Apply patch, requested my mrg in ticket 1411: xsrc/xfree/xc/lib/X11/FontNames.c patch xsrc/xfree/xc/lib/X11/GetImage.c patch xsrc/xfree/xc/lib/X11/ListExt.c patch xsrc/xfree/xc/lib/X11/ModMap.c patch xsrc/xfree/xc/lib/X11/Xlibint.h patch xsrc/xfree/xc/lib/Xi/XGMotion.c patch xsrc/xfree/xc/lib/Xi/XGetBMap.c patch xsrc/xfree/xc/lib/Xi/XGetDCtl.c patch xsrc/xfree/xc/lib/Xi/XGetFCtl.c patch xsrc/xfree/xc/lib/Xi/XGetKMap.c patch xsrc/xfree/xc/lib/Xi/XGetMMap.c patch xsrc/xfree/xc/lib/Xi/XOpenDev.c patch xsrc/xfree/xc/lib/Xi/XQueryDv.c patch xsrc/xfree/xc/lib/Xrender/Filter.c patch xsrc/xfree/xc/lib/Xrender/Xrender.c patch xsrc/xfree/xc/lib/Xtst/XRecord.c patch xsrc/xfree/xc/lib/Xv/Xv.c patch xsrc/xfree/xc/programs/Xserver/include/dix.h patch Fix (backported from upstream) the following issues in X client libraries: libX11 - insufficient validation of data from the X server can cause out of boundary memory read (XGetImage()) or write (XListFonts()). Affected versions libX11 <= 1.6.3 libXfixes - insufficient validation of data from the X server can cause an integer overflow on 32 bit architectures. Affected versions : libXfixes <= 5.0.2 libXi - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected versions libXi <= 1.7.6 libXrandr - insufficient validation of data from the X server can cause out of boundary memory writes. Affected versions: libXrandr <= 1.5.0 libXrender - insufficient validation of data from the X server can cause out of boundary memory writes. Affected version: libXrender <= 0.9.9 XRecord - insufficient validation of data from the X server can cause out of boundary memory access or endless loops (Denial of Service). Affected version libXtst <= 1.2.2 libXv - insufficient validation of data from the X server can cause out of boundary memory and memory corruption. CVE-2016-5407 affected versions libXv <= 1.0.10 libXvMC - insufficient validation of data from the X server can cause a one byte buffer read underrun. Affected versions: libXvMC <= 1.0.9diff -r1.1.1.5 -r1.1.1.5.28.1 xsrc/xfree/xc/lib/X11/FontNames.c
(bouyer)
--- xsrc/xfree/xc/lib/X11/Attic/FontNames.c 2004/03/05 14:24:07 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/Attic/FontNames.c 2016/10/05 10:49:30 1.1.1.5.28.1
@@ -19,89 +19,110 @@ OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMA | @@ -19,89 +19,110 @@ OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMA | |||
19 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | 19 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | |
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
21 | 21 | |||
22 | Except as contained in this notice, the name of The Open Group shall not be | 22 | Except as contained in this notice, the name of The Open Group shall not be | |
23 | used in advertising or otherwise to promote the sale, use or other dealings | 23 | used in advertising or otherwise to promote the sale, use or other dealings | |
24 | in this Software without prior written authorization from The Open Group. | 24 | in this Software without prior written authorization from The Open Group. | |
25 | 25 | |||
26 | */ | 26 | */ | |
27 | 27 | |||
28 | /* $XFree86: xc/lib/X11/FontNames.c,v 1.7 2003/11/17 22:20:06 dawes Exp $ */ | 28 | /* $XFree86: xc/lib/X11/FontNames.c,v 1.7 2003/11/17 22:20:06 dawes Exp $ */ | |
29 | 29 | |||
30 | #define NEED_REPLIES | 30 | #define NEED_REPLIES | |
31 | #include "Xlibint.h" | 31 | #include "Xlibint.h" | |
32 | #include <limits.h> | |||
32 | 33 | |||
33 | char ** | 34 | char ** | |
34 | XListFonts( | 35 | XListFonts( | |
35 | register Display *dpy, | 36 | register Display *dpy, | |
36 | _Xconst char *pattern, /* null-terminated */ | 37 | _Xconst char *pattern, /* null-terminated */ | |
37 | int maxNames, | 38 | int maxNames, | |
38 | int *actualCount) /* RETURN */ | 39 | int *actualCount) /* RETURN */ | |
39 | { | 40 | { | |
40 | register long nbytes; | 41 | register long nbytes; | |
41 | register unsigned i; | 42 | register unsigned i; | |
42 | register int length; | 43 | register int length; | |
43 | char **flist; | 44 | char **flist; | |
44 | char *ch; | 45 | char *ch = NULL; | |
46 | char *chend; | |||
47 | int count = 0; | |||
45 | xListFontsReply rep; | 48 | xListFontsReply rep; | |
46 | register xListFontsReq *req; | 49 | register xListFontsReq *req; | |
47 | register long rlen; | 50 | register long rlen; | |
48 | 51 | |||
49 | LockDisplay(dpy); | 52 | LockDisplay(dpy); | |
50 | GetReq(ListFonts, req); | 53 | GetReq(ListFonts, req); | |
51 | req->maxNames = maxNames; | 54 | req->maxNames = maxNames; | |
52 | nbytes = req->nbytes = pattern ? strlen (pattern) : 0; | 55 | nbytes = req->nbytes = pattern ? strlen (pattern) : 0; | |
53 | req->length += (nbytes + 3) >> 2; | 56 | req->length += (nbytes + 3) >> 2; | |
54 | _XSend (dpy, pattern, nbytes); | 57 | _XSend (dpy, pattern, nbytes); | |
55 | /* use _XSend instead of Data, since following _XReply will flush buffer */ | 58 | /* use _XSend instead of Data, since following _XReply will flush buffer */ | |
56 | 59 | |||
57 | if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) { | 60 | if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) { | |
58 | *actualCount = 0; | 61 | *actualCount = 0; | |
59 | UnlockDisplay(dpy); | 62 | UnlockDisplay(dpy); | |
60 | SyncHandle(); | 63 | SyncHandle(); | |
61 | return (char **) NULL; | 64 | return (char **) NULL; | |
62 | } | 65 | } | |
63 | 66 | |||
64 | if (rep.nFonts) { | 67 | if (rep.nFonts) { | |
65 | flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *)); | 68 | flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *)); | |
66 | rlen = rep.length << 2; | 69 | if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { | |
67 | ch = (char *) Xmalloc((unsigned) (rlen + 1)); | 70 | rlen = rep.length << 2; | |
68 | /* +1 to leave room for last null-terminator */ | 71 | ch = (char *) Xmalloc((unsigned) (rlen + 1)); | |
72 | /* +1 to leave room for last null-terminator */ | |||
73 | } | |||
69 | 74 | |||
70 | if ((! flist) || (! ch)) { | 75 | if ((! flist) || (! ch)) { | |
71 | if (flist) Xfree((char *) flist); | 76 | if (flist) Xfree((char *) flist); | |
72 | if (ch) Xfree(ch); | 77 | if (ch) Xfree(ch); | |
73 | _XEatData(dpy, (unsigned long) rlen); | 78 | _XEatData(dpy, (unsigned long) rlen); | |
74 | *actualCount = 0; | 79 | *actualCount = 0; | |
75 | UnlockDisplay(dpy); | 80 | UnlockDisplay(dpy); | |
76 | SyncHandle(); | 81 | SyncHandle(); | |
77 | return (char **) NULL; | 82 | return (char **) NULL; | |
78 | } | 83 | } | |
79 | 84 | |||
80 | _XReadPad (dpy, ch, rlen); | 85 | _XReadPad (dpy, ch, rlen); | |
81 | /* | 86 | /* | |
82 | * unpack into null terminated strings. | 87 | * unpack into null terminated strings. | |
83 | */ | 88 | */ | |
89 | chend = ch + (rlen + 1); | |||
84 | length = *(unsigned char *)ch; | 90 | length = *(unsigned char *)ch; | |
85 | *ch = 1; /* make sure it is non-zero for XFreeFontNames */ | 91 | *ch = 1; /* make sure it is non-zero for XFreeFontNames */ | |
86 | for (i = 0; i < rep.nFonts; i++) { | 92 | for (i = 0; i < rep.nFonts; i++) { | |
87 | flist[i] = ch + 1; /* skip over length */ | 93 | if (ch + length < chend) { | |
88 | ch += length + 1; /* find next length ... */ | 94 | flist[i] = ch + 1; /* skip over length */ | |
89 | length = *(unsigned char *)ch; | 95 | ch += length + 1; /* find next length ... */ | |
90 | *ch = '\0'; /* and replace with null-termination */ | 96 | if (ch <= chend) { | |
97 | length = *(unsigned char *)ch; | |||
98 | *ch = '\0'; /* and replace with null-termination */ | |||
99 | count++; | |||
100 | } else { | |||
101 | Xfree(flist); | |||
102 | flist = NULL; | |||
103 | count = 0; | |||
104 | break; | |||
105 | } | |||
106 | } else { | |||
107 | Xfree(flist); | |||
108 | flist = NULL; | |||
109 | count = 0; | |||
110 | break; | |||
111 | } | |||
91 | } | 112 | } | |
92 | } | 113 | } | |
93 | else flist = (char **) NULL; | 114 | else flist = (char **) NULL; | |
94 | *actualCount = rep.nFonts; | 115 | *actualCount = count; | |
95 | UnlockDisplay(dpy); | 116 | UnlockDisplay(dpy); | |
96 | SyncHandle(); | 117 | SyncHandle(); | |
97 | return (flist); | 118 | return (flist); | |
98 | } | 119 | } | |
99 | 120 | |||
100 | int | 121 | int | |
101 | XFreeFontNames(list) | 122 | XFreeFontNames(list) | |
102 | char **list; | 123 | char **list; | |
103 | { | 124 | { | |
104 | if (list) { | 125 | if (list) { | |
105 | if (!*(list[0]-1)) { /* from ListFontsWithInfo */ | 126 | if (!*(list[0]-1)) { /* from ListFontsWithInfo */ | |
106 | register char **names; | 127 | register char **names; | |
107 | for (names = list+1; *names; names++) | 128 | for (names = list+1; *names; names++) |
