3; 235 u.buffer += (sz_xvAdaptorInfo + 3) & ~3;
227 236
 237 if (u.buffer + size > end) {
 238 status = XvBadReply;
 239 goto out;
 240 }
 241
228 if ( (name = (char *)Xmalloc(size+1)) == NULL) 242 if ( (name = (char *)Xmalloc(size+1)) == NULL)
229 { 243 {
230 XvFreeAdaptorInfo(pas); 244 XvFreeAdaptorInfo(pas);
231 Xfree(buffer); 245 Xfree(buffer);
232 UnlockDisplay(dpy); 246 UnlockDisplay(dpy);
233 SyncHandle(); 247 SyncHandle();
234 return(XvBadAlloc); 248 return(XvBadAlloc);
235 } 249 }
236 (void)strncpy(name, u.string, size); 250 (void)strncpy(name, u.string, size);
237 name[size] = '\0'; 251 name[size] = '\0';
238 pa->name = name; 252 pa->name = name;
239 253
240 u.buffer += (size + 3) & ~3; 254 u.buffer += (size + 3) & ~3;
@@ -242,47 +256,55 @@ XvQueryAdaptors( @@ -242,47 +256,55 @@ XvQueryAdaptors(
242 /* GET FORMATS */ 256 /* GET FORMATS */
243 257
244 size = pa->num_formats*sizeof(XvFormat); 258 size = pa->num_formats*sizeof(XvFormat);
245 if ((pfs=(XvFormat *)Xmalloc(size))==NULL) { 259 if ((pfs=(XvFormat *)Xmalloc(size))==NULL) {
246 XvFreeAdaptorInfo(pas); 260 XvFreeAdaptorInfo(pas);
247 Xfree(buffer); 261 Xfree(buffer);
248 UnlockDisplay(dpy); 262 UnlockDisplay(dpy);
249 SyncHandle(); 263 SyncHandle();
250 return(XvBadAlloc); 264 return(XvBadAlloc);
251 } 265 }
252 266
253 pf = pfs; 267 pf = pfs;
254 for (jj=0; jj<pa->num_formats; jj++) { 268 for (jj=0; jj<pa->num_formats; jj++) {
 269 if (u.buffer + sz_xvFormat > end) {
 270 Xfree(pfs);
 271 status = XvBadReply;
 272 goto out;
 273 }
255 pf->depth = u.pf->depth; 274 pf->depth = u.pf->depth;
256 pf->visual_id = u.pf->visual; 275 pf->visual_id = u.pf->visual;
257 pf++; 276 pf++;
258  277
259 u.buffer += (sz_xvFormat + 3) & ~3; 278 u.buffer += (sz_xvFormat + 3) & ~3;
260 } 279 }
261 280
262 pa->formats = pfs; 281 pa->formats = pfs;
263 282
264 pa++; 283 pa++;
265 284
266 } 285 }
267 286
268 *p_nAdaptors = rep.num_adaptors; 287 *p_nAdaptors = rep.num_adaptors;
269 *p_pAdaptors = pas; 288 *p_pAdaptors = pas;
270 289
 290 status = Success;
 291
 292out:
271 Xfree(buffer); 293 Xfree(buffer);
272 UnlockDisplay(dpy); 294 UnlockDisplay(dpy);
273 SyncHandle(); 295 SyncHandle();
274 296
275 return (Success); 297 return (status);
276} 298}
277 299
278 300
279void 301void
280XvFreeAdaptorInfo(XvAdaptorInfo *pAdaptors) 302XvFreeAdaptorInfo(XvAdaptorInfo *pAdaptors)
281{ 303{
282 304
283 XvAdaptorInfo *pa; 305 XvAdaptorInfo *pa;
284 int ii; 306 int ii;
285 307
286 if (!pAdaptors) return; 308 if (!pAdaptors) return;
287 309
288 pa = pAdaptors; 310 pa = pAdaptors;
@@ -304,114 +326,130 @@ XvFreeAdaptorInfo(XvAdaptorInfo *pAdapto @@ -304,114 +326,130 @@ XvFreeAdaptorInfo(XvAdaptorInfo *pAdapto
304 326
305int 327int
306XvQueryEncodings( 328XvQueryEncodings(
307 Display *dpy, 329 Display *dpy,
308 XvPortID port, 330 XvPortID port,
309 unsigned int *p_nEncodings, 331 unsigned int *p_nEncodings,
310 XvEncodingInfo **p_pEncodings 332 XvEncodingInfo **p_pEncodings
311){ 333){
312 XExtDisplayInfo *info = xv_find_display(dpy); 334 XExtDisplayInfo *info = xv_find_display(dpy);
313 xvQueryEncodingsReq *req; 335 xvQueryEncodingsReq *req;
314 xvQueryEncodingsReply rep; 336 xvQueryEncodingsReply rep;
315 int size, jj; 337 int size, jj;
