Wed Oct 5 10:48:27 2016 UTC ()
Apply patch, requested my mrg in ticket 1411:
	xsrc/xfree/xc/lib/X11/FontNames.c		patch
	xsrc/xfree/xc/lib/X11/GetImage.c		patch
	xsrc/xfree/xc/lib/X11/ListExt.c			patch
	xsrc/xfree/xc/lib/X11/ModMap.c			patch
	xsrc/xfree/xc/lib/X11/Xlibint.h			patch
	xsrc/xfree/xc/lib/Xi/XGMotion.c			patch
	xsrc/xfree/xc/lib/Xi/XGetBMap.c			patch
	xsrc/xfree/xc/lib/Xi/XGetDCtl.c			patch
	xsrc/xfree/xc/lib/Xi/XGetFCtl.c			patch
	xsrc/xfree/xc/lib/Xi/XGetKMap.c			patch
	xsrc/xfree/xc/lib/Xi/XGetMMap.c			patch
	xsrc/xfree/xc/lib/Xi/XOpenDev.c			patch
	xsrc/xfree/xc/lib/Xi/XQueryDv.c			patch
	xsrc/xfree/xc/lib/Xrender/Filter.c		patch
	xsrc/xfree/xc/lib/Xrender/Xrender.c		patch
	xsrc/xfree/xc/lib/Xtst/XRecord.c		patch
	xsrc/xfree/xc/lib/Xv/Xv.c			patch
	xsrc/xfree/xc/programs/Xserver/include/dix.h	patch

Fix (backported from upstream) the following issues in X client
libraries:
libX11 - insufficient validation of data from the X server
	 can cause out of boundary memory read (XGetImage())
	 or write (XListFonts()).
	 Affected versions libX11 <= 1.6.3

libXfixes - insufficient validation of data from the X server
	can cause an integer overflow on 32 bit architectures.
	Affected versions : libXfixes <= 5.0.2

libXi - insufficient validation of data from the X server
	can cause out of boundary memory access or
	endless loops (Denial of Service).
	Affected versions libXi <= 1.7.6

libXrandr - insufficient validation of data from the X server
	can cause out of boundary memory writes.
	Affected versions: libXrandr <= 1.5.0

libXrender - insufficient validation of data from the X server
	can cause out of boundary memory writes.
	Affected version: libXrender <= 0.9.9

XRecord - insufficient validation of data from the X server
	can cause out of boundary memory access or
	endless loops (Denial of Service).
	 Affected version libXtst <= 1.2.2

libXv - insufficient validation of data from the X server
	can cause out of boundary memory and memory corruption.
	CVE-2016-5407
	affected versions libXv <= 1.0.10

libXvMC - insufficient validation of data from the X server
	can cause a one byte buffer read underrun.
	Affected versions: libXvMC <= 1.0.9


(bouyer)
diff -r1.1.1.5 -r1.1.1.5.26.1 xsrc/xfree/xc/lib/X11/FontNames.c
diff -r1.1.1.5 -r1.1.1.5.26.1 xsrc/xfree/xc/lib/X11/GetImage.c
diff -r1.1.1.5 -r1.1.1.5.26.1 xsrc/xfree/xc/lib/X11/ModMap.c
diff -r1.1.1.4 -r1.1.1.4.28.1 xsrc/xfree/xc/lib/X11/ListExt.c
diff -r1.1.1.7.14.1 -r1.1.1.7.14.2 xsrc/xfree/xc/lib/X11/Xlibint.h
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XGMotion.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XGetBMap.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XGetDCtl.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XGetFCtl.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XGetMMap.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XOpenDev.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/XQueryDv.c
diff -r1.1.1.6 -r1.1.1.6.26.1 xsrc/xfree/xc/lib/Xi/XGetKMap.c
diff -r1.1.1.1 -r1.1.1.1.28.1 xsrc/xfree/xc/lib/Xrender/Filter.c
diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xrender/Xrender.c
diff -r1.1.1.6 -r1.1.1.6.14.1 xsrc/xfree/xc/lib/Xtst/XRecord.c
diff -r1.1.1.6 -r1.1.1.6.14.1 xsrc/xfree/xc/lib/Xv/Xv.c
diff -r1.1.1.6.26.1 -r1.1.1.6.26.2 xsrc/xfree/xc/programs/Xserver/include/dix.h
cvs diff -r1.1.1.5 -r1.1.1.5.26.1 xsrc/xfree/xc/lib/X11/Attic/FontNames.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/X11/Attic/FontNames.c 2004/03/05 14:24:07 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/Attic/FontNames.c 2016/10/05 10:48:27 1.1.1.5.26.1
@@ -19,89 +19,110 @@ OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMA @@ -19,89 +19,110 @@ OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMA
19AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 19AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 21
22Except as contained in this notice, the name of The Open Group shall not be 22Except as contained in this notice, the name of The Open Group shall not be
23used in advertising or otherwise to promote the sale, use or other dealings 23used in advertising or otherwise to promote the sale, use or other dealings
24in this Software without prior written authorization from The Open Group. 24in this Software without prior written authorization from The Open Group.
25 25
26*/ 26*/
27 27
28/* $XFree86: xc/lib/X11/FontNames.c,v 1.7 2003/11/17 22:20:06 dawes Exp $ */ 28/* $XFree86: xc/lib/X11/FontNames.c,v 1.7 2003/11/17 22:20:06 dawes Exp $ */
29 29
30#define NEED_REPLIES 30#define NEED_REPLIES
31#include "Xlibint.h" 31#include "Xlibint.h"
 32#include <limits.h>
32 33
33char ** 34char **
34XListFonts( 35XListFonts(
35register Display *dpy, 36register Display *dpy,
36_Xconst char *pattern, /* null-terminated */ 37_Xconst char *pattern, /* null-terminated */
37int maxNames, 38int maxNames,
38int *actualCount) /* RETURN */ 39int *actualCount) /* RETURN */
39{  40{
40 register long nbytes; 41 register long nbytes;
41 register unsigned i; 42 register unsigned i;
42 register int length; 43 register int length;
43 char **flist; 44 char **flist;
44 char *ch; 45 char *ch = NULL;
 46 char *chend;
 47 int count = 0;
45 xListFontsReply rep; 48 xListFontsReply rep;
46 register xListFontsReq *req; 49 register xListFontsReq *req;
47 register long rlen; 50 register long rlen;
48 51
49 LockDisplay(dpy); 52 LockDisplay(dpy);
50 GetReq(ListFonts, req); 53 GetReq(ListFonts, req);
51 req->maxNames = maxNames; 54 req->maxNames = maxNames;
52 nbytes = req->nbytes = pattern ? strlen (pattern) : 0; 55 nbytes = req->nbytes = pattern ? strlen (pattern) : 0;
53 req->length += (nbytes + 3) >> 2; 56 req->length += (nbytes + 3) >> 2;
54 _XSend (dpy, pattern, nbytes); 57 _XSend (dpy, pattern, nbytes);
55 /* use _XSend instead of Data, since following _XReply will flush buffer */ 58 /* use _XSend instead of Data, since following _XReply will flush buffer */
56 59
57 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) { 60 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) {
58 *actualCount = 0; 61 *actualCount = 0;
59 UnlockDisplay(dpy); 62 UnlockDisplay(dpy);
60 SyncHandle(); 63 SyncHandle();
61 return (char **) NULL; 64 return (char **) NULL;
62 } 65 }
63 66
64 if (rep.nFonts) { 67 if (rep.nFonts) {
65 flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *)); 68 flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *));
66 rlen = rep.length << 2; 69 if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
67 ch = (char *) Xmalloc((unsigned) (rlen + 1)); 70 rlen = rep.length << 2;
68 /* +1 to leave room for last null-terminator */ 71 ch = (char *) Xmalloc((unsigned) (rlen + 1));
 72 /* +1 to leave room for last null-terminator */
 73 }
69 74
70 if ((! flist) || (! ch)) { 75 if ((! flist) || (! ch)) {
71 if (flist) Xfree((char *) flist); 76 if (flist) Xfree((char *) flist);
72 if (ch) Xfree(ch); 77 if (ch) Xfree(ch);
73 _XEatData(dpy, (unsigned long) rlen); 78 _XEatData(dpy, (unsigned long) rlen);
74 *actualCount = 0; 79 *actualCount = 0;
75 UnlockDisplay(dpy); 80 UnlockDisplay(dpy);
76 SyncHandle(); 81 SyncHandle();
77 return (char **) NULL; 82 return (char **) NULL;
78 } 83 }
79 84
80 _XReadPad (dpy, ch, rlen); 85 _XReadPad (dpy, ch, rlen);
81 /* 86 /*
82 * unpack into null terminated strings. 87 * unpack into null terminated strings.
83 */ 88 */
 89 chend = ch + (rlen + 1);
84 length = *(unsigned char *)ch; 90 length = *(unsigned char *)ch;
85 *ch = 1; /* make sure it is non-zero for XFreeFontNames */ 91 *ch = 1; /* make sure it is non-zero for XFreeFontNames */
86 for (i = 0; i < rep.nFonts; i++) { 92 for (i = 0; i < rep.nFonts; i++) {
87 flist[i] = ch + 1; /* skip over length */ 93 if (ch + length < chend) {
88 ch += length + 1; /* find next length ... */ 94 flist[i] = ch + 1; /* skip over length */
89 length = *(unsigned char *)ch; 95 ch += length + 1; /* find next length ... */
90 *ch = '\0'; /* and replace with null-termination */ 96 if (ch <= chend) {
 97 length = *(unsigned char *)ch;
 98 *ch = '\0'; /* and replace with null-termination */
 99 count++;
 100 } else {
 101 Xfree(flist);
 102 flist = NULL;
 103 count = 0;
 104 break;
 105 }
 106 } else {
 107 Xfree(flist);
 108 flist = NULL;
 109 count = 0;
 110 break;
 111 }
91 } 112 }
92 } 113 }
93 else flist = (char **) NULL; 114 else flist = (char **) NULL;
94 *actualCount = rep.nFonts; 115 *actualCount = count;
95 UnlockDisplay(dpy); 116 UnlockDisplay(dpy);
96 SyncHandle(); 117 SyncHandle();
97 return (flist); 118 return (flist);
98} 119}
99 120
100int 121int
101XFreeFontNames(list) 122XFreeFontNames(list)
102char **list; 123char **list;
103{  124{
104 if (list) { 125 if (list) {
105 if (!*(list[0]-1)) { /* from ListFontsWithInfo */ 126 if (!*(list[0]-1)) { /* from ListFontsWithInfo */
106 register char **names; 127 register char **names;
107 for (names = list+1; *names; names++) 128 for (names = list+1; *names; names++)
cvs diff -r1.1.1.5 -r1.1.1.5.26.1 xsrc/xfree/xc/lib/X11/Attic/GetImage.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/X11/Attic/GetImage.c 2004/03/05 14:24:07 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/Attic/GetImage.c 2016/10/05 10:48:27 1.1.1.5.26.1
@@ -20,52 +20,54 @@ AN ACTION OF CONTRACT, TORT OR OTHERWISE @@ -20,52 +20,54 @@ AN ACTION OF CONTRACT, TORT OR OTHERWISE
20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 21
22Except as contained in this notice, the name of The Open Group shall not be 22Except as contained in this notice, the name of The Open Group shall not be
23used in advertising or otherwise to promote the sale, use or other dealings 23used in advertising or otherwise to promote the sale, use or other dealings
24in this Software without prior written authorization from The Open Group. 24in this Software without prior written authorization from The Open Group.