--- xsrc/xfree/xc/lib/X11/Attic/GetImage.c 2004/03/05 14:24:07 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/Attic/GetImage.c 2016/10/05 10:49:30 1.1.1.5.28.1
@@ -20,52 +20,54 @@ AN ACTION OF CONTRACT, TORT OR OTHERWISE | @@ -20,52 +20,54 @@ AN ACTION OF CONTRACT, TORT OR OTHERWISE | |||
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
21 | 21 | |||
22 | Except as contained in this notice, the name of The Open Group shall not be | 22 | Except as contained in this notice, the name of The Open Group shall not be | |
23 | used in advertising or otherwise to promote the sale, use or other dealings | 23 | used in advertising or otherwise to promote the sale, use or other dealings | |
24 | in this Software without prior written authorization from The Open Group. | 24 | in this Software without prior written authorization from The Open Group. | |
25 | 25 | |||
26 | */ | 26 | */ | |
27 | /* $XFree86: xc/lib/X11/GetImage.c,v 1.5 2003/04/13 19:22:16 dawes Exp $ */ | 27 | /* $XFree86: xc/lib/X11/GetImage.c,v 1.5 2003/04/13 19:22:16 dawes Exp $ */ | |
28 | 28 | |||
29 | #define NEED_REPLIES | 29 | #define NEED_REPLIES | |
30 | #include "Xlibint.h" | 30 | #include "Xlibint.h" | |
31 | #include <X11/Xutil.h> /* for XDestroyImage */ | 31 | #include <X11/Xutil.h> /* for XDestroyImage */ | |
32 | #include "ImUtil.h" | 32 | #include "ImUtil.h" | |
33 | #include <limits.h> | |||
33 | 34 | |||
34 | #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad)) | 35 | #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad)) | |
35 | 36 | |||
36 | static unsigned int Ones( /* HACKMEM 169 */ | 37 | static unsigned int Ones( /* HACKMEM 169 */ | |
37 | unsigned long mask) | 38 | unsigned long mask) | |
38 | { | 39 | { | |
39 | register unsigned long y; | 40 | register unsigned long y; | |
40 | 41 | |||
41 | y = (mask >> 1) &033333333333; | 42 | y = (mask >> 1) &033333333333; | |
42 | y = mask - y - ((y >>1) & 033333333333); | 43 | y = mask - y - ((y >>1) & 033333333333); | |
43 | return ((unsigned int) (((y + (y >> 3)) & 030707070707) % 077)); | 44 | return ((unsigned int) (((y + (y >> 3)) & 030707070707) % 077)); | |
44 | } | 45 | } | |
45 | 46 | |||
46 | XImage *XGetImage (dpy, d, x, y, width, height, plane_mask, format) | 47 | XImage *XGetImage (dpy, d, x, y, width, height, plane_mask, format) | |
47 | register Display *dpy; | 48 | register Display *dpy; | |
48 | Drawable d; | 49 | Drawable d; | |
49 | int x, y; | 50 | int x, y; | |
50 | unsigned int width, height; | 51 | unsigned int width, height; | |
51 | unsigned long plane_mask; | 52 | unsigned long plane_mask; | |
52 | int format; /* either XYPixmap or ZPixmap */ | 53 | int format; /* either XYPixmap or ZPixmap */ | |
53 | { | 54 | { | |
54 | xGetImageReply rep; | 55 | xGetImageReply rep; | |
55 | register xGetImageReq *req; | 56 | register xGetImageReq *req; | |
56 | char *data; | 57 | char *data; | |
57 | long nbytes; | 58 | long nbytes; | |
58 | XImage *image; | 59 | XImage *image; | |
60 | int planes; | |||
59 | LockDisplay(dpy); | 61 | LockDisplay(dpy); | |
60 | GetReq (GetImage, req); | 62 | GetReq (GetImage, req); | |
61 | /* | 63 | /* | |
62 | * first set up the standard stuff in the request | 64 | * first set up the standard stuff in the request | |
63 | */ | 65 | */ | |
64 | req->drawable = d; | 66 | req->drawable = d; | |
65 | req->x = x; | 67 | req->x = x; | |
66 | req->y = y; | 68 | req->y = y; | |
67 | req->width = width; | 69 | req->width = width; | |
68 | req->height = height; | 70 | req->height = height; | |
69 | req->planeMask = plane_mask; | 71 | req->planeMask = plane_mask; | |
70 | req->format = format; | 72 | req->format = format; | |
71 | 73 | |||
@@ -75,38 +77,48 @@ XImage *XGetImage (dpy, d, x, y, width, | @@ -75,38 +77,48 @@ XImage *XGetImage (dpy, d, x, y, width, | |||
75 | SyncHandle(); | 77 | SyncHandle(); | |
76 | return (XImage *)NULL; | 78 | return (XImage *)NULL; | |
77 | } | 79 | } | |
78 | 80 | |||
79 | nbytes = (long)rep.length << 2; | 81 | nbytes = (long)rep.length << 2; | |
80 | data = (char *) Xmalloc((unsigned) nbytes); | 82 | data = (char *) Xmalloc((unsigned) nbytes); | |
81 | if (! data) { | 83 | if (! data) { | |
82 | _XEatData(dpy, (unsigned long) nbytes); | 84 | _XEatData(dpy, (unsigned long) nbytes); | |
83 | UnlockDisplay(dpy); | 85 | UnlockDisplay(dpy); | |
84 | SyncHandle(); | 86 | SyncHandle(); | |
85 | return (XImage *) NULL; | 87 | return (XImage *) NULL; | |
86 | } | 88 | } | |
87 | _XReadPad (dpy, data, nbytes); | 89 | _XReadPad (dpy, data, nbytes); | |
88 | if (format == XYPixmap) | 90 | if (format == XYPixmap) { | |
89 | image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), | 91 | image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), | |
90 | Ones (plane_mask & | 92 | Ones (plane_mask & | |
91 | (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), | 93 | (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), | |
92 | format, 0, data, width, height, dpy->bitmap_pad, 0); | 94 | format, 0, data, width, height, dpy->bitmap_pad, 0); | |
93 | else /* format == ZPixmap */ | 95 | planes = image->depth; | |
94 | image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), | 96 | } else { /* format == ZPixmap */ | |
95 | rep.depth, ZPixmap, 0, data, width, height, | 97 | image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), | |
96 | _XGetScanlinePad(dpy, (int) rep.depth), 0); | 98 | rep.depth, ZPixmap, 0, data, width, height, | |
99 | _XGetScanlinePad(dpy, (int) rep.depth), 0); | |||
100 | planes = 1; | |||
101 | } | |||
97 | 102 | |||
98 | if (!image) | 103 | if (!image) | |
99 | Xfree(data); | 104 | Xfree(data); | |
105 | if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || | |||
106 | INT_MAX / image->height <= image->bytes_per_line || | |||
107 | INT_MAX / planes <= image->height * image->bytes_per_line || | |||
108 | nbytes < planes * image->height * image->bytes_per_line) { | |||
109 | XDestroyImage(image); | |||
110 | image = NULL; | |||
111 | } | |||
100 | UnlockDisplay(dpy); | 112 | UnlockDisplay(dpy); | |
101 | SyncHandle(); | 113 | SyncHandle(); | |
102 | return (image); | 114 | return (image); | |
103 | } | 115 | } | |
104 | 116 | |||
105 | XImage *XGetSubImage(dpy, d, x, y, width, height, plane_mask, format, | 117 | XImage *XGetSubImage(dpy, d, x, y, width, height, plane_mask, format, | |
106 | dest_image, dest_x, dest_y) | 118 | dest_image, dest_x, dest_y) | |
107 | register Display *dpy; | 119 | register Display *dpy; | |
108 | Drawable d; | 120 | Drawable d; | |
109 | int x, y; | 121 | int x, y; | |
110 | unsigned int width, height; | 122 | unsigned int width, height; | |
111 | unsigned long plane_mask; | 123 | unsigned long plane_mask; | |
112 | int format; /* either XYPixmap or ZPixmap */ | 124 | int format; /* either XYPixmap or ZPixmap */ |
--- xsrc/xfree/xc/lib/X11/Attic/ModMap.c 2004/03/05 14:24:08 1.1.1.5
+++ xsrc/xfree/xc/lib/X11/Attic/ModMap.c 2016/10/05 10:49:30 1.1.1.5.28.1
@@ -18,42 +18,48 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON | @@ -18,42 +18,48 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON | |||
18 | OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN | 18 | OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN | |
19 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | 19 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | |
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
21 | 21 | |||
22 | Except as contained in this notice, the name of The Open Group shall not be | 22 | Except as contained in this notice, the name of The Open Group shall not be | |
23 | used in advertising or otherwise to promote the sale, use or other dealings | 23 | used in advertising or otherwise to promote the sale, use or other dealings | |
24 | in this Software without prior written authorization from The Open Group. | 24 | in this Software without prior written authorization from The Open Group. | |
25 | 25 | |||
26 | */ | 26 | */ | |
27 | /* $XFree86: xc/lib/X11/ModMap.c,v 1.5 2003/11/17 22:20:08 dawes Exp $ */ | 27 | /* $XFree86: xc/lib/X11/ModMap.c,v 1.5 2003/11/17 22:20:08 dawes Exp $ */ | |
28 | 28 | |||
29 | #define NEED_REPLIES | 29 | #define NEED_REPLIES | |
30 | #include "Xlibint.h" | 30 | #include "Xlibint.h" | |
31 | #include <limits.h> | |||
31 | 32 | |||
32 | XModifierKeymap * | 33 | XModifierKeymap * | |
33 | XGetModifierMapping(dpy) | 34 | XGetModifierMapping(dpy) | |
34 | register Display *dpy; | 35 | register Display *dpy; | |
35 | { | 36 | { | |
36 | xGetModifierMappingReply rep; | 37 | xGetModifierMappingReply rep; | |
37 | register xReq *req; | 38 | register xReq *req; | |
38 | unsigned long nbytes; | 39 | unsigned long nbytes; | |