316 char *name; 338 char *name;
 339 char *end;
 340 int status;
317 XvEncodingInfo *pes, *pe; 341 XvEncodingInfo *pes, *pe;
318 char *buffer; 342 char *buffer;
319 union  343 union
320 { 344 {
321 char *buffer; 345 char *buffer;
322 char *string; 346 char *string;
323 xvEncodingInfo *pe; 347 xvEncodingInfo *pe;
324 } u; 348 } u;
325  349
326 XvCheckExtension(dpy, info, XvBadExtension); 350 XvCheckExtension(dpy, info, XvBadExtension);
327 351
328 LockDisplay(dpy); 352 LockDisplay(dpy);
329 353
330 XvGetReq(QueryEncodings, req); 354 XvGetReq(QueryEncodings, req);
331 req->port = port; 355 req->port = port;
332 356
333 /* READ THE REPLY */ 357 /* READ THE REPLY */
334 358
335 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { 359 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) {
336 UnlockDisplay(dpy); 360 UnlockDisplay(dpy);
337 SyncHandle(); 361 SyncHandle();
338 return(XvBadReply); 362 return(XvBadReply);
339 } 363 }
340 364
341 size = rep.length << 2; 365 size = rep.length << 2;
342 if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { 366 if (size > 0) {
 367 if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) {
343 UnlockDisplay(dpy); 368 UnlockDisplay(dpy);
344 SyncHandle(); 369 SyncHandle();
345 return(XvBadAlloc); 370 return(XvBadAlloc);
 371 }
 372 _XRead (dpy, buffer, size);
346 } 373 }
347 _XRead (dpy, buffer, size); 
348 374
349 u.buffer = buffer; 375 u.buffer = buffer;
 376 end = buffer + size;
350 377
351 /* GET ENCODINGS */ 378 /* GET ENCODINGS */
352 379
353 size = rep.num_encodings*sizeof(XvEncodingInfo); 380 size = rep.num_encodings*sizeof(XvEncodingInfo);
354 if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) { 381 if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) {
355 Xfree(buffer); 382 Xfree(buffer);
356 UnlockDisplay(dpy); 383 UnlockDisplay(dpy);
357 SyncHandle(); 384 SyncHandle();
358 return(XvBadAlloc); 385 return(XvBadAlloc);
359 } 386 }
360 387
361 /* INITIALIZE THE ENCODING POINTER */ 388 /* INITIALIZE THE ENCODING POINTER */
362 389
363 pe = pes; 390 pe = pes;
364 for (jj=0; jj<rep.num_encodings; jj++) { 391 for (jj=0; jj<rep.num_encodings; jj++) {
365 pe->name = (char *)NULL; 392 pe->name = (char *)NULL;
366 pe->num_encodings = 0; 393 pe->num_encodings = 0;
367 pe++; 394 pe++;
368 } 395 }
369 396
370 pe = pes; 397 pe = pes;
371 for (jj=0; jj<rep.num_encodings; jj++) { 398 for (jj=0; jj<rep.num_encodings; jj++) {
 399 if (u.buffer + sz_xvEncodingInfo > end) {
 400 status = XvBadReply;
 401 goto out;
 402 }
372 pe->encoding_id = u.pe->encoding; 403 pe->encoding_id = u.pe->encoding;
373 pe->width = u.pe->width; 404 pe->width = u.pe->width;
374 pe->height = u.pe->height; 405 pe->height = u.pe->height;
375 pe->rate.numerator = u.pe->rate.numerator; 406 pe->rate.numerator = u.pe->rate.numerator;
376 pe->rate.denominator = u.pe->rate.denominator; 407 pe->rate.denominator = u.pe->rate.denominator;
377 pe->num_encodings = rep.num_encodings - jj; 408 pe->num_encodings = rep.num_encodings - jj;
378 409
379 size = u.pe->name_size; 410 size = u.pe->name_size;
380 u.buffer += (sz_xvEncodingInfo + 3) & ~3; 411 u.buffer += (sz_xvEncodingInfo + 3) & ~3;
381 412
 413 if (u.buffer + size > end) {