25 25
26*/ 26*/
27/* $XFree86: xc/lib/X11/GetImage.c,v 1.5 2003/04/13 19:22:16 dawes Exp $ */ 27/* $XFree86: xc/lib/X11/GetImage.c,v 1.5 2003/04/13 19:22:16 dawes Exp $ */
28 28
29#define NEED_REPLIES 29#define NEED_REPLIES
30#include "Xlibint.h" 30#include "Xlibint.h"
31#include <X11/Xutil.h> /* for XDestroyImage */ 31#include <X11/Xutil.h> /* for XDestroyImage */
32#include "ImUtil.h" 32#include "ImUtil.h"
 33#include <limits.h>
33 34
34#define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad)) 35#define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))
35 36
36static unsigned int Ones( /* HACKMEM 169 */ 37static unsigned int Ones( /* HACKMEM 169 */
37 unsigned long mask) 38 unsigned long mask)
38{ 39{
39 register unsigned long y; 40 register unsigned long y;
40 41
41 y = (mask >> 1) &033333333333; 42 y = (mask >> 1) &033333333333;
42 y = mask - y - ((y >>1) & 033333333333); 43 y = mask - y - ((y >>1) & 033333333333);
43 return ((unsigned int) (((y + (y >> 3)) & 030707070707) % 077)); 44 return ((unsigned int) (((y + (y >> 3)) & 030707070707) % 077));
44} 45}
45 46
46XImage *XGetImage (dpy, d, x, y, width, height, plane_mask, format) 47XImage *XGetImage (dpy, d, x, y, width, height, plane_mask, format)
47 register Display *dpy; 48 register Display *dpy;
48 Drawable d; 49 Drawable d;
49 int x, y; 50 int x, y;
50 unsigned int width, height; 51 unsigned int width, height;
51 unsigned long plane_mask; 52 unsigned long plane_mask;
52 int format; /* either XYPixmap or ZPixmap */ 53 int format; /* either XYPixmap or ZPixmap */
53{ 54{
54 xGetImageReply rep; 55 xGetImageReply rep;
55 register xGetImageReq *req; 56 register xGetImageReq *req;
56 char *data; 57 char *data;
57 long nbytes; 58 long nbytes;
58 XImage *image; 59 XImage *image;
 60 int planes;
59 LockDisplay(dpy); 61 LockDisplay(dpy);
60 GetReq (GetImage, req); 62 GetReq (GetImage, req);
61 /* 63 /*
62 * first set up the standard stuff in the request 64 * first set up the standard stuff in the request
63 */ 65 */
64 req->drawable = d; 66 req->drawable = d;
65 req->x = x; 67 req->x = x;
66 req->y = y; 68 req->y = y;
67 req->width = width; 69 req->width = width;
68 req->height = height; 70 req->height = height;
69 req->planeMask = plane_mask; 71 req->planeMask = plane_mask;
70 req->format = format; 72 req->format = format;
71  73
@@ -75,38 +77,48 @@ XImage *XGetImage (dpy, d, x, y, width,  @@ -75,38 +77,48 @@ XImage *XGetImage (dpy, d, x, y, width,
75 SyncHandle(); 77 SyncHandle();
76 return (XImage *)NULL; 78 return (XImage *)NULL;
77 } 79 }
78  80
79 nbytes = (long)rep.length << 2; 81 nbytes = (long)rep.length << 2;
80 data = (char *) Xmalloc((unsigned) nbytes); 82 data = (char *) Xmalloc((unsigned) nbytes);
81 if (! data) { 83 if (! data) {
82 _XEatData(dpy, (unsigned long) nbytes); 84 _XEatData(dpy, (unsigned long) nbytes);
83 UnlockDisplay(dpy); 85 UnlockDisplay(dpy);
84 SyncHandle(); 86 SyncHandle();
85 return (XImage *) NULL; 87 return (XImage *) NULL;
86 } 88 }
87 _XReadPad (dpy, data, nbytes); 89 _XReadPad (dpy, data, nbytes);
88 if (format == XYPixmap) 90 if (format == XYPixmap) {
89 image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), 91 image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
90 Ones (plane_mask & 92 Ones (plane_mask &
91 (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), 93 (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
92 format, 0, data, width, height, dpy->bitmap_pad, 0); 94 format, 0, data, width, height, dpy->bitmap_pad, 0);
93 else /* format == ZPixmap */ 95 planes = image->depth;
94 image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), 96 } else { /* format == ZPixmap */
95 rep.depth, ZPixmap, 0, data, width, height, 97 image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
96 _XGetScanlinePad(dpy, (int) rep.depth), 0); 98 rep.depth, ZPixmap, 0, data, width, height,
 99 _XGetScanlinePad(dpy, (int) rep.depth), 0);
 100 planes = 1;
 101 }
97 102
98 if (!image) 103 if (!image)
99 Xfree(data); 104 Xfree(data);
 105 if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
 106 INT_MAX / image->height <= image->bytes_per_line ||
 107 INT_MAX / planes <= image->height * image->bytes_per_line ||
 108 nbytes < planes * image->height * image->bytes_per_line) {
 109 XDestroyImage(image);
 110 image = NULL;
 111 }
100 UnlockDisplay(dpy); 112 UnlockDisplay(dpy);
101 SyncHandle(); 113 SyncHandle();
102 return (image); 114 return (image);
103} 115}
104 116
105XImage *XGetSubImage(dpy, d, x, y, width, height, plane_mask, format, 117XImage *XGetSubImage(dpy, d, x, y, width, height, plane_mask, format,
106 dest_image, dest_x, dest_y) 118 dest_image, dest_x, dest_y)
107 register Display *dpy; 119 register Display *dpy;
108 Drawable d; 120 Drawable d;
109 int x, y; 121 int x, y;
110 unsigned int width, height; 122 unsigned int width, height;
111 unsigned long plane_mask; 123 unsigned long plane_mask;
112 int format; /* either XYPixmap or ZPixmap */ 124 int format; /* either XYPixmap or ZPixmap */
cvs diff -r1.1.1.5 -r1.1.1.5.26.1 xsrc/xfree/xc/lib/X11/Attic/ModMap.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/X11/Attic/ModMap.c 2004/03/05 14:24:08 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/Attic/ModMap.c 2016/10/05 10:48:27 1.1.1.5.26.1
@@ -18,42 +18,48 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON @@ -18,42 +18,48 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON
18OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN 18OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
19AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 19AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 21
22Except as contained in this notice, the name of The Open Group shall not be 22Except as contained in this notice, the name of The Open Group shall not be
23used in advertising or otherwise to promote the sale, use or other dealings 23used in advertising or otherwise to promote the sale, use or other dealings
24in this Software without prior written authorization from The Open Group. 24in this Software without prior written authorization from The Open Group.
25 25
26*/ 26*/
27/* $XFree86: xc/lib/X11/ModMap.c,v 1.5 2003/11/17 22:20:08 dawes Exp $ */ 27/* $XFree86: xc/lib/X11/ModMap.c,v 1.5 2003/11/17 22:20:08 dawes Exp $ */
28 28
29#define NEED_REPLIES 29#define NEED_REPLIES
30#include "Xlibint.h" 30#include "Xlibint.h"
 31#include <limits.h>
31 32
32XModifierKeymap * 33XModifierKeymap *
33XGetModifierMapping(dpy) 34XGetModifierMapping(dpy)
34 register Display *dpy; 35 register Display *dpy;
35{  36{
36 xGetModifierMappingReply rep; 37 xGetModifierMappingReply rep;
37 register xReq *req; 38 register xReq *req;
38 unsigned long nbytes; 39 unsigned long nbytes;
39 XModifierKeymap *res; 40 XModifierKeymap *res;
40 41
41 LockDisplay(dpy); 42 LockDisplay(dpy);
42 GetEmptyReq(GetModifierMapping, req); 43 GetEmptyReq(GetModifierMapping, req);
43 (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); 44 (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
44 45
45 nbytes = (unsigned long)rep.length << 2; 46 if (rep.length < (INT_MAX >> 2) &&
46 res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); 47 (rep.length >> 1) == rep.numKeyPerModifier) {
 48 nbytes = (unsigned long)rep.length << 2;
 49 res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap));
 50 } else
 51 res = NULL;
 52
47 if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); 53 if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes);
48 if ((! res) || (! res->modifiermap)) { 54 if ((! res) || (! res->modifiermap)) {
49 if (res) Xfree((char *) res); 55 if (res) Xfree((char *) res);
50 res = (XModifierKeymap *) NULL; 56 res = (XModifierKeymap *) NULL;
51 _XEatData(dpy, nbytes); 57 _XEatData(dpy, nbytes);
52 } else { 58 } else {
53 _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); 59 _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes);
54 res->max_keypermod = rep.numKeyPerModifier; 60 res->max_keypermod = rep.numKeyPerModifier;
55 } 61 }
56 62
57 UnlockDisplay(dpy); 63 UnlockDisplay(dpy);
58 SyncHandle(); 64 SyncHandle();
59 return (res); 65 return (res);
cvs diff -r1.1.1.4 -r1.1.1.4.28.1 xsrc/xfree/xc/lib/X11/Attic/ListExt.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/X11/Attic/ListExt.c 2002/01/19 14:55:27 1.1.1.4
+++ xsrc/xfree/xc/lib/X11/Attic/ListExt.c 2016/10/05 10:48:27 1.1.1.4.28.1
@@ -18,79 +18,93 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON @@ -18,79 +18,93 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON
18OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN 18OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
19AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 19AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 20CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 21
22Except as contained in this notice, the name of The Open Group shall not be 22Except as contained in this notice, the name of The Open Group shall not be
23used in advertising or otherwise to promote the sale, use or other dealings 23used in advertising or otherwise to promote the sale, use or other dealings
24in this Software without prior written authorization from The Open Group. 24in this Software without prior written authorization from The Open Group.
25 25
26*/ 26*/
27/* $XFree86: xc/lib/X11/ListExt.c,v 1.4 2001/12/14 19:54:02 dawes Exp $ */ 27/* $XFree86: xc/lib/X11/ListExt.c,v 1.4 2001/12/14 19:54:02 dawes Exp $ */
28 28
29#define NEED_REPLIES 29#define NEED_REPLIES
30#include "Xlibint.h" 30#include "Xlibint.h"
 31#include <limits.h>
31 32
32char **XListExtensions(dpy, nextensions) 33char **XListExtensions(dpy, nextensions)
33register Display *dpy; 34register Display *dpy;
34int *nextensions; /* RETURN */ 35int *nextensions; /* RETURN */
35{ 36{
36 xListExtensionsReply rep; 37 xListExtensionsReply rep;
37 char **list; 38 char **list;
38 char *ch; 39 char *ch = NULL;
 40 char *chend;
 41 int count = 0;
39 register unsigned i; 42 register unsigned i;
40 register int length; 43 register int length;
41 register xReq *req; 44 register xReq *req;
42 register long rlen; 45 register long rlen;
43 46
44 LockDisplay(dpy); 47 LockDisplay(dpy);
45 GetEmptyReq (ListExtensions, req); 48 GetEmptyReq (ListExtensions, req);
46 49
47 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) { 50 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) {
48 UnlockDisplay(dpy); 51 UnlockDisplay(dpy);
49 SyncHandle(); 52 SyncHandle();
50 return (char **) NULL; 53 return (char **) NULL;
51 } 54 }
52 55
53 if (rep.nExtensions) { 56 if (rep.nExtensions) {
54 list = (char **) Xmalloc ( 57 list = (char **) Xmalloc (
55 (unsigned)(rep.nExtensions * sizeof (char *))); 58 (unsigned)(rep.nExtensions * sizeof (char *)));
56 rlen = rep.length << 2; 59 if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
57 ch = (char *) Xmalloc ((unsigned) rlen + 1); 60 rlen = rep.length << 2;
58 /* +1 to leave room for last null-terminator */ 61 ch = (char *) Xmalloc ((unsigned) rlen + 1);
 62 /* +1 to leave room for last null-terminator */
 63 }
59 64
60 if ((!list) || (!ch)) { 65 if ((!list) || (!ch)) {
61 if (list) Xfree((char *) list); 66 if (list) Xfree((char *) list);
62 if (ch) Xfree((char *) ch); 67 if (ch) Xfree((char *) ch);
63 _XEatData(dpy, (unsigned long) rlen); 68 _XEatData(dpy, (unsigned long) rlen);
64 UnlockDisplay(dpy); 69 UnlockDisplay(dpy);
65 SyncHandle(); 70 SyncHandle();
66 return (char **) NULL; 71 return (char **) NULL;
67 } 72 }
68 73
69 _XReadPad (dpy, ch, rlen); 74 _XReadPad (dpy, ch, rlen);
70 /* 75 /*
71 * unpack into null terminated strings. 76 * unpack into null terminated strings.
72 */ 77 */
 78 chend = ch + (rlen + 1);
73 length = *ch; 79 length = *ch;
74 for (i = 0; i < rep.nExtensions; i++) { 80 for (i = 0; i < rep.nExtensions; i++) {
75 list[i] = ch+1; /* skip over length */ 81 if (ch + length < chend) {
76 ch += length + 1; /* find next length ... */ 82 list[i] = ch+1; /* skip over length */
77 length = *ch; 83 ch += length + 1; /* find next length ... */
78 *ch = '\0'; /* and replace with null-termination */ 84 if (ch <= chend) {
 85 length = *ch;
 86 *ch = '\0'; /* and replace with null-termination */
 87 count++;
 88 } else {
 89 list[i] = NULL;
 90 }
 91 } else
 92 list[i] = NULL;
79 } 93 }
80 } 94 }
81 else list = (char **) NULL; 95 else list = (char **) NULL;
82 96
83 *nextensions = rep.nExtensions; 97 *nextensions = count;
84 UnlockDisplay(dpy); 98 UnlockDisplay(dpy);
85 SyncHandle(); 99 SyncHandle();
86 return (list); 100 return (list);
87} 101}
88 102
89int 103int
90XFreeExtensionList (list) 104XFreeExtensionList (list)
91char **list; 105char **list;
92{ 106{
93 if (list != NULL) { 107 if (list != NULL) {
94 Xfree (list[0]-1); 108 Xfree (list[0]-1);
95 Xfree ((char *)list); 109 Xfree ((char *)list);
96 } 110 }
cvs diff -r1.1.1.7.14.1 -r1.1.1.7.14.2 xsrc/xfree/xc/lib/X11/Attic/Xlibint.h (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/X11/Attic/Xlibint.h 2015/04/19 05:48:29 1.1.1.7.14.1
+++ xsrc/xfree/xc/lib/X11/Attic/Xlibint.h 2016/10/05 10:48:27 1.1.1.7.14.2
@@ -532,27 +532,27 @@ extern LockInfoPtr _Xglobal_lock; @@ -532,27 +532,27 @@ extern LockInfoPtr _Xglobal_lock;
532 * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 532 * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
533 * length, after req->length, before the data in the request. The new length 533 * length, after req->length, before the data in the request. The new length
534 * includes the "n" extra 32-bit words. 534 * includes the "n" extra 32-bit words.