39 | XModifierKeymap *res; | 40 | XModifierKeymap *res; | |
40 | 41 | |||
41 | LockDisplay(dpy); | 42 | LockDisplay(dpy); | |
42 | GetEmptyReq(GetModifierMapping, req); | 43 | GetEmptyReq(GetModifierMapping, req); | |
43 | (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); | 44 | (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); | |
44 | 45 | |||
45 | nbytes = (unsigned long)rep.length << 2; | 46 | if (rep.length < (INT_MAX >> 2) && | |
46 | res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); | 47 | (rep.length >> 1) == rep.numKeyPerModifier) { | |
48 | nbytes = (unsigned long)rep.length << 2; | |||
49 | res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); | |||
50 | } else | |||
51 | res = NULL; | |||
52 | ||||
47 | if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); | 53 | if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); | |
48 | if ((! res) || (! res->modifiermap)) { | 54 | if ((! res) || (! res->modifiermap)) { | |
49 | if (res) Xfree((char *) res); | 55 | if (res) Xfree((char *) res); | |
50 | res = (XModifierKeymap *) NULL; | 56 | res = (XModifierKeymap *) NULL; | |
51 | _XEatData(dpy, nbytes); | 57 | _XEatData(dpy, nbytes); | |
52 | } else { | 58 | } else { | |
53 | _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); | 59 | _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); | |
54 | res->max_keypermod = rep.numKeyPerModifier; | 60 | res->max_keypermod = rep.numKeyPerModifier; | |
55 | } | 61 | } | |
56 | 62 | |||
57 | UnlockDisplay(dpy); | 63 | UnlockDisplay(dpy); | |
58 | SyncHandle(); | 64 | SyncHandle(); | |
59 | return (res); | 65 | return (res); |
--- xsrc/xfree/xc/lib/X11/Attic/ListExt.c 2002/01/19 14:55:27 1.1.1.4
+++ xsrc/xfree/xc/lib/X11/Attic/ListExt.c 2016/10/05 10:49:30 1.1.1.4.30.1
@@ -18,79 +18,93 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON | @@ -18,79 +18,93 @@ FITNESS FOR A PARTICULAR PURPOSE AND NON | |||
18 | OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN | 18 | OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN | |
19 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | 19 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | |
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
21 | 21 | |||
22 | Except as contained in this notice, the name of The Open Group shall not be | 22 | Except as contained in this notice, the name of The Open Group shall not be | |
23 | used in advertising or otherwise to promote the sale, use or other dealings | 23 | used in advertising or otherwise to promote the sale, use or other dealings | |
24 | in this Software without prior written authorization from The Open Group. | 24 | in this Software without prior written authorization from The Open Group. | |
25 | 25 | |||
26 | */ | 26 | */ | |
27 | /* $XFree86: xc/lib/X11/ListExt.c,v 1.4 2001/12/14 19:54:02 dawes Exp $ */ | 27 | /* $XFree86: xc/lib/X11/ListExt.c,v 1.4 2001/12/14 19:54:02 dawes Exp $ */ | |
28 | 28 | |||
29 | #define NEED_REPLIES | 29 | #define NEED_REPLIES | |
30 | #include "Xlibint.h" | 30 | #include "Xlibint.h" | |
31 | #include <limits.h> | |||
31 | 32 | |||
32 | char **XListExtensions(dpy, nextensions) | 33 | char **XListExtensions(dpy, nextensions) | |
33 | register Display *dpy; | 34 | register Display *dpy; | |
34 | int *nextensions; /* RETURN */ | 35 | int *nextensions; /* RETURN */ | |
35 | { | 36 | { | |
36 | xListExtensionsReply rep; | 37 | xListExtensionsReply rep; | |
37 | char **list; | 38 | char **list; | |
38 | char *ch; | 39 | char *ch = NULL; | |
40 | char *chend; | |||
41 | int count = 0; | |||
39 | register unsigned i; | 42 | register unsigned i; | |
40 | register int length; | 43 | register int length; | |
41 | register xReq *req; | 44 | register xReq *req; | |
42 | register long rlen; | 45 | register long rlen; | |
43 | 46 | |||
44 | LockDisplay(dpy); | 47 | LockDisplay(dpy); | |
45 | GetEmptyReq (ListExtensions, req); | 48 | GetEmptyReq (ListExtensions, req); | |
46 | 49 | |||
47 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) { | 50 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) { | |
48 | UnlockDisplay(dpy); | 51 | UnlockDisplay(dpy); | |
49 | SyncHandle(); | 52 | SyncHandle(); | |
50 | return (char **) NULL; | 53 | return (char **) NULL; | |
51 | } | 54 | } | |
52 | 55 | |||
53 | if (rep.nExtensions) { | 56 | if (rep.nExtensions) { | |
54 | list = (char **) Xmalloc ( | 57 | list = (char **) Xmalloc ( | |
55 | (unsigned)(rep.nExtensions * sizeof (char *))); | 58 | (unsigned)(rep.nExtensions * sizeof (char *))); | |
56 | rlen = rep.length << 2; | 59 | if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { | |
57 | ch = (char *) Xmalloc ((unsigned) rlen + 1); | 60 | rlen = rep.length << 2; | |
58 | /* +1 to leave room for last null-terminator */ | 61 | ch = (char *) Xmalloc ((unsigned) rlen + 1); | |
62 | /* +1 to leave room for last null-terminator */ | |||
63 | } | |||
59 | 64 | |||
60 | if ((!list) || (!ch)) { | 65 | if ((!list) || (!ch)) { | |
61 | if (list) Xfree((char *) list); | 66 | if (list) Xfree((char *) list); | |
62 | if (ch) Xfree((char *) ch); | 67 | if (ch) Xfree((char *) ch); | |
63 | _XEatData(dpy, (unsigned long) rlen); | 68 | _XEatData(dpy, (unsigned long) rlen); | |
64 | UnlockDisplay(dpy); | 69 | UnlockDisplay(dpy); | |
65 | SyncHandle(); | 70 | SyncHandle(); | |
66 | return (char **) NULL; | 71 | return (char **) NULL; | |
67 | } | 72 | } | |
68 | 73 | |||
69 | _XReadPad (dpy, ch, rlen); | 74 | _XReadPad (dpy, ch, rlen); | |
70 | /* | 75 | /* | |
71 | * unpack into null terminated strings. | 76 | * unpack into null terminated strings. | |
72 | */ | 77 | */ | |
78 | chend = ch + (rlen + 1); | |||
73 | length = *ch; | 79 | length = *ch; | |
74 | for (i = 0; i < rep.nExtensions; i++) { | 80 | for (i = 0; i < rep.nExtensions; i++) { | |
75 | list[i] = ch+1; /* skip over length */ | 81 | if (ch + length < chend) { | |
76 | ch += length + 1; /* find next length ... */ | 82 | list[i] = ch+1; /* skip over length */ | |
77 | length = *ch; | 83 | ch += length + 1; /* find next length ... */ | |
78 | *ch = '\0'; /* and replace with null-termination */ | 84 | if (ch <= chend) { | |
85 | length = *ch; | |||
86 | *ch = '\0'; /* and replace with null-termination */ | |||
87 | count++; | |||
88 | } else { | |||
89 | list[i] = NULL; | |||
90 | } | |||
91 | } else | |||
92 | list[i] = NULL; | |||
79 | } | 93 | } | |
80 | } | 94 | } | |
81 | else list = (char **) NULL; | 95 | else list = (char **) NULL; | |
82 | 96 | |||
83 | *nextensions = rep.nExtensions; | 97 | *nextensions = count; | |
84 | UnlockDisplay(dpy); | 98 | UnlockDisplay(dpy); | |
85 | SyncHandle(); | 99 | SyncHandle(); | |
86 | return (list); | 100 | return (list); | |
87 | } | 101 | } | |
88 | 102 | |||
89 | int | 103 | int | |
90 | XFreeExtensionList (list) | 104 | XFreeExtensionList (list) | |
91 | char **list; | 105 | char **list; | |
92 | { | 106 | { | |
93 | if (list != NULL) { | 107 | if (list != NULL) { | |
94 | Xfree (list[0]-1); | 108 | Xfree (list[0]-1); | |
95 | Xfree ((char *)list); | 109 | Xfree ((char *)list); | |
96 | } | 110 | } |
--- xsrc/xfree/xc/lib/X11/Attic/Xlibint.h 2015/04/19 05:56:13 1.1.1.7.16.1
+++ xsrc/xfree/xc/lib/X11/Attic/Xlibint.h 2016/10/05 10:49:30 1.1.1.7.16.2
@@ -532,27 +532,27 @@ extern LockInfoPtr _Xglobal_lock; | @@ -532,27 +532,27 @@ extern LockInfoPtr _Xglobal_lock; | |||
532 | * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 | 532 | * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 | |
533 | * length, after req->length, before the data in the request. The new length | 533 | * length, after req->length, before the data in the request. The new length | |
534 | * includes the "n" extra 32-bit words. | 534 | * includes the "n" extra 32-bit words. | |
535 | * | 535 | * | |
536 | * Do not use MakeBigReq if there is no data already in the request. | 536 | * Do not use MakeBigReq if there is no data already in the request. | |
537 | * req->length must already be >= 2. | 537 | * req->length must already be >= 2. | |
538 | */ | 538 | */ | |
539 | #define MakeBigReq(req,n) \ | 539 | #define MakeBigReq(req,n) \ | |
540 | { \ | 540 | { \ | |
541 | char _BRdat[4]; \ | 541 | char _BRdat[4]; \ | |
542 | unsigned long _BRlen = req->length - 1; \ | 542 | unsigned long _BRlen = req->length - 1; \ | |
543 | req->length = 0; \ | 543 | req->length = 0; \ | |
544 | memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \ | 544 | memcpy(_BRdat, ((char *)req) + (_BRlen << 2), 4); \ | |
545 | memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ | 545 | memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ | |
546 | memcpy(((char *)req) + 4, _BRdat, 4); \ | 546 | memcpy(((char *)req) + 4, _BRdat, 4); \ | |