 414 status = XvBadReply;
 415 goto out;
 416 }
382 if ( (name = (char *)Xmalloc(size+1)) == NULL) { 417 if ( (name = (char *)Xmalloc(size+1)) == NULL) {
383 XvFreeEncodingInfo(pes); 418 XvFreeEncodingInfo(pes);
384 Xfree(buffer); 419 Xfree(buffer);
385 UnlockDisplay(dpy); 420 UnlockDisplay(dpy);
386 SyncHandle(); 421 SyncHandle();
387 return(XvBadAlloc); 422 return(XvBadAlloc);
388 } 423 }
389 strncpy(name, u.string, size); 424 strncpy(name, u.string, size);
390 name[size] = '\0'; 425 name[size] = '\0';
391 pe->name = name; 426 pe->name = name;
392 pe++; 427 pe++;
393 428
394 u.buffer += (size + 3) & ~3; 429 u.buffer += (size + 3) & ~3;
395 } 430 }
396 431
397 *p_nEncodings = rep.num_encodings; 432 *p_nEncodings = rep.num_encodings;
398 *p_pEncodings = pes; 433 *p_pEncodings = pes;
399 434
 435 status = Success;
 436
 437out:
400 Xfree(buffer); 438 Xfree(buffer);
401 UnlockDisplay(dpy); 439 UnlockDisplay(dpy);
402 SyncHandle(); 440 SyncHandle();
403 441
404 return (Success); 442 return (status);
405} 443}
406 444
407void 445void
408XvFreeEncodingInfo(XvEncodingInfo *pEncodings) 446XvFreeEncodingInfo(XvEncodingInfo *pEncodings)
409{ 447{
410 448
411 XvEncodingInfo *pe; 449 XvEncodingInfo *pe;
412 int ii; 450 int ii;
413 451
414 if (!pEncodings) return; 452 if (!pEncodings) return;
415 453
416 pe = pEncodings; 454 pe = pEncodings;
417 455
cvs diff -r1.1.1.2.2.1 -r1.1.1.2.2.2 xsrc/external/mit/libXvMC/dist/src/XvMC.c (expand / switch to unified diff)

--- xsrc/external/mit/libXvMC/dist/src/XvMC.c 2013/06/06 03:44:26 1.1.1.2.2.1
+++ xsrc/external/mit/libXvMC/dist/src/XvMC.c 2016/10/05 10:47:18 1.1.1.2.2.2
@@ -562,29 +562,29 @@ Status XvMCGetDRInfo(Display *dpy, XvPor @@ -562,29 +562,29 @@ Status XvMCGetDRInfo(Display *dpy, XvPor
562 if (rep.length < (INT_MAX >> 2)) { 562 if (rep.length < (INT_MAX >> 2)) {
563 realSize = rep.length << 2; 563 realSize = rep.length << 2;
564 if (realSize >= (rep.nameLen + rep.busIDLen)) { 564 if (realSize >= (rep.nameLen + rep.busIDLen)) {
565 tmpBuf = Xmalloc(realSize); 565 tmpBuf = Xmalloc(realSize);
566 *name = Xmalloc(rep.nameLen); 566 *name = Xmalloc(rep.nameLen);
567 *busID = Xmalloc(rep.busIDLen); 567 *busID = Xmalloc(rep.busIDLen);
568 568
569 }  569 }
570 } 570 }
571 571
572 if (*name && *busID && tmpBuf) { 572 if (*name && *busID && tmpBuf) {
573 _XRead(dpy, tmpBuf, realSize); 573 _XRead(dpy, tmpBuf, realSize);
574 strncpy(*name,tmpBuf,rep.nameLen); 574 strncpy(*name,tmpBuf,rep.nameLen);
575 name[rep.nameLen - 1] = '\0'; 575 (*name)[rep.nameLen == 0 ? 0 : rep.nameLen - 1] = '\0';
576 strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); 576 strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
577 busID[rep.busIDLen - 1] = '\0'; 577 busID[rep.busIDLen == 0 ? 0 : rep.busIDLen - 1] = '\0';
578 XFree(tmpBuf); 578 XFree(tmpBuf);
579 } else { 579 } else {
580 XFree(*name); 580 XFree(*name);
581 *name = NULL; 581 *name = NULL;
582 XFree(*busID); 582 XFree(*busID);
583 *name = NULL; 583 *name = NULL;
584 XFree(tmpBuf); 584 XFree(tmpBuf);
585 585
586 _XEatData(dpy, realSize); 586 _XEatData(dpy, realSize);
587 UnlockDisplay (dpy); 587 UnlockDisplay (dpy);
588 SyncHandle (); 588 SyncHandle ();
589 return -1; 589 return -1;
590 590