535 * 535 *
536 * Do not use MakeBigReq if there is no data already in the request. 536 * Do not use MakeBigReq if there is no data already in the request.
537 * req->length must already be >= 2. 537 * req->length must already be >= 2.
538 */ 538 */
539#define MakeBigReq(req,n) \ 539#define MakeBigReq(req,n) \
540 { \ 540 { \
541 char _BRdat[4]; \ 541 char _BRdat[4]; \
542 unsigned long _BRlen = req->length - 1; \ 542 unsigned long _BRlen = req->length - 1; \
543 req->length = 0; \ 543 req->length = 0; \
544 memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \ 544 memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \
545 memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ 545 memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
546 memcpy(((char *)req) + 4, _BRdat, 4); \ 546 memcpy(((char *)req) + 4, _BRdat, 4); \
547 Data32(dpy, (long *)&_BRdat, 4); \ 547 Data32(dpy, (long *)&_BRdat, 4); \
548 } 548 }
549#else 549#else
550#ifdef LONG64 550#ifdef LONG64
551#define MakeBigReq(req,n) \ 551#define MakeBigReq(req,n) \
552 { \ 552 { \
553 CARD64 _BRdat; \ 553 CARD64 _BRdat; \
554 CARD32 _BRlen = req->length - 1; \ 554 CARD32 _BRlen = req->length - 1; \
555 req->length = 0; \ 555 req->length = 0; \
556 _BRdat = ((CARD32 *)req)[_BRlen]; \ 556 _BRdat = ((CARD32 *)req)[_BRlen]; \
557 memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ 557 memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
558 ((CARD32 *)req)[1] = _BRlen + n + 2; \ 558 ((CARD32 *)req)[1] = _BRlen + n + 2; \
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XGMotion.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XGMotion.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGMotion.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -49,42 +49,43 @@ SOFTWARE. @@ -49,42 +49,43 @@ SOFTWARE.
49 49
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XGetDeviceMotionEvents - Get the motion history of an input device. 52 * XGetDeviceMotionEvents - Get the motion history of an input device.
53 * 53 *
54 */ 54 */
55 55
56#include <X11/extensions/XI.h> 56#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 57#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 58#include <X11/Xlibint.h>
59#include <X11/extensions/XInput.h> 59#include <X11/extensions/XInput.h>
60#include <X11/extensions/extutil.h> 60#include <X11/extensions/extutil.h>
61#include "XIint.h" 61#include "XIint.h"
 62#include <limits.h>
62 63
63XDeviceTimeCoord 64XDeviceTimeCoord
64*XGetDeviceMotionEvents (dpy, dev, start, stop, nEvents, mode, axis_count) 65*XGetDeviceMotionEvents (dpy, dev, start, stop, nEvents, mode, axis_count)
65 register Display *dpy; 66 register Display *dpy;
66 XDevice *dev; 67 XDevice *dev;
67 Time start; 68 Time start;
68 Time stop; 69 Time stop;
69 int *nEvents; 70 int *nEvents;
70 int *mode; 71 int *mode;
71 int *axis_count; 72 int *axis_count;
72 {  73 {
73 xGetDeviceMotionEventsReq *req; 74 xGetDeviceMotionEventsReq *req;
74 xGetDeviceMotionEventsReply rep; 75 xGetDeviceMotionEventsReply rep;
75 XDeviceTimeCoord *tc; 76 XDeviceTimeCoord *tc;
76 int *data, *bufp, *readp, *savp; 77 int *data, *bufp, *readp, *savp;
77 long size, size2; 78 long size;
78 int i, j; 79 int i, j;
79 XExtDisplayInfo *info = XInput_find_display (dpy); 80 XExtDisplayInfo *info = XInput_find_display (dpy);
80 81
81 LockDisplay (dpy); 82 LockDisplay (dpy);
82 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) 83 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1)
83 return ((XDeviceTimeCoord *) NoSuchExtension); 84 return ((XDeviceTimeCoord *) NoSuchExtension);
84 85
85 GetReq(GetDeviceMotionEvents,req);  86 GetReq(GetDeviceMotionEvents,req);
86 req->reqType = info->codes->major_opcode; 87 req->reqType = info->codes->major_opcode;
87 req->ReqType = X_GetDeviceMotionEvents; 88 req->ReqType = X_GetDeviceMotionEvents;
88 req->start = start; 89 req->start = start;
89 req->stop = stop; 90 req->stop = stop;
90 req->deviceid = dev->device_id; 91 req->deviceid = dev->device_id;
@@ -95,31 +96,43 @@ XDeviceTimeCoord @@ -95,31 +96,43 @@ XDeviceTimeCoord
95 *nEvents = 0; 96 *nEvents = 0;
96 return (NULL); 97 return (NULL);
97 } 98 }
98 99
99 *mode = rep.mode; 100 *mode = rep.mode;
100 *axis_count = rep.axes; 101 *axis_count = rep.axes;
101 *nEvents = rep.nEvents; 102 *nEvents = rep.nEvents;
102 if (!rep.nEvents) 103 if (!rep.nEvents)
103 { 104 {
104 UnlockDisplay(dpy); 105 UnlockDisplay(dpy);
105 SyncHandle(); 106 SyncHandle();
106 return (NULL); 107 return (NULL);
107 } 108 }
108 size = rep.length << 2; 109 if (rep.length < (INT_MAX >> 2)) {
109 size2 = rep.nEvents *  110 size = rep.length << 2;
110 (sizeof (XDeviceTimeCoord) + (rep.axes * sizeof (int))); 111 savp = readp = Xmalloc(size);
111 savp = readp = (int *) Xmalloc (size); 112 } else {
112 bufp = (int *) Xmalloc (size2); 113 size = 0;
 114 savp = readp = NULL;
 115 }
 116 /* rep.axes is a CARD8, so assume max number of axes for bounds check */
 117 if (rep.nEvents <
 118 (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
 119 rep.nEvents * (rep.axes + 1) <= rep.length) {
 120 size_t bsize = rep.nEvents *
 121 (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
 122 bufp = Xmalloc(bsize);
 123 } else
 124 bufp = NULL;
 125
113 if (!bufp || !savp) 126 if (!bufp || !savp)
114 { 127 {
115 *nEvents = 0; 128 *nEvents = 0;
116 _XEatData (dpy, (unsigned long) size); 129 _XEatData (dpy, (unsigned long) size);
117 UnlockDisplay(dpy); 130 UnlockDisplay(dpy);
118 SyncHandle(); 131 SyncHandle();
119 return (NULL); 132 return (NULL);
120 } 133 }
121 _XRead (dpy, (char *) readp, size); 134 _XRead (dpy, (char *) readp, size);
122 135
123 tc = (XDeviceTimeCoord *) bufp; 136 tc = (XDeviceTimeCoord *) bufp;
124 data = (int *) (tc + rep.nEvents); 137 data = (int *) (tc + rep.nEvents);
125 for (i=0; i<*nEvents; i++,tc++) 138 for (i=0; i<*nEvents; i++,tc++)
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XGetBMap.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XGetBMap.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetBMap.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -80,29 +80,33 @@ XGetDeviceButtonMapping (dpy, device, ma @@ -80,29 +80,33 @@ XGetDeviceButtonMapping (dpy, device, ma
80 register xGetDeviceButtonMappingReq *req; 80 register xGetDeviceButtonMappingReq *req;
81 xGetDeviceButtonMappingReply rep; 81 xGetDeviceButtonMappingReply rep;
82 82
83 LockDisplay(dpy); 83 LockDisplay(dpy);
84 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) 84 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1)
85 return (NoSuchExtension); 85 return (NoSuchExtension);
86 GetReq(GetDeviceButtonMapping, req); 86 GetReq(GetDeviceButtonMapping, req);
87 87
88 req->reqType = info->codes->major_opcode; 88 req->reqType = info->codes->major_opcode;
89 req->ReqType = X_GetDeviceButtonMapping; 89 req->ReqType = X_GetDeviceButtonMapping;
90 req->deviceid = device->device_id; 90 req->deviceid = device->device_id;
91 91
92 status = _XReply (dpy, (xReply *)&rep, 0, xFalse); 92 status = _XReply (dpy, (xReply *)&rep, 0, xFalse);
93 if (status == 1) 93 if (status == 1) {
94 { 94 if (rep.length <= (sizeof(mapping) >> 2) &&
95 nbytes = (long)rep.length << 2; 95 rep.nElts <= (rep.length << 2)) {
96 _XRead (dpy, (char *)mapping, nbytes); 96 nbytes = (long)rep.length << 2;
 97 _XRead (dpy, (char *)mapping, nbytes);
97 98
98 /* don't return more data than the user asked for. */ 99 /* don't return more data than the user asked for. */
99 if (rep.nElts)  100 if (rep.nElts)
100 memcpy ((char *) map, (char *) mapping, MIN((int)rep.nElts, nmap)); 101 memcpy ((char *) map, (char *) mapping, MIN((int)rep.nElts, nmap));
101 status = rep.nElts; 102 status = rep.nElts;
 103 } else {
 104 status = 0;
102 } 105 }
 106 }
103 else 107 else
104 status = 0; 108 status = 0;
105 UnlockDisplay(dpy); 109 UnlockDisplay(dpy);
106 SyncHandle(); 110 SyncHandle();
107 return (status); 111 return (status);
108 } 112 }
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XGetDCtl.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XGetDCtl.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetDCtl.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -50,26 +50,27 @@ SOFTWARE. @@ -50,26 +50,27 @@ SOFTWARE.
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XGetDeviceControl - get the Device control state of an extension device. 52 * XGetDeviceControl - get the Device control state of an extension device.