547 | Data32(dpy, (long *)&_BRdat, 4); \ | 547 | Data32(dpy, (long *)&_BRdat, 4); \ | |
548 | } | 548 | } | |
549 | #else | 549 | #else | |
550 | #ifdef LONG64 | 550 | #ifdef LONG64 | |
551 | #define MakeBigReq(req,n) \ | 551 | #define MakeBigReq(req,n) \ | |
552 | { \ | 552 | { \ | |
553 | CARD64 _BRdat; \ | 553 | CARD64 _BRdat; \ | |
554 | CARD32 _BRlen = req->length - 1; \ | 554 | CARD32 _BRlen = req->length - 1; \ | |
555 | req->length = 0; \ | 555 | req->length = 0; \ | |
556 | _BRdat = ((CARD32 *)req)[_BRlen]; \ | 556 | _BRdat = ((CARD32 *)req)[_BRlen]; \ | |
557 | memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ | 557 | memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ | |
558 | ((CARD32 *)req)[1] = _BRlen + n + 2; \ | 558 | ((CARD32 *)req)[1] = _BRlen + n + 2; \ |
--- xsrc/xfree/xc/lib/Xi/Attic/XGMotion.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGMotion.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -49,42 +49,43 @@ SOFTWARE. | @@ -49,42 +49,43 @@ SOFTWARE. | |||
49 | 49 | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XGetDeviceMotionEvents - Get the motion history of an input device. | 52 | * XGetDeviceMotionEvents - Get the motion history of an input device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <X11/extensions/XI.h> | 56 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 57 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 58 | #include <X11/Xlibint.h> | |
59 | #include <X11/extensions/XInput.h> | 59 | #include <X11/extensions/XInput.h> | |
60 | #include <X11/extensions/extutil.h> | 60 | #include <X11/extensions/extutil.h> | |
61 | #include "XIint.h" | 61 | #include "XIint.h" | |
62 | #include <limits.h> | |||
62 | 63 | |||
63 | XDeviceTimeCoord | 64 | XDeviceTimeCoord | |
64 | *XGetDeviceMotionEvents (dpy, dev, start, stop, nEvents, mode, axis_count) | 65 | *XGetDeviceMotionEvents (dpy, dev, start, stop, nEvents, mode, axis_count) | |
65 | register Display *dpy; | 66 | register Display *dpy; | |
66 | XDevice *dev; | 67 | XDevice *dev; | |
67 | Time start; | 68 | Time start; | |
68 | Time stop; | 69 | Time stop; | |
69 | int *nEvents; | 70 | int *nEvents; | |
70 | int *mode; | 71 | int *mode; | |
71 | int *axis_count; | 72 | int *axis_count; | |
72 | { | 73 | { | |
73 | xGetDeviceMotionEventsReq *req; | 74 | xGetDeviceMotionEventsReq *req; | |
74 | xGetDeviceMotionEventsReply rep; | 75 | xGetDeviceMotionEventsReply rep; | |
75 | XDeviceTimeCoord *tc; | 76 | XDeviceTimeCoord *tc; | |
76 | int *data, *bufp, *readp, *savp; | 77 | int *data, *bufp, *readp, *savp; | |
77 | long size, size2; | 78 | long size; | |
78 | int i, j; | 79 | int i, j; | |
79 | XExtDisplayInfo *info = XInput_find_display (dpy); | 80 | XExtDisplayInfo *info = XInput_find_display (dpy); | |
80 | 81 | |||
81 | LockDisplay (dpy); | 82 | LockDisplay (dpy); | |
82 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | 83 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | |
83 | return ((XDeviceTimeCoord *) NoSuchExtension); | 84 | return ((XDeviceTimeCoord *) NoSuchExtension); | |
84 | 85 | |||
85 | GetReq(GetDeviceMotionEvents,req); | 86 | GetReq(GetDeviceMotionEvents,req); | |
86 | req->reqType = info->codes->major_opcode; | 87 | req->reqType = info->codes->major_opcode; | |
87 | req->ReqType = X_GetDeviceMotionEvents; | 88 | req->ReqType = X_GetDeviceMotionEvents; | |
88 | req->start = start; | 89 | req->start = start; | |
89 | req->stop = stop; | 90 | req->stop = stop; | |
90 | req->deviceid = dev->device_id; | 91 | req->deviceid = dev->device_id; | |
@@ -95,31 +96,43 @@ XDeviceTimeCoord | @@ -95,31 +96,43 @@ XDeviceTimeCoord | |||
95 | *nEvents = 0; | 96 | *nEvents = 0; | |
96 | return (NULL); | 97 | return (NULL); | |
97 | } | 98 | } | |
98 | 99 | |||
99 | *mode = rep.mode; | 100 | *mode = rep.mode; | |
100 | *axis_count = rep.axes; | 101 | *axis_count = rep.axes; | |
101 | *nEvents = rep.nEvents; | 102 | *nEvents = rep.nEvents; | |
102 | if (!rep.nEvents) | 103 | if (!rep.nEvents) | |
103 | { | 104 | { | |
104 | UnlockDisplay(dpy); | 105 | UnlockDisplay(dpy); | |
105 | SyncHandle(); | 106 | SyncHandle(); | |
106 | return (NULL); | 107 | return (NULL); | |
107 | } | 108 | } | |
108 | size = rep.length << 2; | 109 | if (rep.length < (INT_MAX >> 2)) { | |
109 | size2 = rep.nEvents * | 110 | size = rep.length << 2; | |
110 | (sizeof (XDeviceTimeCoord) + (rep.axes * sizeof (int))); | 111 | savp = readp = Xmalloc(size); | |
111 | savp = readp = (int *) Xmalloc (size); | 112 | } else { | |
112 | bufp = (int *) Xmalloc (size2); | 113 | size = 0; | |
114 | savp = readp = NULL; | |||
115 | } | |||
116 | /* rep.axes is a CARD8, so assume max number of axes for bounds check */ | |||
117 | if (rep.nEvents < | |||
118 | (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) && | |||
119 | rep.nEvents * (rep.axes + 1) <= rep.length) { | |||
120 | size_t bsize = rep.nEvents * | |||
121 | (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int))); | |||
122 | bufp = Xmalloc(bsize); | |||
123 | } else | |||
124 | bufp = NULL; | |||
125 | ||||
113 | if (!bufp || !savp) | 126 | if (!bufp || !savp) | |
114 | { | 127 | { | |
115 | *nEvents = 0; | 128 | *nEvents = 0; | |
116 | _XEatData (dpy, (unsigned long) size); | 129 | _XEatData (dpy, (unsigned long) size); | |
117 | UnlockDisplay(dpy); | 130 | UnlockDisplay(dpy); | |
118 | SyncHandle(); | 131 | SyncHandle(); | |
119 | return (NULL); | 132 | return (NULL); | |
120 | } | 133 | } | |
121 | _XRead (dpy, (char *) readp, size); | 134 | _XRead (dpy, (char *) readp, size); | |
122 | 135 | |||
123 | tc = (XDeviceTimeCoord *) bufp; | 136 | tc = (XDeviceTimeCoord *) bufp; | |
124 | data = (int *) (tc + rep.nEvents); | 137 | data = (int *) (tc + rep.nEvents); | |
125 | for (i=0; i<*nEvents; i++,tc++) | 138 | for (i=0; i<*nEvents; i++,tc++) |
--- xsrc/xfree/xc/lib/Xi/Attic/XGetBMap.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetBMap.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -80,29 +80,33 @@ XGetDeviceButtonMapping (dpy, device, ma | @@ -80,29 +80,33 @@ XGetDeviceButtonMapping (dpy, device, ma | |||
80 | register xGetDeviceButtonMappingReq *req; | 80 | register xGetDeviceButtonMappingReq *req; | |
81 | xGetDeviceButtonMappingReply rep; | 81 | xGetDeviceButtonMappingReply rep; | |
82 | 82 | |||
83 | LockDisplay(dpy); | 83 | LockDisplay(dpy); | |
84 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | 84 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | |
85 | return (NoSuchExtension); | 85 | return (NoSuchExtension); | |
86 | GetReq(GetDeviceButtonMapping, req); | 86 | GetReq(GetDeviceButtonMapping, req); | |
87 | 87 | |||
88 | req->reqType = info->codes->major_opcode; | 88 | req->reqType = info->codes->major_opcode; | |
89 | req->ReqType = X_GetDeviceButtonMapping; | 89 | req->ReqType = X_GetDeviceButtonMapping; | |
90 | req->deviceid = device->device_id; | 90 | req->deviceid = device->device_id; | |
91 | 91 | |||
92 | status = _XReply (dpy, (xReply *)&rep, 0, xFalse); | 92 | status = _XReply (dpy, (xReply *)&rep, 0, xFalse); | |
93 | if (status == 1) | 93 | if (status == 1) { | |
94 | { | 94 | if (rep.length <= (sizeof(mapping) >> 2) && | |
95 | nbytes = (long)rep.length << 2; | 95 | rep.nElts <= (rep.length << 2)) { | |
96 | _XRead (dpy, (char *)mapping, nbytes); | 96 | nbytes = (long)rep.length << 2; | |
97 | _XRead (dpy, (char *)mapping, nbytes); | |||
97 | 98 | |||
98 | /* don't return more data than the user asked for. */ | 99 | /* don't return more data than the user asked for. */ | |
99 | if (rep.nElts) | 100 | if (rep.nElts) | |
100 | memcpy ((char *) map, (char *) mapping, MIN((int)rep.nElts, nmap)); | 101 | memcpy ((char *) map, (char *) mapping, MIN((int)rep.nElts, nmap)); | |
101 | status = rep.nElts; | 102 | status = rep.nElts; | |
103 | } else { | |||
104 | status = 0; | |||
102 | } | 105 | } | |
106 | } | |||
103 | else | 107 | else | |
104 | status = 0; | 108 | status = 0; | |
105 | UnlockDisplay(dpy); | 109 | UnlockDisplay(dpy); | |
106 | SyncHandle(); | 110 | SyncHandle(); | |
107 | return (status); | 111 | return (status); | |
108 | } | 112 | } |
--- xsrc/xfree/xc/lib/Xi/Attic/XGetDCtl.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetDCtl.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -50,26 +50,27 @@ SOFTWARE. | @@ -50,26 +50,27 @@ SOFTWARE. | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XGetDeviceControl - get the Device control state of an extension device. | 52 | * XGetDeviceControl - get the Device control state of an extension device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <X11/extensions/XI.h> | 56 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 57 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 58 | #include <X11/Xlibint.h> | |