53 * 53 *
54 */ 54 */
55 55
56#include <X11/extensions/XI.h> 56#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 57#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 58#include <X11/Xlibint.h>
59#include <X11/Xlib.h> 59#include <X11/Xlib.h>
60#include <X11/extensions/XInput.h> 60#include <X11/extensions/XInput.h>
61#include <X11/extensions/extutil.h> 61#include <X11/extensions/extutil.h>
62#include "XIint.h" 62#include "XIint.h"
 63#include <limits.h>
63 64
64XDeviceControl 65XDeviceControl
65*XGetDeviceControl (dpy, dev, control) 66*XGetDeviceControl (dpy, dev, control)
66 register Display *dpy; 67 register Display *dpy;
67 XDevice *dev; 68 XDevice *dev;
68 int control; 69 int control;
69 { 70 {
70 int size = 0; 71 int size = 0;
71 int nbytes, i; 72 int nbytes, i;
72 XDeviceControl *Device = NULL; 73 XDeviceControl *Device = NULL;
73 XDeviceControl *Sav = NULL; 74 XDeviceControl *Sav = NULL;
74 xDeviceState *d = NULL; 75 xDeviceState *d = NULL;
75 xDeviceState *sav = NULL; 76 xDeviceState *sav = NULL;
@@ -85,47 +86,56 @@ XDeviceControl @@ -85,47 +86,56 @@ XDeviceControl
85 req->reqType = info->codes->major_opcode; 86 req->reqType = info->codes->major_opcode;
86 req->ReqType = X_GetDeviceControl; 87 req->ReqType = X_GetDeviceControl;
87 req->deviceid = dev->device_id; 88 req->deviceid = dev->device_id;
88 req->control = control; 89 req->control = control;
89 90
90 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))  91 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))
91 { 92 {
92 UnlockDisplay(dpy); 93 UnlockDisplay(dpy);
93 SyncHandle(); 94 SyncHandle();
94 return (XDeviceControl *) NULL; 95 return (XDeviceControl *) NULL;
95 } 96 }
96 if (rep.length > 0)  97 if (rep.length > 0)
97 { 98 {
98 nbytes = (long)rep.length << 2; 99 if (rep.length < (INT_MAX >> 2) &&
99 d = (xDeviceState *) Xmalloc((unsigned) nbytes); 100 (rep.length << 2) >= sizeof(xDeviceState)) {
 101 nbytes = (long)rep.length << 2;
 102 d = (xDeviceState *) Xmalloc((unsigned) nbytes);
 103 }
100 if (!d) 104 if (!d)
101 { 105 {
102 _XEatData (dpy, (unsigned long) nbytes); 106 _XEatData (dpy, (unsigned long) nbytes);
103 UnlockDisplay(dpy); 107 UnlockDisplay(dpy);
104 SyncHandle(); 108 SyncHandle();
105 return (XDeviceControl *) NULL; 109 return (XDeviceControl *) NULL;
106 } 110 }
107 sav = d; 111 sav = d;
108 _XRead (dpy, (char *) d, nbytes); 112 _XRead (dpy, (char *) d, nbytes);
109 113
110 switch (d->control) 114 switch (d->control)
111 { 115 {
112 case DEVICE_RESOLUTION: 116 case DEVICE_RESOLUTION:
113 { 117 {
114 xDeviceResolutionState *r; 118 xDeviceResolutionState *r;
 119 size_t val_size;
115 120
116 r = (xDeviceResolutionState *) d; 121 r = (xDeviceResolutionState *) d;
117 size += sizeof (XDeviceResolutionState) +  122 if (sizeof(xDeviceResolutionState) > nbytes ||
118 (3 * sizeof(int) * r->num_valuators); 123 r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
 124 goto out;
 125 val_size = 3 * sizeof(int) * r->num_valuators;
 126 if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
 127 goto out;
 128 size = sizeof(XDeviceResolutionState) + val_size;
119 break; 129 break;
120 } 130 }
121 default: 131 default:
122 size += d->length; 132 size += d->length;
123 break; 133 break;
124 } 134 }
125 135
126 Device = (XDeviceControl *) Xmalloc((unsigned) size); 136 Device = (XDeviceControl *) Xmalloc((unsigned) size);
127 if (!Device) 137 if (!Device)
128 { 138 {
129 UnlockDisplay(dpy); 139 UnlockDisplay(dpy);
130 SyncHandle(); 140 SyncHandle();
131 return (XDeviceControl *) NULL; 141 return (XDeviceControl *) NULL;
@@ -148,26 +158,27 @@ XDeviceControl @@ -148,26 +158,27 @@ XDeviceControl
148 R->num_valuators = r->num_valuators; 158 R->num_valuators = r->num_valuators;
149 iptr = (int *) (R+1); 159 iptr = (int *) (R+1);
150 iptr2 = (int *) (r+1); 160 iptr2 = (int *) (r+1);
151 R->resolutions = iptr; 161 R->resolutions = iptr;
152 R->min_resolutions = iptr + R->num_valuators; 162 R->min_resolutions = iptr + R->num_valuators;
153 R->max_resolutions = iptr + (2 * R->num_valuators); 163 R->max_resolutions = iptr + (2 * R->num_valuators);
154 for (i=0; i < (3 * R->num_valuators); i++) 164 for (i=0; i < (3 * R->num_valuators); i++)
155 *iptr++ = *iptr2++; 165 *iptr++ = *iptr2++;
156 break; 166 break;
157 } 167 }
158 default: 168 default:
159 break; 169 break;
160 } 170 }
 171out:
161 XFree (sav); 172 XFree (sav);
162 } 173 }
163 174
164 UnlockDisplay(dpy); 175 UnlockDisplay(dpy);
165 SyncHandle(); 176 SyncHandle();
166 return (Sav); 177 return (Sav);
167 } 178 }
168 179
169void XFreeDeviceControl (control) 180void XFreeDeviceControl (control)
170 XDeviceControl *control; 181 XDeviceControl *control;
171 { 182 {
172 XFree (control); 183 XFree (control);
173 } 184 }
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XGetFCtl.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XGetFCtl.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetFCtl.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -50,75 +50,84 @@ SOFTWARE. @@ -50,75 +50,84 @@ SOFTWARE.
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XGetFeedbackControl - get the feedback attributes of an extension device. 52 * XGetFeedbackControl - get the feedback attributes of an extension device.
53 * 53 *
54 */ 54 */
55 55
56#include <X11/extensions/XI.h> 56#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 57#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 58#include <X11/Xlibint.h>
59#include <X11/Xlib.h> 59#include <X11/Xlib.h>
60#include <X11/extensions/XInput.h> 60#include <X11/extensions/XInput.h>
61#include <X11/extensions/extutil.h> 61#include <X11/extensions/extutil.h>
62#include "XIint.h" 62#include "XIint.h"
 63#include <limits.h>
63 64
64XFeedbackState 65XFeedbackState
65*XGetFeedbackControl (dpy, dev, num_feedbacks) 66*XGetFeedbackControl (dpy, dev, num_feedbacks)
66 register Display *dpy; 67 register Display *dpy;
67 XDevice *dev; 68 XDevice *dev;
68 int *num_feedbacks; 69 int *num_feedbacks;
69 { 70 {
70 int size = 0; 71 int size = 0;
71 int nbytes, i; 72 int nbytes, i;
72 XFeedbackState *Feedback = NULL; 73 XFeedbackState *Feedback = NULL;
73 XFeedbackState *Sav = NULL; 74 XFeedbackState *Sav = NULL;
74 xFeedbackState *f = NULL; 75 xFeedbackState *f = NULL;
75 xFeedbackState *sav = NULL; 76 xFeedbackState *sav = NULL;
 77 char *end = NULL;
76 xGetFeedbackControlReq *req; 78 xGetFeedbackControlReq *req;
77 xGetFeedbackControlReply rep; 79 xGetFeedbackControlReply rep;
78 XExtDisplayInfo *info = XInput_find_display (dpy); 80 XExtDisplayInfo *info = XInput_find_display (dpy);
79 81
80 LockDisplay (dpy); 82 LockDisplay (dpy);
81 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) 83 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1)
82 return ((XFeedbackState *) NoSuchExtension); 84 return ((XFeedbackState *) NoSuchExtension);
83 85
84 GetReq(GetFeedbackControl,req); 86 GetReq(GetFeedbackControl,req);
85 req->reqType = info->codes->major_opcode; 87 req->reqType = info->codes->major_opcode;
86 req->ReqType = X_GetFeedbackControl; 88 req->ReqType = X_GetFeedbackControl;
87 req->deviceid = dev->device_id; 89 req->deviceid = dev->device_id;
88 90
89 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))  91 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))
90 { 92 {
91 UnlockDisplay(dpy); 93 UnlockDisplay(dpy);
92 SyncHandle(); 94 SyncHandle();
93 return (XFeedbackState *) NULL; 95 return (XFeedbackState *) NULL;
94 } 96 }
95 if (rep.length > 0)  97 if (rep.length > 0)
96 { 98 {
97 *num_feedbacks = rep.num_feedbacks; 99 *num_feedbacks = rep.num_feedbacks;
98 nbytes = (long)rep.length << 2; 100
99 f = (xFeedbackState *) Xmalloc((unsigned) nbytes); 101 if (rep.length < (INT_MAX >> 2)) {
 102 nbytes = (long)rep.length << 2;
 103 f = (xFeedbackState *) Xmalloc((unsigned) nbytes);
 104 }
100 if (!f) 105 if (!f)
101 { 106 {
102 _XEatData (dpy, (unsigned long) nbytes); 107 _XEatData (dpy, (unsigned long) nbytes);
103 UnlockDisplay(dpy); 108 UnlockDisplay(dpy);
104 SyncHandle(); 109 SyncHandle();
105 return (XFeedbackState *) NULL; 110 return (XFeedbackState *) NULL;
106 } 111 }
107 sav = f; 112 sav = f;
 113 end = (char *)f + nbytes;
108 _XRead (dpy, (char *) f, nbytes); 114 _XRead (dpy, (char *) f, nbytes);
109 115
110 for (i=0; i<*num_feedbacks; i++) 116 for (i=0; i<*num_feedbacks; i++)
111 { 117 {
 118 if ((char *)f + sizeof(*f) > end ||
 119 f->length == 0 || f->length > nbytes)
 120 goto out;
112 switch (f->class) 121 switch (f->class)
113 { 122 {
114 case KbdFeedbackClass: 123 case KbdFeedbackClass:
115 size += sizeof (XKbdFeedbackState); 124 size += sizeof (XKbdFeedbackState);
116 break; 125 break;
117 case PtrFeedbackClass: 126 case PtrFeedbackClass:
118 size += sizeof (XPtrFeedbackState); 127 size += sizeof (XPtrFeedbackState);
119 break; 128 break;
120 case IntegerFeedbackClass: 129 case IntegerFeedbackClass:
121 size += sizeof (XIntegerFeedbackState); 130 size += sizeof (XIntegerFeedbackState);
122 break; 131 break;
123 case StringFeedbackClass: 132 case StringFeedbackClass:
124 { 133 {
@@ -248,26 +257,27 @@ XFeedbackState @@ -248,26 +257,27 @@ XFeedbackState
248 B->length = sizeof (XBellFeedbackState); 257 B->length = sizeof (XBellFeedbackState);
249 B->id = b->id; 258 B->id = b->id;
250 B->percent = b->percent; 259 B->percent = b->percent;
251 B->pitch = b->pitch; 260 B->pitch = b->pitch;
252 B->duration = b->duration; 261 B->duration = b->duration;
253 break; 262 break;
254 } 263 }
255 default: 264 default:
256 break; 265 break;
257 } 266 }
258 f = (xFeedbackState *) ((char *) f + f->length); 267 f = (xFeedbackState *) ((char *) f + f->length);
259 Feedback = (XFeedbackState *) ((char *) Feedback+Feedback->length); 268 Feedback = (XFeedbackState *) ((char *) Feedback+Feedback->length);
260 } 269 }
 270out:
261 XFree ((char *)sav); 271 XFree ((char *)sav);
262 } 272 }
263 273
264 UnlockDisplay(dpy); 274 UnlockDisplay(dpy);
265 SyncHandle(); 275 SyncHandle();
266 return (Sav); 276 return (Sav);
267 } 277 }
268 278
269void XFreeFeedbackList (list) 279void XFreeFeedbackList (list)
270 XFeedbackState *list; 280 XFeedbackState *list;
271 { 281 {
272 XFree ((char *)list); 282 XFree ((char *)list);
273 } 283 }
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XGetMMap.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XGetMMap.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetMMap.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO
43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
45SOFTWARE. 45SOFTWARE.
46 46
47********************************************************/ 47********************************************************/
48/* $XFree86: xc/lib/Xi/XGetMMap.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */ 48/* $XFree86: xc/lib/Xi/XGetMMap.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */
49 49
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XGetDeviceModifierMapping - get the modifier map of an extension device. 52 * XGetDeviceModifierMapping - get the modifier map of an extension device.
53 * 53 *
54 */ 54 */
55 55
 56#include <limits.h>
56#include <X11/extensions/XI.h> 57#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 58#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 59#include <X11/Xlibint.h>
59#include <X11/extensions/XInput.h> 60#include <X11/extensions/XInput.h>
60#include <X11/extensions/extutil.h> 61#include <X11/extensions/extutil.h>
61#include "XIint.h" 62#include "XIint.h"
62 63
63XModifierKeymap  64XModifierKeymap
64*XGetDeviceModifierMapping (dpy, dev) 65*XGetDeviceModifierMapping (dpy, dev)
65 register Display *dpy; 66 register Display *dpy;
66 XDevice *dev; 67 XDevice *dev;
67 { 68 {
68 unsigned long nbytes; 69 unsigned long nbytes;
@@ -76,28 +77,34 @@ XModifierKeymap  @@ -76,28 +77,34 @@ XModifierKeymap
76 return ((XModifierKeymap *) NoSuchExtension); 77 return ((XModifierKeymap *) NoSuchExtension);
77 78
78 GetReq(GetDeviceModifierMapping,req); 79 GetReq(GetDeviceModifierMapping,req);
79 req->reqType = info->codes->major_opcode; 80 req->reqType = info->codes->major_opcode;
80 req->ReqType = X_GetDeviceModifierMapping; 81 req->ReqType = X_GetDeviceModifierMapping;
81 req->deviceid = dev->device_id; 82 req->deviceid = dev->device_id;
82 83
83 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))  84 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))
84 { 85 {
85 UnlockDisplay(dpy); 86 UnlockDisplay(dpy);
86 SyncHandle(); 87 SyncHandle();
87 return (XModifierKeymap *) NULL; 88 return (XModifierKeymap *) NULL;
88 } 89 }
89 nbytes = (unsigned long)rep.length << 2; 90 if (rep.length < (INT_MAX >> 2) &&
90 res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); 91 rep.numKeyPerModifier == rep.length >> 1) {
 92 nbytes = (unsigned long)rep.length << 2;
 93 res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap));
 94 } else {
 95 nbytes = 0;
 96 res = NULL;
 97 }
91 if (res) 98 if (res)
92 { 99 {
93 res->modifiermap = (KeyCode *) Xmalloc (nbytes); 100 res->modifiermap = (KeyCode *) Xmalloc (nbytes);
94 if (res->modifiermap) 101 if (res->modifiermap)
95 _XReadPad(dpy, (char *) res->modifiermap, nbytes); 102 _XReadPad(dpy, (char *) res->modifiermap, nbytes);
96 else 103 else
97 _XEatData (dpy, (unsigned long) nbytes); 104 _XEatData (dpy, (unsigned long) nbytes);
98 res->max_keypermod = rep.numKeyPerModifier; 105 res->max_keypermod = rep.numKeyPerModifier;
99 } 106 }
100 107
101 UnlockDisplay(dpy); 108 UnlockDisplay(dpy);
102 SyncHandle(); 109 SyncHandle();
103 return (res); 110 return (res);
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XOpenDev.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XOpenDev.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XOpenDev.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO
43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
45SOFTWARE. 45SOFTWARE.
46 46
47********************************************************/ 47********************************************************/
48/* $XFree86: xc/lib/Xi/XOpenDev.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */ 48/* $XFree86: xc/lib/Xi/XOpenDev.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */
49 49
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XOpenDevice - Request the server to open and extension input device. 52 * XOpenDevice - Request the server to open and extension input device.
53 * 53 *
54 */ 54 */
55 55
 56#include <limits.h>
56#include <X11/extensions/XI.h> 57#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 58#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 59#include <X11/Xlibint.h>
59#include <X11/extensions/XInput.h> 60#include <X11/extensions/XInput.h>
60#include <X11/extensions/extutil.h> 61#include <X11/extensions/extutil.h>
61#include "XIint.h" 62#include "XIint.h"
62 63
63XDevice 64XDevice
64*XOpenDevice(dpy, id) 65*XOpenDevice(dpy, id)
65 register Display *dpy; 66 register Display *dpy;
66 register XID id; 67 register XID id;
67 {  68 {
68 register long rlen; /* raw length */ 69 register long rlen; /* raw length */
@@ -77,29 +78,35 @@ XDevice @@ -77,29 +78,35 @@ XDevice
77 78
78 GetReq(OpenDevice,req);  79 GetReq(OpenDevice,req);
79 req->reqType = info->codes->major_opcode; 80 req->reqType = info->codes->major_opcode;
80 req->ReqType = X_OpenDevice; 81 req->ReqType = X_OpenDevice;
81 req->deviceid = id; 82 req->deviceid = id;
82 83
83 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))  84 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))
84 { 85 {
85 UnlockDisplay(dpy); 86 UnlockDisplay(dpy);
86 SyncHandle(); 87 SyncHandle();
87 return (XDevice *) NULL; 88 return (XDevice *) NULL;
88 } 89 }
89 90
90 rlen = rep.length << 2; 91 if (rep.length < INT_MAX >> 2 &&
91 dev = (XDevice *) Xmalloc (sizeof(XDevice) + rep.num_classes *  92 (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) {
92 sizeof (XInputClassInfo)); 93 rlen = rep.length << 2;
 94 dev = (XDevice *) Xmalloc (sizeof(XDevice) + rep.num_classes *
 95 sizeof (XInputClassInfo));
 96 } else {
 97 rlen = 0;
 98 dev = NULL;
 99 }
93 if (dev) 100 if (dev)
94 { 101 {
95 int dlen; /* data length */ 102 int dlen; /* data length */
96 103
97 dev->device_id = req->deviceid; 104 dev->device_id = req->deviceid;
98 dev->num_classes = rep.num_classes; 105 dev->num_classes = rep.num_classes;
99 dev->classes = (XInputClassInfo *) ((char *) dev + sizeof (XDevice)); 106 dev->classes = (XInputClassInfo *) ((char *) dev + sizeof (XDevice));
100 dlen = rep.num_classes * sizeof(xInputClassInfo); 107 dlen = rep.num_classes * sizeof(xInputClassInfo);
101 _XRead (dpy, (char *)dev->classes, dlen); 108 _XRead (dpy, (char *)dev->classes, dlen);
102 /* could be padding that we still need to eat (yummy!) */ 109 /* could be padding that we still need to eat (yummy!) */
103 if(rlen - dlen > 0) 110 if(rlen - dlen > 0)
104 _XEatData (dpy, (unsigned long) rlen - dlen); 111 _XEatData (dpy, (unsigned long) rlen - dlen);
105 } 112 }
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xi/Attic/XQueryDv.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XQueryDv.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XQueryDv.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -49,84 +49,93 @@ SOFTWARE. @@ -49,84 +49,93 @@ SOFTWARE.
49 49
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XQueryDeviceState - Query the state of an extension input device. 52 * XQueryDeviceState - Query the state of an extension input device.
53 * 53 *
54 */ 54 */
55 55
56#include <X11/extensions/XI.h> 56#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 57#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 58#include <X11/Xlibint.h>
59#include <X11/extensions/XInput.h> 59#include <X11/extensions/XInput.h>
60#include <X11/extensions/extutil.h> 60#include <X11/extensions/extutil.h>
61#include "XIint.h" 61#include "XIint.h"
 62#include <limits.h>
62 63
63XDeviceState 64XDeviceState
64*XQueryDeviceState (dpy, dev) 65*XQueryDeviceState (dpy, dev)
65 register Display *dpy; 66 register Display *dpy;
66 XDevice *dev; 67 XDevice *dev;
67 {  68 {
68 int i,j; 69 int i,j;
69 int rlen; 70 int rlen = 0;
70 int size = 0; 71 int size = 0;
71 xQueryDeviceStateReq *req; 72 xQueryDeviceStateReq *req;
72 xQueryDeviceStateReply rep; 73 xQueryDeviceStateReply rep;
73 XDeviceState *state = NULL; 74 XDeviceState *state = NULL;
74 XInputClass *any, *Any; 75 XInputClass *any, *Any;
75 char *data; 76 char *data = NULL, *end = NULL;
76 XExtDisplayInfo *info = XInput_find_display (dpy); 77 XExtDisplayInfo *info = XInput_find_display (dpy);
77 78
78 LockDisplay (dpy); 79 LockDisplay (dpy);
79 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) 80 if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1)
80 return ((XDeviceState *) NoSuchExtension); 81 return ((XDeviceState *) NoSuchExtension);
81 82
82 GetReq(QueryDeviceState,req);  83 GetReq(QueryDeviceState,req);
83 req->reqType = info->codes->major_opcode; 84 req->reqType = info->codes->major_opcode;
84 req->ReqType = X_QueryDeviceState; 85 req->ReqType = X_QueryDeviceState;
85 req->deviceid = dev->device_id; 86 req->deviceid = dev->device_id;
86 87
87 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))  88 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))
88 { 89 {
89 UnlockDisplay(dpy); 90 UnlockDisplay(dpy);
90 SyncHandle(); 91 SyncHandle();
91 return (XDeviceState *) NULL; 92 return (XDeviceState *) NULL;
92 } 93 }
93 94
94 rlen = rep.length << 2; 95 if (rep.length > 0) {
95 if (rlen > 0) 96 if (rep.length < (INT_MAX >> 2)) {
96 { 97 rlen = (unsigned long) rep.length << 2;
97 data = Xmalloc (rlen); 98 data = Xmalloc(rlen);
 99 end = data + rlen;
 100 }
98 if (!data) 101 if (!data)
99 { 102 {
100 _XEatData (dpy, (unsigned long) rlen); 103 _XEatData (dpy, (unsigned long) rlen);
101 UnlockDisplay(dpy); 104 UnlockDisplay(dpy);
102 SyncHandle(); 105 SyncHandle();
103 return ((XDeviceState *) NULL); 106 return ((XDeviceState *) NULL);
104 } 107 }
 108 end = data + rlen;
105 _XRead (dpy, data, rlen); 109 _XRead (dpy, data, rlen);
106 110
107 for (i=0, any=(XInputClass *) data; i<(int)rep.num_classes; i++) 111 for (i=0, any=(XInputClass *) data; i<(int)rep.num_classes; i++)
108 { 112 {
 113 if ((char *)any + sizeof(XInputClass) > end ||
 114 any->length == 0 || any->length > rlen)
 115 goto out;
109 switch (any->class) 116 switch (any->class)
110 { 117 {
111 case KeyClass: 118 case KeyClass:
112 size += sizeof (XKeyState); 119 size += sizeof (XKeyState);
113 break; 120 break;
114 case ButtonClass: 121 case ButtonClass:
115 size += sizeof (XButtonState); 122 size += sizeof (XButtonState);
116 break; 123 break;
117 case ValuatorClass: 124 case ValuatorClass:
118 { 125 {
119 xValuatorState *v = (xValuatorState *) any; 126 xValuatorState *v = (xValuatorState *) any;
 127 if ((char *)any + sizeof(xValuatorState) > end)
 128 goto out;
120 size += (sizeof (XValuatorState) +  129 size += (sizeof (XValuatorState) +
121 (v->num_valuators * sizeof(int))); 130 (v->num_valuators * sizeof(int)));
122 } 131 }
123 break; 132 break;
124 } 133 }
125 any = (XInputClass *) ((char *) any + any->length); 134 any = (XInputClass *) ((char *) any + any->length);
126 } 135 }
127 state = (XDeviceState *) Xmalloc (size + sizeof(XDeviceState)); 136 state = (XDeviceState *) Xmalloc (size + sizeof(XDeviceState));
128 if (!state) 137 if (!state)
129 { 138 {
130 UnlockDisplay(dpy); 139 UnlockDisplay(dpy);
131 SyncHandle(); 140 SyncHandle();
132 return ((XDeviceState *) NULL); 141 return ((XDeviceState *) NULL);
@@ -176,23 +185,24 @@ XDeviceState @@ -176,23 +185,24 @@ XDeviceState
176 V->valuators = (int *) Any; 185 V->valuators = (int *) Any;
177 for (j=0; j<(int)V->num_valuators; j++) 186 for (j=0; j<(int)V->num_valuators; j++)
178 *(V->valuators + j) = *valuators++; 187 *(V->valuators + j) = *valuators++;
179 Any = (XInputClass *)((char *) Any +  188 Any = (XInputClass *)((char *) Any +
180 V->num_valuators * sizeof (int)); 189 V->num_valuators * sizeof (int));
181 } 190 }
182 break; 191 break;
183 } 192 }
184 any = (XInputClass *) ((char *) any + any->length); 193 any = (XInputClass *) ((char *) any + any->length);
185 } 194 }
186 Xfree(data); 195 Xfree(data);
187 } 196 }
188 197
 198out:
189 UnlockDisplay(dpy); 199 UnlockDisplay(dpy);
190 SyncHandle(); 200 SyncHandle();
191 return (state); 201 return (state);
192 } 202 }
193 203
194void XFreeDeviceState (list) 204void XFreeDeviceState (list)
195 XDeviceState *list; 205 XDeviceState *list;
196 { 206 {
197 XFree ((char *)list); 207 XFree ((char *)list);
198 } 208 }
cvs diff -r1.1.1.6 -r1.1.1.6.26.1 xsrc/xfree/xc/lib/Xi/Attic/XGetKMap.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xi/Attic/XGetKMap.c 2004/03/05 14:24:25 1.1.1.6
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetKMap.c 2016/10/05 10:48:27 1.1.1.6.26.1
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO
43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
45SOFTWARE. 45SOFTWARE.
46 46
47********************************************************/ 47********************************************************/
48/* $XFree86: xc/lib/Xi/XGetKMap.c,v 3.5 2003/11/17 22:20:21 dawes Exp $ */ 48/* $XFree86: xc/lib/Xi/XGetKMap.c,v 3.5 2003/11/17 22:20:21 dawes Exp $ */
49 49
50/*********************************************************************** 50/***********************************************************************
51 * 51 *
52 * XGetDeviceKeyMapping - get the keymap of an extension device. 52 * XGetDeviceKeyMapping - get the keymap of an extension device.