59 | #include <X11/Xlib.h> | 59 | #include <X11/Xlib.h> | |
60 | #include <X11/extensions/XInput.h> | 60 | #include <X11/extensions/XInput.h> | |
61 | #include <X11/extensions/extutil.h> | 61 | #include <X11/extensions/extutil.h> | |
62 | #include "XIint.h" | 62 | #include "XIint.h" | |
63 | #include <limits.h> | |||
63 | 64 | |||
64 | XDeviceControl | 65 | XDeviceControl | |
65 | *XGetDeviceControl (dpy, dev, control) | 66 | *XGetDeviceControl (dpy, dev, control) | |
66 | register Display *dpy; | 67 | register Display *dpy; | |
67 | XDevice *dev; | 68 | XDevice *dev; | |
68 | int control; | 69 | int control; | |
69 | { | 70 | { | |
70 | int size = 0; | 71 | int size = 0; | |
71 | int nbytes, i; | 72 | int nbytes, i; | |
72 | XDeviceControl *Device = NULL; | 73 | XDeviceControl *Device = NULL; | |
73 | XDeviceControl *Sav = NULL; | 74 | XDeviceControl *Sav = NULL; | |
74 | xDeviceState *d = NULL; | 75 | xDeviceState *d = NULL; | |
75 | xDeviceState *sav = NULL; | 76 | xDeviceState *sav = NULL; | |
@@ -85,47 +86,56 @@ XDeviceControl | @@ -85,47 +86,56 @@ XDeviceControl | |||
85 | req->reqType = info->codes->major_opcode; | 86 | req->reqType = info->codes->major_opcode; | |
86 | req->ReqType = X_GetDeviceControl; | 87 | req->ReqType = X_GetDeviceControl; | |
87 | req->deviceid = dev->device_id; | 88 | req->deviceid = dev->device_id; | |
88 | req->control = control; | 89 | req->control = control; | |
89 | 90 | |||
90 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | 91 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | |
91 | { | 92 | { | |
92 | UnlockDisplay(dpy); | 93 | UnlockDisplay(dpy); | |
93 | SyncHandle(); | 94 | SyncHandle(); | |
94 | return (XDeviceControl *) NULL; | 95 | return (XDeviceControl *) NULL; | |
95 | } | 96 | } | |
96 | if (rep.length > 0) | 97 | if (rep.length > 0) | |
97 | { | 98 | { | |
98 | nbytes = (long)rep.length << 2; | 99 | if (rep.length < (INT_MAX >> 2) && | |
99 | d = (xDeviceState *) Xmalloc((unsigned) nbytes); | 100 | (rep.length << 2) >= sizeof(xDeviceState)) { | |
101 | nbytes = (long)rep.length << 2; | |||
102 | d = (xDeviceState *) Xmalloc((unsigned) nbytes); | |||
103 | } | |||
100 | if (!d) | 104 | if (!d) | |
101 | { | 105 | { | |
102 | _XEatData (dpy, (unsigned long) nbytes); | 106 | _XEatData (dpy, (unsigned long) nbytes); | |
103 | UnlockDisplay(dpy); | 107 | UnlockDisplay(dpy); | |
104 | SyncHandle(); | 108 | SyncHandle(); | |
105 | return (XDeviceControl *) NULL; | 109 | return (XDeviceControl *) NULL; | |
106 | } | 110 | } | |
107 | sav = d; | 111 | sav = d; | |
108 | _XRead (dpy, (char *) d, nbytes); | 112 | _XRead (dpy, (char *) d, nbytes); | |
109 | 113 | |||
110 | switch (d->control) | 114 | switch (d->control) | |
111 | { | 115 | { | |
112 | case DEVICE_RESOLUTION: | 116 | case DEVICE_RESOLUTION: | |
113 | { | 117 | { | |
114 | xDeviceResolutionState *r; | 118 | xDeviceResolutionState *r; | |
119 | size_t val_size; | |||
115 | 120 | |||
116 | r = (xDeviceResolutionState *) d; | 121 | r = (xDeviceResolutionState *) d; | |
117 | size += sizeof (XDeviceResolutionState) + | 122 | if (sizeof(xDeviceResolutionState) > nbytes || | |
118 | (3 * sizeof(int) * r->num_valuators); | 123 | r->num_valuators >= (INT_MAX / (3 * sizeof(int)))) | |
124 | goto out; | |||
125 | val_size = 3 * sizeof(int) * r->num_valuators; | |||
126 | if ((sizeof(xDeviceResolutionState) + val_size) > nbytes) | |||
127 | goto out; | |||
128 | size = sizeof(XDeviceResolutionState) + val_size; | |||
119 | break; | 129 | break; | |
120 | } | 130 | } | |
121 | default: | 131 | default: | |
122 | size += d->length; | 132 | size += d->length; | |
123 | break; | 133 | break; | |
124 | } | 134 | } | |
125 | 135 | |||
126 | Device = (XDeviceControl *) Xmalloc((unsigned) size); | 136 | Device = (XDeviceControl *) Xmalloc((unsigned) size); | |
127 | if (!Device) | 137 | if (!Device) | |
128 | { | 138 | { | |
129 | UnlockDisplay(dpy); | 139 | UnlockDisplay(dpy); | |
130 | SyncHandle(); | 140 | SyncHandle(); | |
131 | return (XDeviceControl *) NULL; | 141 | return (XDeviceControl *) NULL; | |
@@ -148,26 +158,27 @@ XDeviceControl | @@ -148,26 +158,27 @@ XDeviceControl | |||
148 | R->num_valuators = r->num_valuators; | 158 | R->num_valuators = r->num_valuators; | |
149 | iptr = (int *) (R+1); | 159 | iptr = (int *) (R+1); | |
150 | iptr2 = (int *) (r+1); | 160 | iptr2 = (int *) (r+1); | |
151 | R->resolutions = iptr; | 161 | R->resolutions = iptr; | |
152 | R->min_resolutions = iptr + R->num_valuators; | 162 | R->min_resolutions = iptr + R->num_valuators; | |
153 | R->max_resolutions = iptr + (2 * R->num_valuators); | 163 | R->max_resolutions = iptr + (2 * R->num_valuators); | |
154 | for (i=0; i < (3 * R->num_valuators); i++) | 164 | for (i=0; i < (3 * R->num_valuators); i++) | |
155 | *iptr++ = *iptr2++; | 165 | *iptr++ = *iptr2++; | |
156 | break; | 166 | break; | |
157 | } | 167 | } | |
158 | default: | 168 | default: | |
159 | break; | 169 | break; | |
160 | } | 170 | } | |
171 | out: | |||
161 | XFree (sav); | 172 | XFree (sav); | |
162 | } | 173 | } | |
163 | 174 | |||
164 | UnlockDisplay(dpy); | 175 | UnlockDisplay(dpy); | |
165 | SyncHandle(); | 176 | SyncHandle(); | |
166 | return (Sav); | 177 | return (Sav); | |
167 | } | 178 | } | |
168 | 179 | |||
169 | void XFreeDeviceControl (control) | 180 | void XFreeDeviceControl (control) | |
170 | XDeviceControl *control; | 181 | XDeviceControl *control; | |
171 | { | 182 | { | |
172 | XFree (control); | 183 | XFree (control); | |
173 | } | 184 | } |
--- xsrc/xfree/xc/lib/Xi/Attic/XGetFCtl.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetFCtl.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -50,75 +50,84 @@ SOFTWARE. | @@ -50,75 +50,84 @@ SOFTWARE. | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XGetFeedbackControl - get the feedback attributes of an extension device. | 52 | * XGetFeedbackControl - get the feedback attributes of an extension device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <X11/extensions/XI.h> | 56 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 57 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 58 | #include <X11/Xlibint.h> | |
59 | #include <X11/Xlib.h> | 59 | #include <X11/Xlib.h> | |
60 | #include <X11/extensions/XInput.h> | 60 | #include <X11/extensions/XInput.h> | |
61 | #include <X11/extensions/extutil.h> | 61 | #include <X11/extensions/extutil.h> | |
62 | #include "XIint.h" | 62 | #include "XIint.h" | |
63 | #include <limits.h> | |||
63 | 64 | |||
64 | XFeedbackState | 65 | XFeedbackState | |
65 | *XGetFeedbackControl (dpy, dev, num_feedbacks) | 66 | *XGetFeedbackControl (dpy, dev, num_feedbacks) | |
66 | register Display *dpy; | 67 | register Display *dpy; | |
67 | XDevice *dev; | 68 | XDevice *dev; | |
68 | int *num_feedbacks; | 69 | int *num_feedbacks; | |
69 | { | 70 | { | |
70 | int size = 0; | 71 | int size = 0; | |
71 | int nbytes, i; | 72 | int nbytes, i; | |
72 | XFeedbackState *Feedback = NULL; | 73 | XFeedbackState *Feedback = NULL; | |
73 | XFeedbackState *Sav = NULL; | 74 | XFeedbackState *Sav = NULL; | |
74 | xFeedbackState *f = NULL; | 75 | xFeedbackState *f = NULL; | |
75 | xFeedbackState *sav = NULL; | 76 | xFeedbackState *sav = NULL; | |
77 | char *end = NULL; | |||
76 | xGetFeedbackControlReq *req; | 78 | xGetFeedbackControlReq *req; | |
77 | xGetFeedbackControlReply rep; | 79 | xGetFeedbackControlReply rep; | |
78 | XExtDisplayInfo *info = XInput_find_display (dpy); | 80 | XExtDisplayInfo *info = XInput_find_display (dpy); | |
79 | 81 | |||
80 | LockDisplay (dpy); | 82 | LockDisplay (dpy); | |
81 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | 83 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | |
82 | return ((XFeedbackState *) NoSuchExtension); | 84 | return ((XFeedbackState *) NoSuchExtension); | |
83 | 85 | |||
84 | GetReq(GetFeedbackControl,req); | 86 | GetReq(GetFeedbackControl,req); | |
85 | req->reqType = info->codes->major_opcode; | 87 | req->reqType = info->codes->major_opcode; | |
86 | req->ReqType = X_GetFeedbackControl; | 88 | req->ReqType = X_GetFeedbackControl; | |
87 | req->deviceid = dev->device_id; | 89 | req->deviceid = dev->device_id; | |
88 | 90 | |||
89 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | 91 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | |
90 | { | 92 | { | |
91 | UnlockDisplay(dpy); | 93 | UnlockDisplay(dpy); | |
92 | SyncHandle(); | 94 | SyncHandle(); | |
93 | return (XFeedbackState *) NULL; | 95 | return (XFeedbackState *) NULL; | |
94 | } | 96 | } | |
95 | if (rep.length > 0) | 97 | if (rep.length > 0) | |
96 | { | 98 | { | |
97 | *num_feedbacks = rep.num_feedbacks; | 99 | *num_feedbacks = rep.num_feedbacks; | |
98 | nbytes = (long)rep.length << 2; | 100 | ||
99 | f = (xFeedbackState *) Xmalloc((unsigned) nbytes); | 101 | if (rep.length < (INT_MAX >> 2)) { | |
102 | nbytes = (long)rep.length << 2; | |||
103 | f = (xFeedbackState *) Xmalloc((unsigned) nbytes); | |||
104 | } | |||
100 | if (!f) | 105 | if (!f) | |
101 | { | 106 | { | |
102 | _XEatData (dpy, (unsigned long) nbytes); | 107 | _XEatData (dpy, (unsigned long) nbytes); | |
103 | UnlockDisplay(dpy); | 108 | UnlockDisplay(dpy); | |
104 | SyncHandle(); | 109 | SyncHandle(); | |
105 | return (XFeedbackState *) NULL; | 110 | return (XFeedbackState *) NULL; | |
106 | } | 111 | } | |
107 | sav = f; | 112 | sav = f; | |
113 | end = (char *)f + nbytes; | |||
108 | _XRead (dpy, (char *) f, nbytes); | 114 | _XRead (dpy, (char *) f, nbytes); | |
109 | 115 | |||
110 | for (i=0; i<*num_feedbacks; i++) | 116 | for (i=0; i<*num_feedbacks; i++) | |
111 | { | 117 | { | |
118 | if ((char *)f + sizeof(*f) > end || | |||
119 | f->length == 0 || f->length > nbytes) | |||
120 | goto out; | |||
112 | switch (f->class) | 121 | switch (f->class) | |
113 | { | 122 | { | |
114 | case KbdFeedbackClass: | 123 | case KbdFeedbackClass: | |
115 | size += sizeof (XKbdFeedbackState); | 124 | size += sizeof (XKbdFeedbackState); | |
116 | break; | 125 | break; | |
117 | case PtrFeedbackClass: | 126 | case PtrFeedbackClass: | |
118 | size += sizeof (XPtrFeedbackState); | 127 | size += sizeof (XPtrFeedbackState); | |
119 | break; | 128 | break; | |
120 | case IntegerFeedbackClass: | 129 | case IntegerFeedbackClass: | |
121 | size += sizeof (XIntegerFeedbackState); | 130 | size += sizeof (XIntegerFeedbackState); | |
122 | break; | 131 | break; | |
123 | case StringFeedbackClass: | 132 | case StringFeedbackClass: | |
124 | { | 133 | { | |
@@ -248,26 +257,27 @@ XFeedbackState | @@ -248,26 +257,27 @@ XFeedbackState | |||
248 | B->length = sizeof (XBellFeedbackState); | 257 | B->length = sizeof (XBellFeedbackState); | |
249 | B->id = b->id; | 258 | B->id = b->id; | |
250 | B->percent = b->percent; | 259 | B->percent = b->percent; | |
251 | B->pitch = b->pitch; | 260 | B->pitch = b->pitch; | |
252 | B->duration = b->duration; | 261 | B->duration = b->duration; | |
253 | break; | 262 | break; | |
254 | } | 263 | } | |
255 | default: | 264 | default: | |
256 | break; | 265 | break; | |
257 | } | 266 | } | |
258 | f = (xFeedbackState *) ((char *) f + f->length); | 267 | f = (xFeedbackState *) ((char *) f + f->length); | |
259 | Feedback = (XFeedbackState *) ((char *) Feedback+Feedback->length); | 268 | Feedback = (XFeedbackState *) ((char *) Feedback+Feedback->length); | |
260 | } | 269 | } | |
270 | out: | |||
261 | XFree ((char *)sav); | 271 | XFree ((char *)sav); | |
262 | } | 272 | } | |
263 | 273 | |||
264 | UnlockDisplay(dpy); | 274 | UnlockDisplay(dpy); | |
265 | SyncHandle(); | 275 | SyncHandle(); | |
266 | return (Sav); | 276 | return (Sav); | |
267 | } | 277 | } | |
268 | 278 | |||
269 | void XFreeFeedbackList (list) | 279 | void XFreeFeedbackList (list) | |
270 | XFeedbackState *list; | 280 | XFeedbackState *list; | |
271 | { | 281 | { | |
272 | XFree ((char *)list); | 282 | XFree ((char *)list); | |
273 | } | 283 | } |
--- xsrc/xfree/xc/lib/Xi/Attic/XGetMMap.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetMMap.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | |||
43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | 43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | |
44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | 44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | |
45 | SOFTWARE. | 45 | SOFTWARE. | |
46 | 46 | |||
47 | ********************************************************/ | 47 | ********************************************************/ | |
48 | /* $XFree86: xc/lib/Xi/XGetMMap.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */ | 48 | /* $XFree86: xc/lib/Xi/XGetMMap.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */ | |
49 | 49 | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XGetDeviceModifierMapping - get the modifier map of an extension device. | 52 | * XGetDeviceModifierMapping - get the modifier map of an extension device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <limits.h> | |||
56 | #include <X11/extensions/XI.h> | 57 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 58 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 59 | #include <X11/Xlibint.h> | |
59 | #include <X11/extensions/XInput.h> | 60 | #include <X11/extensions/XInput.h> | |
60 | #include <X11/extensions/extutil.h> | 61 | #include <X11/extensions/extutil.h> | |
61 | #include "XIint.h" | 62 | #include "XIint.h" | |
62 | 63 | |||
63 | XModifierKeymap | 64 | XModifierKeymap | |
64 | *XGetDeviceModifierMapping (dpy, dev) | 65 | *XGetDeviceModifierMapping (dpy, dev) | |
65 | register Display *dpy; | 66 | register Display *dpy; | |
66 | XDevice *dev; | 67 | XDevice *dev; | |
67 | { | 68 | { | |
68 | unsigned long nbytes; | 69 | unsigned long nbytes; | |
@@ -76,28 +77,34 @@ XModifierKeymap | @@ -76,28 +77,34 @@ XModifierKeymap | |||
76 | return ((XModifierKeymap *) NoSuchExtension); | 77 | return ((XModifierKeymap *) NoSuchExtension); | |
77 | 78 | |||
78 | GetReq(GetDeviceModifierMapping,req); | 79 | GetReq(GetDeviceModifierMapping,req); | |
79 | req->reqType = info->codes->major_opcode; | 80 | req->reqType = info->codes->major_opcode; | |
80 | req->ReqType = X_GetDeviceModifierMapping; | 81 | req->ReqType = X_GetDeviceModifierMapping; | |
81 | req->deviceid = dev->device_id; | 82 | req->deviceid = dev->device_id; | |
82 | 83 | |||
83 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | 84 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | |
84 | { | 85 | { | |
85 | UnlockDisplay(dpy); | 86 | UnlockDisplay(dpy); | |
86 | SyncHandle(); | 87 | SyncHandle(); | |
87 | return (XModifierKeymap *) NULL; | 88 | return (XModifierKeymap *) NULL; | |
88 | } | 89 | } | |
89 | nbytes = (unsigned long)rep.length << 2; | 90 | if (rep.length < (INT_MAX >> 2) && | |
90 | res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); | 91 | rep.numKeyPerModifier == rep.length >> 1) { | |
92 | nbytes = (unsigned long)rep.length << 2; | |||
93 | res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); | |||
94 | } else { | |||
95 | nbytes = 0; | |||
96 | res = NULL; | |||
97 | } | |||
91 | if (res) | 98 | if (res) | |
92 | { | 99 | { | |
93 | res->modifiermap = (KeyCode *) Xmalloc (nbytes); | 100 | res->modifiermap = (KeyCode *) Xmalloc (nbytes); | |
94 | if (res->modifiermap) | 101 | if (res->modifiermap) | |
95 | _XReadPad(dpy, (char *) res->modifiermap, nbytes); | 102 | _XReadPad(dpy, (char *) res->modifiermap, nbytes); | |
96 | else | 103 | else | |
97 | _XEatData (dpy, (unsigned long) nbytes); | 104 | _XEatData (dpy, (unsigned long) nbytes); | |
98 | res->max_keypermod = rep.numKeyPerModifier; | 105 | res->max_keypermod = rep.numKeyPerModifier; | |
99 | } | 106 | } | |
100 | 107 | |||
101 | UnlockDisplay(dpy); | 108 | UnlockDisplay(dpy); | |
102 | SyncHandle(); | 109 | SyncHandle(); | |
103 | return (res); | 110 | return (res); |
--- xsrc/xfree/xc/lib/Xi/Attic/XOpenDev.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XOpenDev.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | |||
43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | 43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | |
44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | 44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | |
45 | SOFTWARE. | 45 | SOFTWARE. | |
46 | 46 | |||
47 | ********************************************************/ | 47 | ********************************************************/ | |
48 | /* $XFree86: xc/lib/Xi/XOpenDev.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */ | 48 | /* $XFree86: xc/lib/Xi/XOpenDev.c,v 3.4 2002/10/16 00:37:29 dawes Exp $ */ | |
49 | 49 | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XOpenDevice - Request the server to open and extension input device. | 52 | * XOpenDevice - Request the server to open and extension input device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <limits.h> | |||
56 | #include <X11/extensions/XI.h> | 57 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 58 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 59 | #include <X11/Xlibint.h> | |
59 | #include <X11/extensions/XInput.h> | 60 | #include <X11/extensions/XInput.h> | |
60 | #include <X11/extensions/extutil.h> | 61 | #include <X11/extensions/extutil.h> | |
61 | #include "XIint.h" | 62 | #include "XIint.h" | |
62 | 63 | |||
63 | XDevice | 64 | XDevice | |