53 * 53 *
54 */ 54 */
55 55
 56#include <limits.h>
56#include <X11/extensions/XI.h> 57#include <X11/extensions/XI.h>
57#include <X11/extensions/XIproto.h> 58#include <X11/extensions/XIproto.h>
58#include <X11/Xlibint.h> 59#include <X11/Xlibint.h>
59#include <X11/extensions/XInput.h> 60#include <X11/extensions/XInput.h>
60#include <X11/extensions/extutil.h> 61#include <X11/extensions/extutil.h>
61#include "XIint.h" 62#include "XIint.h"
62 63
63KeySym * 64KeySym *
64XGetDeviceKeyMapping ( 65XGetDeviceKeyMapping (
65 register Display *dpy, 66 register Display *dpy,
66 XDevice *dev, 67 XDevice *dev,
67#if NeedWidePrototypes 68#if NeedWidePrototypes
68 unsigned int first, 69 unsigned int first,
@@ -86,26 +87,33 @@ XGetDeviceKeyMapping ( @@ -86,26 +87,33 @@ XGetDeviceKeyMapping (
86 req->reqType = info->codes->major_opcode; 87 req->reqType = info->codes->major_opcode;
87 req->ReqType = X_GetDeviceKeyMapping; 88 req->ReqType = X_GetDeviceKeyMapping;
88 req->deviceid = dev->device_id; 89 req->deviceid = dev->device_id;
89 req->firstKeyCode = first; 90 req->firstKeyCode = first;
90 req->count = keycount; 91 req->count = keycount;
91 92
92 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))  93 if (! _XReply (dpy, (xReply *) &rep, 0, xFalse))
93 { 94 {
94 UnlockDisplay(dpy); 95 UnlockDisplay(dpy);
95 SyncHandle(); 96 SyncHandle();
96 return (KeySym *) NULL; 97 return (KeySym *) NULL;
97 } 98 }
98 if (rep.length > 0) { 99 if (rep.length > 0) {
99 *syms_per_code = rep.keySymsPerKeyCode; 100 if (rep.length < INT_MAX >> 2 &&
100 nbytes = (long)rep.length << 2; 101 rep.length == rep.keySymsPerKeyCode * keycount) {
101 mapping = (KeySym *) Xmalloc((unsigned) nbytes); 102 *syms_per_code = rep.keySymsPerKeyCode;
 103 nbytes = (long)rep.length << 2;
 104 mapping = (KeySym *) Xmalloc((unsigned) nbytes);
 105 } else {
 106 *syms_per_code = 0;
 107 nbytes = 0;
 108 mapping = NULL;
 109 }
102 if (mapping) 110 if (mapping)
103 _XRead (dpy, (char *)mapping, nbytes); 111 _XRead (dpy, (char *)mapping, nbytes);
104 else 112 else
105 _XEatData (dpy, (unsigned long) nbytes); 113 _XEatData (dpy, (unsigned long) nbytes);
106 } 114 }
107 115
108 UnlockDisplay(dpy); 116 UnlockDisplay(dpy);
109 SyncHandle(); 117 SyncHandle();
110 return (mapping); 118 return (mapping);
111 } 119 }
cvs diff -r1.1.1.1 -r1.1.1.1.28.1 xsrc/xfree/xc/lib/Xrender/Attic/Filter.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xrender/Attic/Filter.c 2003/02/28 13:18:52 1.1.1.1
+++ xsrc/xfree/xc/lib/Xrender/Attic/Filter.c 2016/10/05 10:48:27 1.1.1.1.28.1
@@ -25,27 +25,27 @@ @@ -25,27 +25,27 @@
25#include "Xrenderint.h" 25#include "Xrenderint.h"
26  26
27XFilters * 27XFilters *
28XRenderQueryFilters (Display *dpy, Drawable drawable) 28XRenderQueryFilters (Display *dpy, Drawable drawable)
29{ 29{
30 XExtDisplayInfo *info = XRenderFindDisplay (dpy); 30 XExtDisplayInfo *info = XRenderFindDisplay (dpy);
31 XRenderInfo *xri; 31 XRenderInfo *xri;
32 xRenderQueryFiltersReq *req; 32 xRenderQueryFiltersReq *req;
33 xRenderQueryFiltersReply rep; 33 xRenderQueryFiltersReply rep;
34 XFilters *filters; 34 XFilters *filters;
35 char *name; 35 char *name;
36 char len; 36 char len;
37 int i; 37 int i;
38 long nbytes, nbytesAlias, nbytesName; 38 long nbytes, nbytesAlias, nbytesName, reply_left;
39  39
40 if (!XextHasExtension (info)) 40 if (!XextHasExtension (info))
41 return 0; 41 return 0;
42 42
43 if (!XRenderQueryFormats (dpy)) 43 if (!XRenderQueryFormats (dpy))
44 return 0; 44 return 0;
45 45
46 xri = (XRenderInfo *) info->data; 46 xri = (XRenderInfo *) info->data;
47 if (xri->minor_version < 6) 47 if (xri->minor_version < 6)
48 return 0; 48 return 0;
49  49
50 LockDisplay (dpy); 50 LockDisplay (dpy);
51 GetReq (RenderQueryFilters, req); 51 GetReq (RenderQueryFilters, req);
@@ -91,37 +91,47 @@ XRenderQueryFilters (Display *dpy, Drawa @@ -91,37 +91,47 @@ XRenderQueryFilters (Display *dpy, Drawa
91 * nbytesName char strings 91 * nbytesName char strings
92 */ 92 */
93  93
94 filters->nfilter = rep.numFilters; 94 filters->nfilter = rep.numFilters;
95 filters->nalias = rep.numAliases; 95 filters->nalias = rep.numAliases;
96 filters->filter = (char **) (filters + 1); 96 filters->filter = (char **) (filters + 1);
97 filters->alias = (short *) (filters->filter + rep.numFilters); 97 filters->alias = (short *) (filters->filter + rep.numFilters);
98 name = (char *) (filters->alias + rep.numAliases); 98 name = (char *) (filters->alias + rep.numAliases);
99 99
100 /* 100 /*
101 * Read the filter aliases 101 * Read the filter aliases
102 */ 102 */
103 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); 103 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
 104 reply_left = 8 + rep.length - 2 * rep.numAliases;;
104 105
105 /* 106 /*
106 * Read the filter names 107 * Read the filter names
107 */ 108 */
108 for (i = 0; i < rep.numFilters; i++) 109 for (i = 0; i < rep.numFilters; i++)
109 { 110 {
110 int l; 111 int l;
111 _XRead (dpy, &len, 1); 112 _XRead (dpy, &len, 1);
 113 reply_left--;
112 l = len & 0xff; 114 l = len & 0xff;
 115 if ((unsigned long)l + 1 > nbytesName) {
 116 Xfree(filters);
 117 UnlockDisplay (dpy);
 118 SyncHandle ();
 119 return NULL;
 120 }
 121 nbytesName -= l + 1;
113 filters->filter[i] = name; 122 filters->filter[i] = name;
114 _XRead (dpy, name, l); 123 _XRead (dpy, name, l);
 124 reply_left -= l;
115 name[l] = '\0'; 125 name[l] = '\0';
116 name += l + 1; 126 name += l + 1;
117 } 127 }
118 i = name - (char *) (filters->alias + rep.numAliases); 128 i = name - (char *) (filters->alias + rep.numAliases);
119 129
120 if (i & 3) 130 if (i & 3)
121 _XEatData (dpy, 4 - (i & 3)); 131 _XEatData (dpy, 4 - (i & 3));
122  132
123 UnlockDisplay (dpy); 133 UnlockDisplay (dpy);
124 return filters; 134 return filters;
125} 135}
126 136
127void 137void
cvs diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/Xrender/Attic/Xrender.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xrender/Attic/Xrender.c 2003/02/28 13:18:52 1.1.1.5
+++ xsrc/xfree/xc/lib/Xrender/Attic/Xrender.c 2016/10/05 10:48:27 1.1.1.5.28.1
@@ -279,32 +279,48 @@ XRenderQueryFormats (Display *dpy) @@ -279,32 +279,48 @@ XRenderQueryFormats (Display *dpy)
279 xFormat++; 279 xFormat++;
280 } 280 }
281 xScreen = (xPictScreen *) xFormat; 281 xScreen = (xPictScreen *) xFormat;
282 screen = xri->screen; 282 screen = xri->screen;
283 depth = xri->depth; 283 depth = xri->depth;
284 visual = xri->visual; 284 visual = xri->visual;
285 for (ns = 0; ns < xri->nscreen; ns++) 285 for (ns = 0; ns < xri->nscreen; ns++)
286 { 286 {
287 screen->depths = depth; 287 screen->depths = depth;
288 screen->ndepths = xScreen->nDepth; 288 screen->ndepths = xScreen->nDepth;
289 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); 289 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
290 screen->subpixel = SubPixelUnknown; 290 screen->subpixel = SubPixelUnknown;
291 xDepth = (xPictDepth *) (xScreen + 1); 291 xDepth = (xPictDepth *) (xScreen + 1);
 292 if (screen->ndepths > rep.numDepths) {
 293 Xfree (xri);
 294 Xfree (xData);
 295 UnlockDisplay (dpy);
 296 SyncHandle ();
 297 return 0;
 298 }
 299 rep.numDepths -= screen->ndepths;
292 for (nd = 0; nd < screen->ndepths; nd++) 300 for (nd = 0; nd < screen->ndepths; nd++)
293 { 301 {
294 depth->depth = xDepth->depth; 302 depth->depth = xDepth->depth;
295 depth->nvisuals = xDepth->nPictVisuals; 303 depth->nvisuals = xDepth->nPictVisuals;
296 depth->visuals = visual; 304 depth->visuals = visual;
297 xVisual = (xPictVisual *) (xDepth + 1); 305 xVisual = (xPictVisual *) (xDepth + 1);
 306 if (depth->nvisuals > rep.numVisuals) {
 307 Xfree (xri);
 308 Xfree (xData);
 309 UnlockDisplay (dpy);
 310 SyncHandle ();
 311 return 0;
 312 }
 313 rep.numVisuals -= depth->nvisuals;
298 for (nv = 0; nv < depth->nvisuals; nv++) 314 for (nv = 0; nv < depth->nvisuals; nv++)
299 { 315 {
300 visual->visual = _XRenderFindVisual (dpy, xVisual->visual); 316 visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
301 visual->format = _XRenderFindFormat (xri, xVisual->format); 317 visual->format = _XRenderFindFormat (xri, xVisual->format);
302 visual++; 318 visual++;
303 xVisual++; 319 xVisual++;
304 } 320 }
305 depth++; 321 depth++;
306 xDepth = (xPictDepth *) xVisual; 322 xDepth = (xPictDepth *) xVisual;
307 } 323 }
308 screen++; 324 screen++;
309 xScreen = (xPictScreen *) xDepth;  325 xScreen = (xPictScreen *) xDepth;
310 } 326 }
cvs diff -r1.1.1.6 -r1.1.1.6.14.1 xsrc/xfree/xc/lib/Xtst/Attic/XRecord.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xtst/Attic/XRecord.c 2005/03/18 13:04:54 1.1.1.6
+++ xsrc/xfree/xc/lib/Xtst/Attic/XRecord.c 2016/10/05 10:48:27 1.1.1.6.14.1
@@ -41,26 +41,27 @@ from The Open Group. @@ -41,26 +41,27 @@ from The Open Group.
41 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 41 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
42 * AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE 42 * AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE
43 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 43 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
44 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 44 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
45 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 45 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
46 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 46 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
47 **************************************************************************/ 47 **************************************************************************/
48/* 48/*
49 * By Stephen Gildea, X Consortium, and Martha Zimet, NCD. 49 * By Stephen Gildea, X Consortium, and Martha Zimet, NCD.
50 */ 50 */
51/* $XFree86: xc/lib/Xtst/XRecord.c,v 1.8 2005/01/27 02:28:59 dawes Exp $ */ 51/* $XFree86: xc/lib/Xtst/XRecord.c,v 1.8 2005/01/27 02:28:59 dawes Exp $ */
52 52
53#include <stdio.h> 53#include <stdio.h>
 54#include <limits.h>
54#include <assert.h> 55#include <assert.h>
55#define NEED_EVENTS 56#define NEED_EVENTS
56#define NEED_REPLIES 57#define NEED_REPLIES
57#include <X11/Xlibint.h> 58#include <X11/Xlibint.h>
58#include <X11/extensions/Xext.h> 59#include <X11/extensions/Xext.h>
59#include <X11/Xtrans.h> 60#include <X11/Xtrans.h>
60#include <X11/extensions/extutil.h> 61#include <X11/extensions/extutil.h>
61#include <X11/extensions/recordstr.h> 62#include <X11/extensions/recordstr.h>
62 63
63static XExtensionInfo _xrecord_info_data; 64static XExtensionInfo _xrecord_info_data;
64static XExtensionInfo *xrecord_info = &_xrecord_info_data; 65static XExtensionInfo *xrecord_info = &_xrecord_info_data;
65static /* const */ char *xrecord_extension_name = RECORD_NAME; 66static /* const */ char *xrecord_extension_name = RECORD_NAME;
66 67
@@ -718,89 +719,118 @@ parse_reply_call_callback(Display *dpy,  @@ -718,89 +719,118 @@ parse_reply_call_callback(Display *dpy,
718 return Error; 719 return Error;
719  720
720 data->id_base = rep->idBase; 721 data->id_base = rep->idBase;
721 data->category = rep->category; 722 data->category = rep->category;
722 data->client_swapped = rep->clientSwapped; 723 data->client_swapped = rep->clientSwapped;
723 data->server_time = rep->serverTime; 724 data->server_time = rep->serverTime;
724 data->client_seq = rep->recordedSequenceNumber; 725 data->client_seq = rep->recordedSequenceNumber;
725 /* 726 /*
726 * compute the size of this protocol element. 727 * compute the size of this protocol element.
727 */ 728 */
728 switch (rep->category) { 729 switch (rep->category) {
729 case XRecordFromServer: 730 case XRecordFromServer:
730 if (rep->elementHeader&XRecordFromServerTime) { 731 if (rep->elementHeader&XRecordFromServerTime) {
 732 if (current_index + 4 > rep->length << 2)
 733 return Error;
731 EXTRACT_CARD32(rep->clientSwapped, 734 EXTRACT_CARD32(rep->clientSwapped,
732 reply->buf+current_index, 735 reply->buf+current_index,
733 data->server_time); 736 data->server_time);
734 current_index += 4; 737 current_index += 4;
735 } 738 }
 739 if (current_index + 1 > rep->length << 2)
 740 return Error;
736 switch (reply->buf[current_index]) { 741 switch (reply->buf[current_index]) {
737 case X_Reply: /* reply */ 742 case X_Reply: /* reply */
 743 if (current_index + 8 > rep->length << 2)
 744 return Error;
738 EXTRACT_CARD32(rep->clientSwapped, 745 EXTRACT_CARD32(rep->clientSwapped,
739 reply->buf+current_index+4, datum_bytes); 746 reply->buf+current_index+4, datum_bytes);
 747 if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8))
 748 return Error;
740 datum_bytes = (datum_bytes+8) << 2; 749 datum_bytes = (datum_bytes+8) << 2;
741 break; 750 break;
742 default: /* error or event */ 751 default: /* error or event */
743 datum_bytes = 32; 752 datum_bytes = 32;
744 } 753 }
745 break; 754 break;
746 case XRecordFromClient: 755 case XRecordFromClient:
747 if (rep->elementHeader&XRecordFromClientTime) { 756 if (rep->elementHeader&XRecordFromClientTime) {
 757 if (current_index + 4 > rep->length << 2)
 758 return Error;
748 EXTRACT_CARD32(rep->clientSwapped, 759 EXTRACT_CARD32(rep->clientSwapped,
749 reply->buf+current_index, 760 reply->buf+current_index,
750 data->server_time); 761 data->server_time);
751 current_index += 4; 762 current_index += 4;
752 } 763 }
753 if (rep->elementHeader&XRecordFromClientSequence) { 764 if (rep->elementHeader&XRecordFromClientSequence) {
 765 if (current_index + 4 > rep->length << 2)
 766 return Error;
754 EXTRACT_CARD32(rep->clientSwapped, 767 EXTRACT_CARD32(rep->clientSwapped,
755 reply->buf+current_index, 768 reply->buf+current_index,
756 data->client_seq); 769 data->client_seq);
757 current_index += 4; 770 current_index += 4;
758 } 771 }
 772 if (current_index + 4 > rep->length<<2)
 773 return Error;
759 if (reply->buf[current_index+2] == 0 774 if (reply->buf[current_index+2] == 0
760 && reply->buf[current_index+3] == 0) /* needn't swap 0 */ 775 && reply->buf[current_index+3] == 0) /* needn't swap 0 */
761 { /* BIG-REQUESTS */ 776 { /* BIG-REQUESTS */
 777 if (current_index + 8 > rep->length << 2)
 778 return Error;
762 EXTRACT_CARD32(rep->clientSwapped, 779 EXTRACT_CARD32(rep->clientSwapped,
763 reply->buf+current_index+4, datum_bytes); 780 reply->buf+current_index+4, datum_bytes);
764 } else { 781 } else {
765 EXTRACT_CARD16(rep->clientSwapped, 782 EXTRACT_CARD16(rep->clientSwapped,
766 reply->buf+current_index+2, datum_bytes); 783 reply->buf+current_index+2, datum_bytes);
767 } 784 }
 785 if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2)
 786 return Error;
768 datum_bytes <<= 2; 787 datum_bytes <<= 2;
769 break; 788 break;
770 case XRecordClientStarted: 789 case XRecordClientStarted:
 790 if (current_index + 8 > rep->length << 2)
 791 return Error;
771 EXTRACT_CARD16(rep->clientSwapped, 792 EXTRACT_CARD16(rep->clientSwapped,
772 reply->buf+current_index+6, datum_bytes); 793 reply->buf+current_index+6, datum_bytes);
773 datum_bytes = (datum_bytes+2) << 2; 794 datum_bytes = (datum_bytes+2) << 2;
774 break; 795 break;
775 case XRecordClientDied: 796 case XRecordClientDied:
776 if (rep->elementHeader&XRecordFromClientSequence) { 797 if (rep->elementHeader&XRecordFromClientSequence) {
 798 if (current_index + 4 > rep->length << 2)
 799 return Error;
777 EXTRACT_CARD32(rep->clientSwapped, 800 EXTRACT_CARD32(rep->clientSwapped,
778 reply->buf+current_index, 801 reply->buf+current_index,
779 data->client_seq); 802 data->client_seq);
780 current_index += 4; 803 current_index += 4;
781 } 804 } else if (current_index < rep->length << 2)
782 /* fall through */ 805 return Error;
 806 datum_bytes = 0;
 807 break;
783 case XRecordStartOfData: 808 case XRecordStartOfData:
784 case XRecordEndOfData: 809 case XRecordEndOfData:
 810 if (current_index < rep->length << 2)
 811 return Error;
785 datum_bytes = 0; 812 datum_bytes = 0;
 813 break;
786 } 814 }
787  815
788 if (datum_bytes > 0) { 816 if (datum_bytes > 0) {
789 if (current_index + datum_bytes > rep->length << 2) 817 if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) {
790 fprintf(stderr, 818 fprintf(stderr,
791 "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", 819 "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n",
792 (long)rep->length << 2, current_index + datum_bytes, 820 (unsigned long)rep->length << 2, current_index + datum_bytes,
793 dpy->last_request_read); 821 dpy->last_request_read);
 822 return Error;
 823 }
794 /* 824 /*
795 * This assignment (and indeed the whole buffer sharing 825 * This assignment (and indeed the whole buffer sharing
796 * scheme) assumes arbitrary 4-byte boundaries are 826 * scheme) assumes arbitrary 4-byte boundaries are
797 * addressable.  827 * addressable.
798 */ 828 */
799 data->data = reply->buf+current_index; 829 data->data = reply->buf+current_index;
800 reply->ref_count++; 830 reply->ref_count++;
801 } else { 831 } else {
802 data->data = NULL; 832 data->data = NULL;
803 } 833 }
804 data->data_len = datum_bytes >> 2; 834 data->data_len = datum_bytes >> 2;
805  835
806 (*callback)(closure, data); 836 (*callback)(closure, data);
@@ -832,26 +862,32 @@ XRecordEnableContext(Display *dpy, XReco @@ -832,26 +862,32 @@ XRecordEnableContext(Display *dpy, XReco
832 req->recordReqType = X_RecordEnableContext; 862 req->recordReqType = X_RecordEnableContext;
833 req->context = context; 863 req->context = context;
834 864
835 while (1) 865 while (1)
836 { 866 {
837 /* This code should match that in XRecordEnableContextAsync */ 867 /* This code should match that in XRecordEnableContextAsync */
838 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) 868 if (!_XReply (dpy, (xReply *)&rep, 0, xFalse))
839 { 869 {
840 UnlockDisplay(dpy); 870 UnlockDisplay(dpy);
841 SyncHandle(); 871 SyncHandle();
842 return 0; 872 return 0;
843 } 873 }
844 874
 875 if (rep.length > INT_MAX >> 2) {
 876 UnlockDisplay(dpy);
 877 SyncHandle();
 878 return 0;
 879 }
 880
845 if (rep.length > 0) { 881 if (rep.length > 0) {
846 reply = alloc_reply_buffer(info, rep.length<<2); 882 reply = alloc_reply_buffer(info, rep.length<<2);
847 if (!reply) { 883 if (!reply) {
848 UnlockDisplay(dpy); 884 UnlockDisplay(dpy);
849 SyncHandle(); 885 SyncHandle();
850 return 0; 886 return 0;
851 } 887 }
852 _XRead (dpy, (char *)reply->buf, rep.length<<2); 888 _XRead (dpy, (char *)reply->buf, rep.length<<2);
853 } else { 889 } else {
854 reply = NULL; 890 reply = NULL;
855 } 891 }
856 892
857 status = parse_reply_call_callback(dpy, info, &rep, reply, 893 status = parse_reply_call_callback(dpy, info, &rep, reply,
cvs diff -r1.1.1.6 -r1.1.1.6.14.1 xsrc/xfree/xc/lib/Xv/Attic/Xv.c (expand / switch to unified diff)

--- xsrc/xfree/xc/lib/Xv/Attic/Xv.c 2005/03/18 13:04:54 1.1.1.6
+++ xsrc/xfree/xc/lib/Xv/Attic/Xv.c 2016/10/05 10:48:27 1.1.1.6.14.1
@@ -140,61 +140,66 @@ XvQueryExtension( @@ -140,61 +140,66 @@ XvQueryExtension(
140 140
141int 141int
142XvQueryAdaptors( 142XvQueryAdaptors(
143 Display *dpy, 143 Display *dpy,
144 Window window, 144 Window window,
145 unsigned int *p_nAdaptors, 145 unsigned int *p_nAdaptors,
146 XvAdaptorInfo **p_pAdaptors 146 XvAdaptorInfo **p_pAdaptors
147){ 147){
148 XExtDisplayInfo *info = xv_find_display(dpy); 148 XExtDisplayInfo *info = xv_find_display(dpy);
149 xvQueryAdaptorsReq *req; 149 xvQueryAdaptorsReq *req;
150 xvQueryAdaptorsReply rep; 150 xvQueryAdaptorsReply rep;
151 int size,ii,jj; 151 int size,ii,jj;
152 char *name; 152 char *name;
 153 char *end;
153 XvAdaptorInfo *pas, *pa; 154 XvAdaptorInfo *pas, *pa;
154 XvFormat *pfs, *pf; 155 XvFormat *pfs, *pf;
155 char *buffer; 156 char *buffer;
 157 int status;
156 union  158 union
157 { 159 {
158 char *buffer; 160 char *buffer;
159 char *string; 161 char *string;
160 xvAdaptorInfo *pa; 162 xvAdaptorInfo *pa;
161 xvFormat *pf; 163 xvFormat *pf;
162 } u; 164 } u;
163  165
164 XvCheckExtension(dpy, info, XvBadExtension); 166 XvCheckExtension(dpy, info, XvBadExtension);
165 167
166 LockDisplay(dpy); 168 LockDisplay(dpy);
167 169
168 XvGetReq(QueryAdaptors, req); 170 XvGetReq(QueryAdaptors, req);
169 req->window = window; 171 req->window = window;
170 172
171 /* READ THE REPLY */ 173 /* READ THE REPLY */
172 174
173 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { 175 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) {
174 UnlockDisplay(dpy); 176 UnlockDisplay(dpy);
175 SyncHandle(); 177 SyncHandle();
176 return(XvBadReply); 178 return(XvBadReply);
177 } 179 }
178 180
179 size = rep.length << 2; 181 size = rep.length << 2;
180 if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { 182 if (size > 0) {
 183 if ((buffer = Xmalloc(size)) == NULL) {
181 UnlockDisplay(dpy); 184 UnlockDisplay(dpy);
182 SyncHandle(); 185 SyncHandle();
183 return(XvBadAlloc); 186 return(XvBadAlloc);
 187 }
 188 _XRead(dpy, buffer, (long) size);
184 } 189 }
185 _XRead (dpy, buffer, size); 
186 190
187 u.buffer = buffer; 191 u.buffer = buffer;
 192 end = buffer + size;
188 193
189 /* GET INPUT ADAPTORS */ 194 /* GET INPUT ADAPTORS */
190 195
191 if (rep.num_adaptors == 0) { 196 if (rep.num_adaptors == 0) {
192 pas = NULL; 197 pas = NULL;
193 } else { 198 } else {
194 size = rep.num_adaptors*sizeof(XvAdaptorInfo); 199 size = rep.num_adaptors*sizeof(XvAdaptorInfo);
195 if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) { 200 if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) {
196 Xfree(buffer); 201 Xfree(buffer);
197 UnlockDisplay(dpy); 202 UnlockDisplay(dpy);
198 SyncHandle(); 203 SyncHandle();
199 return(XvBadAlloc); 204 return(XvBadAlloc);
200 } 205 }
@@ -202,37 +207,46 @@ XvQueryAdaptors( @@ -202,37 +207,46 @@ XvQueryAdaptors(
202 207
203 /* INIT ADAPTOR FIELDS */ 208 /* INIT ADAPTOR FIELDS */
204 209
205 pa = pas; 210 pa = pas;
206 for (ii=0; ii<rep.num_adaptors; ii++) { 211 for (ii=0; ii<rep.num_adaptors; ii++) {