64 | *XOpenDevice(dpy, id) | 65 | *XOpenDevice(dpy, id) | |
65 | register Display *dpy; | 66 | register Display *dpy; | |
66 | register XID id; | 67 | register XID id; | |
67 | { | 68 | { | |
68 | register long rlen; /* raw length */ | 69 | register long rlen; /* raw length */ | |
@@ -77,29 +78,35 @@ XDevice | @@ -77,29 +78,35 @@ XDevice | |||
77 | 78 | |||
78 | GetReq(OpenDevice,req); | 79 | GetReq(OpenDevice,req); | |
79 | req->reqType = info->codes->major_opcode; | 80 | req->reqType = info->codes->major_opcode; | |
80 | req->ReqType = X_OpenDevice; | 81 | req->ReqType = X_OpenDevice; | |
81 | req->deviceid = id; | 82 | req->deviceid = id; | |
82 | 83 | |||
83 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | 84 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | |
84 | { | 85 | { | |
85 | UnlockDisplay(dpy); | 86 | UnlockDisplay(dpy); | |
86 | SyncHandle(); | 87 | SyncHandle(); | |
87 | return (XDevice *) NULL; | 88 | return (XDevice *) NULL; | |
88 | } | 89 | } | |
89 | 90 | |||
90 | rlen = rep.length << 2; | 91 | if (rep.length < INT_MAX >> 2 && | |
91 | dev = (XDevice *) Xmalloc (sizeof(XDevice) + rep.num_classes * | 92 | (rep.length << 2) >= rep.num_classes * sizeof(xInputClassInfo)) { | |
92 | sizeof (XInputClassInfo)); | 93 | rlen = rep.length << 2; | |
94 | dev = (XDevice *) Xmalloc (sizeof(XDevice) + rep.num_classes * | |||
95 | sizeof (XInputClassInfo)); | |||
96 | } else { | |||
97 | rlen = 0; | |||
98 | dev = NULL; | |||
99 | } | |||
93 | if (dev) | 100 | if (dev) | |
94 | { | 101 | { | |
95 | int dlen; /* data length */ | 102 | int dlen; /* data length */ | |
96 | 103 | |||
97 | dev->device_id = req->deviceid; | 104 | dev->device_id = req->deviceid; | |
98 | dev->num_classes = rep.num_classes; | 105 | dev->num_classes = rep.num_classes; | |
99 | dev->classes = (XInputClassInfo *) ((char *) dev + sizeof (XDevice)); | 106 | dev->classes = (XInputClassInfo *) ((char *) dev + sizeof (XDevice)); | |
100 | dlen = rep.num_classes * sizeof(xInputClassInfo); | 107 | dlen = rep.num_classes * sizeof(xInputClassInfo); | |
101 | _XRead (dpy, (char *)dev->classes, dlen); | 108 | _XRead (dpy, (char *)dev->classes, dlen); | |
102 | /* could be padding that we still need to eat (yummy!) */ | 109 | /* could be padding that we still need to eat (yummy!) */ | |
103 | if(rlen - dlen > 0) | 110 | if(rlen - dlen > 0) | |
104 | _XEatData (dpy, (unsigned long) rlen - dlen); | 111 | _XEatData (dpy, (unsigned long) rlen - dlen); | |
105 | } | 112 | } |
--- xsrc/xfree/xc/lib/Xi/Attic/XQueryDv.c 2003/02/28 13:18:51 1.1.1.5
+++ xsrc/xfree/xc/lib/Xi/Attic/XQueryDv.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -49,84 +49,93 @@ SOFTWARE. | @@ -49,84 +49,93 @@ SOFTWARE. | |||
49 | 49 | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XQueryDeviceState - Query the state of an extension input device. | 52 | * XQueryDeviceState - Query the state of an extension input device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <X11/extensions/XI.h> | 56 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 57 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 58 | #include <X11/Xlibint.h> | |
59 | #include <X11/extensions/XInput.h> | 59 | #include <X11/extensions/XInput.h> | |
60 | #include <X11/extensions/extutil.h> | 60 | #include <X11/extensions/extutil.h> | |
61 | #include "XIint.h" | 61 | #include "XIint.h" | |
62 | #include <limits.h> | |||
62 | 63 | |||
63 | XDeviceState | 64 | XDeviceState | |
64 | *XQueryDeviceState (dpy, dev) | 65 | *XQueryDeviceState (dpy, dev) | |
65 | register Display *dpy; | 66 | register Display *dpy; | |
66 | XDevice *dev; | 67 | XDevice *dev; | |
67 | { | 68 | { | |
68 | int i,j; | 69 | int i,j; | |
69 | int rlen; | 70 | int rlen = 0; | |
70 | int size = 0; | 71 | int size = 0; | |
71 | xQueryDeviceStateReq *req; | 72 | xQueryDeviceStateReq *req; | |
72 | xQueryDeviceStateReply rep; | 73 | xQueryDeviceStateReply rep; | |
73 | XDeviceState *state = NULL; | 74 | XDeviceState *state = NULL; | |
74 | XInputClass *any, *Any; | 75 | XInputClass *any, *Any; | |
75 | char *data; | 76 | char *data = NULL, *end = NULL; | |
76 | XExtDisplayInfo *info = XInput_find_display (dpy); | 77 | XExtDisplayInfo *info = XInput_find_display (dpy); | |
77 | 78 | |||
78 | LockDisplay (dpy); | 79 | LockDisplay (dpy); | |
79 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | 80 | if (_XiCheckExtInit(dpy, XInput_Initial_Release) == -1) | |
80 | return ((XDeviceState *) NoSuchExtension); | 81 | return ((XDeviceState *) NoSuchExtension); | |
81 | 82 | |||
82 | GetReq(QueryDeviceState,req); | 83 | GetReq(QueryDeviceState,req); | |
83 | req->reqType = info->codes->major_opcode; | 84 | req->reqType = info->codes->major_opcode; | |
84 | req->ReqType = X_QueryDeviceState; | 85 | req->ReqType = X_QueryDeviceState; | |
85 | req->deviceid = dev->device_id; | 86 | req->deviceid = dev->device_id; | |
86 | 87 | |||
87 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | 88 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | |
88 | { | 89 | { | |
89 | UnlockDisplay(dpy); | 90 | UnlockDisplay(dpy); | |
90 | SyncHandle(); | 91 | SyncHandle(); | |
91 | return (XDeviceState *) NULL; | 92 | return (XDeviceState *) NULL; | |
92 | } | 93 | } | |
93 | 94 | |||
94 | rlen = rep.length << 2; | 95 | if (rep.length > 0) { | |
95 | if (rlen > 0) | 96 | if (rep.length < (INT_MAX >> 2)) { | |
96 | { | 97 | rlen = (unsigned long) rep.length << 2; | |
97 | data = Xmalloc (rlen); | 98 | data = Xmalloc(rlen); | |
99 | end = data + rlen; | |||
100 | } | |||
98 | if (!data) | 101 | if (!data) | |
99 | { | 102 | { | |
100 | _XEatData (dpy, (unsigned long) rlen); | 103 | _XEatData (dpy, (unsigned long) rlen); | |
101 | UnlockDisplay(dpy); | 104 | UnlockDisplay(dpy); | |
102 | SyncHandle(); | 105 | SyncHandle(); | |
103 | return ((XDeviceState *) NULL); | 106 | return ((XDeviceState *) NULL); | |
104 | } | 107 | } | |
108 | end = data + rlen; | |||
105 | _XRead (dpy, data, rlen); | 109 | _XRead (dpy, data, rlen); | |
106 | 110 | |||
107 | for (i=0, any=(XInputClass *) data; i<(int)rep.num_classes; i++) | 111 | for (i=0, any=(XInputClass *) data; i<(int)rep.num_classes; i++) | |
108 | { | 112 | { | |
113 | if ((char *)any + sizeof(XInputClass) > end || | |||
114 | any->length == 0 || any->length > rlen) | |||
115 | goto out; | |||
109 | switch (any->class) | 116 | switch (any->class) | |
110 | { | 117 | { | |
111 | case KeyClass: | 118 | case KeyClass: | |
112 | size += sizeof (XKeyState); | 119 | size += sizeof (XKeyState); | |
113 | break; | 120 | break; | |
114 | case ButtonClass: | 121 | case ButtonClass: | |
115 | size += sizeof (XButtonState); | 122 | size += sizeof (XButtonState); | |
116 | break; | 123 | break; | |
117 | case ValuatorClass: | 124 | case ValuatorClass: | |
118 | { | 125 | { | |
119 | xValuatorState *v = (xValuatorState *) any; | 126 | xValuatorState *v = (xValuatorState *) any; | |
127 | if ((char *)any + sizeof(xValuatorState) > end) | |||
128 | goto out; | |||
120 | size += (sizeof (XValuatorState) + | 129 | size += (sizeof (XValuatorState) + | |
121 | (v->num_valuators * sizeof(int))); | 130 | (v->num_valuators * sizeof(int))); | |
122 | } | 131 | } | |
123 | break; | 132 | break; | |
124 | } | 133 | } | |
125 | any = (XInputClass *) ((char *) any + any->length); | 134 | any = (XInputClass *) ((char *) any + any->length); | |
126 | } | 135 | } | |
127 | state = (XDeviceState *) Xmalloc (size + sizeof(XDeviceState)); | 136 | state = (XDeviceState *) Xmalloc (size + sizeof(XDeviceState)); | |
128 | if (!state) | 137 | if (!state) | |
129 | { | 138 | { | |
130 | UnlockDisplay(dpy); | 139 | UnlockDisplay(dpy); | |
131 | SyncHandle(); | 140 | SyncHandle(); | |
132 | return ((XDeviceState *) NULL); | 141 | return ((XDeviceState *) NULL); | |
@@ -176,23 +185,24 @@ XDeviceState | @@ -176,23 +185,24 @@ XDeviceState | |||
176 | V->valuators = (int *) Any; | 185 | V->valuators = (int *) Any; | |
177 | for (j=0; j<(int)V->num_valuators; j++) | 186 | for (j=0; j<(int)V->num_valuators; j++) | |
178 | *(V->valuators + j) = *valuators++; | 187 | *(V->valuators + j) = *valuators++; | |
179 | Any = (XInputClass *)((char *) Any + | 188 | Any = (XInputClass *)((char *) Any + | |
180 | V->num_valuators * sizeof (int)); | 189 | V->num_valuators * sizeof (int)); | |
181 | } | 190 | } | |
182 | break; | 191 | break; | |
183 | } | 192 | } | |
184 | any = (XInputClass *) ((char *) any + any->length); | 193 | any = (XInputClass *) ((char *) any + any->length); | |
185 | } | 194 | } | |
186 | Xfree(data); | 195 | Xfree(data); | |
187 | } | 196 | } | |
188 | 197 | |||
198 | out: | |||
189 | UnlockDisplay(dpy); | 199 | UnlockDisplay(dpy); | |
190 | SyncHandle(); | 200 | SyncHandle(); | |