207 pa->num_adaptors = 0; 212 pa->num_adaptors = 0;
208 pa->name = (char *)NULL; 213 pa->name = (char *)NULL;
209 pa->formats = (XvFormat *)NULL; 214 pa->formats = (XvFormat *)NULL;
210 pa++; 215 pa++;
211 } 216 }
212 217
213 pa = pas; 218 pa = pas;
214 for (ii=0; ii<rep.num_adaptors; ii++) { 219 for (ii=0; ii<rep.num_adaptors; ii++) {
 220 if (u.buffer + sz_xvAdaptorInfo > end) {
 221 status = XvBadReply;
 222 goto out;
 223 }
215 pa->type = u.pa->type; 224 pa->type = u.pa->type;
216 pa->base_id = u.pa->base_id; 225 pa->base_id = u.pa->base_id;
217 pa->num_ports = u.pa->num_ports; 226 pa->num_ports = u.pa->num_ports;
218 pa->num_formats = u.pa->num_formats; 227 pa->num_formats = u.pa->num_formats;
219 pa->num_adaptors = rep.num_adaptors - ii; 228 pa->num_adaptors = rep.num_adaptors - ii;
220 229
221 /* GET ADAPTOR NAME */ 230 /* GET ADAPTOR NAME */
222 231
223 size = u.pa->name_size; 232 size = u.pa->name_size;
224 u.buffer += (sz_xvAdaptorInfo + 3) & ~3; 233 u.buffer += (sz_xvAdaptorInfo + 3) & ~3;
225 234
 235 if (u.buffer + size > end) {
 236 status = XvBadReply;
 237 goto out;
 238 }
 239
226 if ( (name = (char *)Xmalloc(size+1)) == NULL) 240 if ( (name = (char *)Xmalloc(size+1)) == NULL)
227 { 241 {
228 XvFreeAdaptorInfo(pas); 242 XvFreeAdaptorInfo(pas);
229 Xfree(buffer); 243 Xfree(buffer);
230 UnlockDisplay(dpy); 244 UnlockDisplay(dpy);
231 SyncHandle(); 245 SyncHandle();
232 return(XvBadAlloc); 246 return(XvBadAlloc);
233 } 247 }
234 (void)strncpy(name, u.string, size); 248 (void)strncpy(name, u.string, size);
235 name[size] = '\0'; 249 name[size] = '\0';
236 pa->name = name; 250 pa->name = name;
237 251
238 u.buffer += (size + 3) & ~3; 252 u.buffer += (size + 3) & ~3;
@@ -240,47 +254,55 @@ XvQueryAdaptors( @@ -240,47 +254,55 @@ XvQueryAdaptors(
240 /* GET FORMATS */ 254 /* GET FORMATS */
241 255
242 size = pa->num_formats*sizeof(XvFormat); 256 size = pa->num_formats*sizeof(XvFormat);
243 if ((pfs=(XvFormat *)Xmalloc(size))==NULL) { 257 if ((pfs=(XvFormat *)Xmalloc(size))==NULL) {
244 XvFreeAdaptorInfo(pas); 258 XvFreeAdaptorInfo(pas);
245 Xfree(buffer); 259 Xfree(buffer);
246 UnlockDisplay(dpy); 260 UnlockDisplay(dpy);
247 SyncHandle(); 261 SyncHandle();
248 return(XvBadAlloc); 262 return(XvBadAlloc);
249 } 263 }
250 264
251 pf = pfs; 265 pf = pfs;
252 for (jj=0; jj<pa->num_formats; jj++) { 266 for (jj=0; jj<pa->num_formats; jj++) {
 267 if (u.buffer + sz_xvFormat > end) {
 268 Xfree(pfs);
 269 status = XvBadReply;
 270 goto out;
 271 }
253 pf->depth = u.pf->depth; 272 pf->depth = u.pf->depth;
254 pf->visual_id = u.pf->visual; 273 pf->visual_id = u.pf->visual;
255 pf++; 274 pf++;
256  275
257 u.buffer += (sz_xvFormat + 3) & ~3; 276 u.buffer += (sz_xvFormat + 3) & ~3;
258 } 277 }
259 278
260 pa->formats = pfs; 279 pa->formats = pfs;
261 280
262 pa++; 281 pa++;
263 282
264 } 283 }
265 284
266 *p_nAdaptors = rep.num_adaptors; 285 *p_nAdaptors = rep.num_adaptors;
267 *p_pAdaptors = pas; 286 *p_pAdaptors = pas;
268 287
 288 status = Success;
 289
 290out:
269 Xfree(buffer); 291 Xfree(buffer);
270 UnlockDisplay(dpy); 292 UnlockDisplay(dpy);
271 SyncHandle(); 293 SyncHandle();
272 294
273 return (Success); 295 return (status);
274} 296}
275 297
276 298
277void 299void
278XvFreeAdaptorInfo(XvAdaptorInfo *pAdaptors) 300XvFreeAdaptorInfo(XvAdaptorInfo *pAdaptors)
279{ 301{
280 302
281 XvAdaptorInfo *pa; 303 XvAdaptorInfo *pa;
282 int ii; 304 int ii;
283 305
284 if (!pAdaptors) return; 306 if (!pAdaptors) return;
285 307
286 pa = pAdaptors; 308 pa = pAdaptors;
@@ -302,113 +324,129 @@ XvFreeAdaptorInfo(XvAdaptorInfo *pAdapto @@ -302,113 +324,129 @@ XvFreeAdaptorInfo(XvAdaptorInfo *pAdapto
302 324
303int 325int
304XvQueryEncodings( 326XvQueryEncodings(
305 Display *dpy, 327 Display *dpy,
306 XvPortID port, 328 XvPortID port,
307 unsigned int *p_nEncodings, 329 unsigned int *p_nEncodings,
308 XvEncodingInfo **p_pEncodings 330 XvEncodingInfo **p_pEncodings
309){ 331){
310 XExtDisplayInfo *info = xv_find_display(dpy); 332 XExtDisplayInfo *info = xv_find_display(dpy);
311 xvQueryEncodingsReq *req; 333 xvQueryEncodingsReq *req;
312 xvQueryEncodingsReply rep; 334 xvQueryEncodingsReply rep;
313 int size, jj; 335 int size, jj;
314 char *name; 336 char *name;
 337 char *end;
 338 int status;
315 XvEncodingInfo *pes, *pe; 339 XvEncodingInfo *pes, *pe;
316 char *buffer; 340 char *buffer;
317 union  341 union
318 { 342 {
319 char *buffer; 343 char *buffer;
320 char *string; 344 char *string;
321 xvEncodingInfo *pe; 345 xvEncodingInfo *pe;
322 } u; 346 } u;
323  347
324 XvCheckExtension(dpy, info, XvBadExtension); 348 XvCheckExtension(dpy, info, XvBadExtension);
325 349
326 LockDisplay(dpy); 350 LockDisplay(dpy);
327 351
328 XvGetReq(QueryEncodings, req); 352 XvGetReq(QueryEncodings, req);
329 req->port = port; 353 req->port = port;
330 354
331 /* READ THE REPLY */ 355 /* READ THE REPLY */
332 356
333 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { 357 if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) {
334 UnlockDisplay(dpy); 358 UnlockDisplay(dpy);
335 SyncHandle(); 359 SyncHandle();
336 return(XvBadReply); 360 return(XvBadReply);
337 } 361 }
338 362
339 size = rep.length << 2; 363 size = rep.length << 2;
340 if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { 364 if (size > 0) {
 365 if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) {
341 UnlockDisplay(dpy); 366 UnlockDisplay(dpy);
342 SyncHandle(); 367 SyncHandle();
343 return(XvBadAlloc); 368 return(XvBadAlloc);
 369 }
 370 _XRead (dpy, buffer, size);
344 } 371 }
345 _XRead (dpy, buffer, size); 
346 372
347 u.buffer = buffer; 373 u.buffer = buffer;
 374 end = buffer + size;
348 375
349 /* GET ENCODINGS */ 376 /* GET ENCODINGS */
350 377
351 size = rep.num_encodings*sizeof(XvEncodingInfo); 378 size = rep.num_encodings*sizeof(XvEncodingInfo);
352 if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) { 379 if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) {
353 Xfree(buffer); 380 Xfree(buffer);
354 UnlockDisplay(dpy); 381 UnlockDisplay(dpy);
355 SyncHandle(); 382 SyncHandle();
356 return(XvBadAlloc); 383 return(XvBadAlloc);
357 } 384 }
358 385
359 /* INITIALIZE THE ENCODING POINTER */ 386 /* INITIALIZE THE ENCODING POINTER */
360 387
361 pe = pes; 388 pe = pes;
362 for (jj=0; jj<rep.num_encodings; jj++) { 389 for (jj=0; jj<rep.num_encodings; jj++) {
363 pe->name = (char *)NULL; 390 pe->name = (char *)NULL;
364 pe->num_encodings = 0; 391 pe->num_encodings = 0;
365 pe++; 392 pe++;
366 } 393 }
367 394
368 pe = pes; 395 pe = pes;
369 for (jj=0; jj<rep.num_encodings; jj++) { 396 for (jj=0; jj<rep.num_encodings; jj++) {
 397 if (u.buffer + sz_xvEncodingInfo > end) {
 398 status = XvBadReply;
 399 goto out;
 400 }
370 pe->encoding_id = u.pe->encoding; 401 pe->encoding_id = u.pe->encoding;
371 pe->width = u.pe->width; 402 pe->width = u.pe->width;
372 pe->height = u.pe->height; 403 pe->height = u.pe->height;
373 pe->rate.numerator = u.pe->rate.numerator; 404 pe->rate.numerator = u.pe->rate.numerator;
374 pe->rate.denominator = u.pe->rate.denominator; 405 pe->rate.denominator = u.pe->rate.denominator;
375 pe->num_encodings = rep.num_encodings - jj; 406 pe->num_encodings = rep.num_encodings - jj;
376 407
377 size = u.pe->name_size; 408 size = u.pe->name_size;
378 u.buffer += (sz_xvEncodingInfo + 3) & ~3; 409 u.buffer += (sz_xvEncodingInfo + 3) & ~3;
379 410
 411 if (u.buffer + size > end) {
 412 status = XvBadReply;
 413 goto out;
 414 }
380 if ( (name = (char *)Xmalloc(size+1)) == NULL) { 415 if ( (name = (char *)Xmalloc(size+1)) == NULL) {
381 Xfree(buffer); 416 Xfree(buffer);
382 UnlockDisplay(dpy); 417 UnlockDisplay(dpy);
383 SyncHandle(); 418 SyncHandle();
384 return(XvBadAlloc); 419 return(XvBadAlloc);
385 } 420 }
386 strncpy(name, u.string, size); 421 strncpy(name, u.string, size);
387 name[size] = '\0'; 422 name[size] = '\0';
388 pe->name = name; 423 pe->name = name;
389 pe++; 424 pe++;
390 425
391 u.buffer += (size + 3) & ~3; 426 u.buffer += (size + 3) & ~3;
392 } 427 }
393 428
394 *p_nEncodings = rep.num_encodings; 429 *p_nEncodings = rep.num_encodings;
395 *p_pEncodings = pes; 430 *p_pEncodings = pes;
396 431
 432 status = Success;
 433
 434out:
397 Xfree(buffer); 435 Xfree(buffer);
398 UnlockDisplay(dpy); 436 UnlockDisplay(dpy);
399 SyncHandle(); 437 SyncHandle();
400 438
401 return (Success); 439 return (status);
402} 440}
403 441
404void 442void
405XvFreeEncodingInfo(XvEncodingInfo *pEncodings) 443XvFreeEncodingInfo(XvEncodingInfo *pEncodings)
406{ 444{
407 445
408 XvEncodingInfo *pe; 446 XvEncodingInfo *pe;
409 int ii; 447 int ii;
410 448
411 if (!pEncodings) return; 449 if (!pEncodings) return;
412 450
413 pe = pEncodings; 451 pe = pEncodings;
414 452
cvs diff -r1.1.1.6.26.1 -r1.1.1.6.26.2 xsrc/xfree/xc/programs/Xserver/include/Attic/dix.h (expand / switch to unified diff)

--- xsrc/xfree/xc/programs/Xserver/include/Attic/dix.h 2014/12/12 07:15:06 1.1.1.6.26.1
+++ xsrc/xfree/xc/programs/Xserver/include/Attic/dix.h 2016/10/05 10:48:27 1.1.1.6.26.2
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO
43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 43WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS 44ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
45SOFTWARE. 45SOFTWARE.
46 46
47******************************************************************/ 47******************************************************************/
48/* $Xorg: dix.h,v 1.4 2001/02/09 02:05:15 xorgcvs Exp $ */ 48/* $Xorg: dix.h,v 1.4 2001/02/09 02:05:15 xorgcvs Exp $ */
49 49
50#ifndef DIX_H 50#ifndef DIX_H
51#define DIX_H 51#define DIX_H
52 52
53#include "gc.h" 53#include "gc.h"
54#include "window.h" 54#include "window.h"
55#include "input.h" 55#include "input.h"
 56#include <stdint.h>
56 57
57#define EARLIER -1 58#define EARLIER -1
58#define SAMETIME 0 59#define SAMETIME 0
59#define LATER 1 60#define LATER 1
60 61
61#define NullClient ((ClientPtr) 0) 62#define NullClient ((ClientPtr) 0)
62#define REQUEST(type) \ 63#define REQUEST(type) \
63 register type *stuff = (type *)client->requestBuffer 64 register type *stuff = (type *)client->requestBuffer
64 65
65 66
66#define REQUEST_SIZE_MATCH(req)\ 67#define REQUEST_SIZE_MATCH(req)\
67 if ((sizeof(req) >> 2) != client->req_len)\ 68 if ((sizeof(req) >> 2) != client->req_len)\
68 return(BadLength) 69 return(BadLength)