191 | return (state); | 201 | return (state); | |
192 | } | 202 | } | |
193 | 203 | |||
194 | void XFreeDeviceState (list) | 204 | void XFreeDeviceState (list) | |
195 | XDeviceState *list; | 205 | XDeviceState *list; | |
196 | { | 206 | { | |
197 | XFree ((char *)list); | 207 | XFree ((char *)list); | |
198 | } | 208 | } |
--- xsrc/xfree/xc/lib/Xi/Attic/XGetKMap.c 2004/03/05 14:24:25 1.1.1.6
+++ xsrc/xfree/xc/lib/Xi/Attic/XGetKMap.c 2016/10/05 10:49:30 1.1.1.6.28.1
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | |||
43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | 43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | |
44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | 44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | |
45 | SOFTWARE. | 45 | SOFTWARE. | |
46 | 46 | |||
47 | ********************************************************/ | 47 | ********************************************************/ | |
48 | /* $XFree86: xc/lib/Xi/XGetKMap.c,v 3.5 2003/11/17 22:20:21 dawes Exp $ */ | 48 | /* $XFree86: xc/lib/Xi/XGetKMap.c,v 3.5 2003/11/17 22:20:21 dawes Exp $ */ | |
49 | 49 | |||
50 | /*********************************************************************** | 50 | /*********************************************************************** | |
51 | * | 51 | * | |
52 | * XGetDeviceKeyMapping - get the keymap of an extension device. | 52 | * XGetDeviceKeyMapping - get the keymap of an extension device. | |
53 | * | 53 | * | |
54 | */ | 54 | */ | |
55 | 55 | |||
56 | #include <limits.h> | |||
56 | #include <X11/extensions/XI.h> | 57 | #include <X11/extensions/XI.h> | |
57 | #include <X11/extensions/XIproto.h> | 58 | #include <X11/extensions/XIproto.h> | |
58 | #include <X11/Xlibint.h> | 59 | #include <X11/Xlibint.h> | |
59 | #include <X11/extensions/XInput.h> | 60 | #include <X11/extensions/XInput.h> | |
60 | #include <X11/extensions/extutil.h> | 61 | #include <X11/extensions/extutil.h> | |
61 | #include "XIint.h" | 62 | #include "XIint.h" | |
62 | 63 | |||
63 | KeySym * | 64 | KeySym * | |
64 | XGetDeviceKeyMapping ( | 65 | XGetDeviceKeyMapping ( | |
65 | register Display *dpy, | 66 | register Display *dpy, | |
66 | XDevice *dev, | 67 | XDevice *dev, | |
67 | #if NeedWidePrototypes | 68 | #if NeedWidePrototypes | |
68 | unsigned int first, | 69 | unsigned int first, | |
@@ -86,26 +87,33 @@ XGetDeviceKeyMapping ( | @@ -86,26 +87,33 @@ XGetDeviceKeyMapping ( | |||
86 | req->reqType = info->codes->major_opcode; | 87 | req->reqType = info->codes->major_opcode; | |
87 | req->ReqType = X_GetDeviceKeyMapping; | 88 | req->ReqType = X_GetDeviceKeyMapping; | |
88 | req->deviceid = dev->device_id; | 89 | req->deviceid = dev->device_id; | |
89 | req->firstKeyCode = first; | 90 | req->firstKeyCode = first; | |
90 | req->count = keycount; | 91 | req->count = keycount; | |
91 | 92 | |||
92 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | 93 | if (! _XReply (dpy, (xReply *) &rep, 0, xFalse)) | |
93 | { | 94 | { | |
94 | UnlockDisplay(dpy); | 95 | UnlockDisplay(dpy); | |
95 | SyncHandle(); | 96 | SyncHandle(); | |
96 | return (KeySym *) NULL; | 97 | return (KeySym *) NULL; | |
97 | } | 98 | } | |
98 | if (rep.length > 0) { | 99 | if (rep.length > 0) { | |
99 | *syms_per_code = rep.keySymsPerKeyCode; | 100 | if (rep.length < INT_MAX >> 2 && | |
100 | nbytes = (long)rep.length << 2; | 101 | rep.length == rep.keySymsPerKeyCode * keycount) { | |
101 | mapping = (KeySym *) Xmalloc((unsigned) nbytes); | 102 | *syms_per_code = rep.keySymsPerKeyCode; | |
103 | nbytes = (long)rep.length << 2; | |||
104 | mapping = (KeySym *) Xmalloc((unsigned) nbytes); | |||
105 | } else { | |||
106 | *syms_per_code = 0; | |||
107 | nbytes = 0; | |||
108 | mapping = NULL; | |||
109 | } | |||
102 | if (mapping) | 110 | if (mapping) | |
103 | _XRead (dpy, (char *)mapping, nbytes); | 111 | _XRead (dpy, (char *)mapping, nbytes); | |
104 | else | 112 | else | |
105 | _XEatData (dpy, (unsigned long) nbytes); | 113 | _XEatData (dpy, (unsigned long) nbytes); | |
106 | } | 114 | } | |
107 | 115 | |||
108 | UnlockDisplay(dpy); | 116 | UnlockDisplay(dpy); | |
109 | SyncHandle(); | 117 | SyncHandle(); | |
110 | return (mapping); | 118 | return (mapping); | |
111 | } | 119 | } |
--- xsrc/xfree/xc/lib/Xrender/Attic/Filter.c 2003/02/28 13:18:52 1.1.1.1
+++ xsrc/xfree/xc/lib/Xrender/Attic/Filter.c 2016/10/05 10:49:30 1.1.1.1.30.1
@@ -25,27 +25,27 @@ | @@ -25,27 +25,27 @@ | |||
25 | #include "Xrenderint.h" | 25 | #include "Xrenderint.h" | |
26 | 26 | |||
27 | XFilters * | 27 | XFilters * | |
28 | XRenderQueryFilters (Display *dpy, Drawable drawable) | 28 | XRenderQueryFilters (Display *dpy, Drawable drawable) | |
29 | { | 29 | { | |
30 | XExtDisplayInfo *info = XRenderFindDisplay (dpy); | 30 | XExtDisplayInfo *info = XRenderFindDisplay (dpy); | |
31 | XRenderInfo *xri; | 31 | XRenderInfo *xri; | |
32 | xRenderQueryFiltersReq *req; | 32 | xRenderQueryFiltersReq *req; | |
33 | xRenderQueryFiltersReply rep; | 33 | xRenderQueryFiltersReply rep; | |
34 | XFilters *filters; | 34 | XFilters *filters; | |
35 | char *name; | 35 | char *name; | |
36 | char len; | 36 | char len; | |
37 | int i; | 37 | int i; | |
38 | long nbytes, nbytesAlias, nbytesName; | 38 | long nbytes, nbytesAlias, nbytesName, reply_left; | |
39 | 39 | |||
40 | if (!XextHasExtension (info)) | 40 | if (!XextHasExtension (info)) | |
41 | return 0; | 41 | return 0; | |
42 | 42 | |||
43 | if (!XRenderQueryFormats (dpy)) | 43 | if (!XRenderQueryFormats (dpy)) | |
44 | return 0; | 44 | return 0; | |
45 | 45 | |||
46 | xri = (XRenderInfo *) info->data; | 46 | xri = (XRenderInfo *) info->data; | |
47 | if (xri->minor_version < 6) | 47 | if (xri->minor_version < 6) | |
48 | return 0; | 48 | return 0; | |
49 | 49 | |||
50 | LockDisplay (dpy); | 50 | LockDisplay (dpy); | |
51 | GetReq (RenderQueryFilters, req); | 51 | GetReq (RenderQueryFilters, req); | |
@@ -91,37 +91,47 @@ XRenderQueryFilters (Display *dpy, Drawa | @@ -91,37 +91,47 @@ XRenderQueryFilters (Display *dpy, Drawa | |||
91 | * nbytesName char strings | 91 | * nbytesName char strings | |
92 | */ | 92 | */ | |
93 | 93 | |||
94 | filters->nfilter = rep.numFilters; | 94 | filters->nfilter = rep.numFilters; | |
95 | filters->nalias = rep.numAliases; | 95 | filters->nalias = rep.numAliases; | |
96 | filters->filter = (char **) (filters + 1); | 96 | filters->filter = (char **) (filters + 1); | |
97 | filters->alias = (short *) (filters->filter + rep.numFilters); | 97 | filters->alias = (short *) (filters->filter + rep.numFilters); | |
98 | name = (char *) (filters->alias + rep.numAliases); | 98 | name = (char *) (filters->alias + rep.numAliases); | |
99 | 99 | |||
100 | /* | 100 | /* | |
101 | * Read the filter aliases | 101 | * Read the filter aliases | |
102 | */ | 102 | */ | |
103 | _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); | 103 | _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); | |
104 | reply_left = 8 + rep.length - 2 * rep.numAliases;; | |||
104 | 105 | |||
105 | /* | 106 | /* | |
106 | * Read the filter names | 107 | * Read the filter names | |
107 | */ | 108 | */ | |
108 | for (i = 0; i < rep.numFilters; i++) | 109 | for (i = 0; i < rep.numFilters; i++) | |
109 | { | 110 | { | |
110 | int l; | 111 | int l; | |
111 | _XRead (dpy, &len, 1); | 112 | _XRead (dpy, &len, 1); | |
113 | reply_left--; | |||
112 | l = len & 0xff; | 114 | l = len & 0xff; | |
115 | if ((unsigned long)l + 1 > nbytesName) { | |||
116 | Xfree(filters); | |||
117 | UnlockDisplay (dpy); | |||
118 | SyncHandle (); | |||
119 | return NULL; | |||
120 | } | |||
121 | nbytesName -= l + 1; | |||
113 | filters->filter[i] = name; | 122 | filters->filter[i] = name; | |
114 | _XRead (dpy, name, l); | 123 | _XRead (dpy, name, l); | |
124 | reply_left -= l; | |||
115 | name[l] = '\0'; | 125 | name[l] = '\0'; | |
116 | name += l + 1; | 126 | name += l + 1; | |
117 | } | 127 | } | |
118 | i = name - (char *) (filters->alias + rep.numAliases); | 128 | i = name - (char *) (filters->alias + rep.numAliases); | |
119 | 129 | |||
120 | if (i & 3) | 130 | if (i & 3) | |
121 | _XEatData (dpy, 4 - (i & 3)); | 131 | _XEatData (dpy, 4 - (i & 3)); | |
122 | 132 | |||
123 | UnlockDisplay (dpy); | 133 | UnlockDisplay (dpy); | |
124 | return filters; | 134 | return filters; | |
125 | } | 135 | } | |
126 | 136 | |||
127 | void | 137 | void |
--- xsrc/xfree/xc/lib/Xrender/Attic/Xrender.c 2003/02/28 13:18:52 1.1.1.5
+++ xsrc/xfree/xc/lib/Xrender/Attic/Xrender.c 2016/10/05 10:49:30 1.1.1.5.30.1
@@ -279,32 +279,48 @@ XRenderQueryFormats (Display *dpy) | @@ -279,32 +279,48 @@ XRenderQueryFormats (Display *dpy) | |||
279 | xFormat++; | 279 | xFormat++; | |
280 | } | 280 | } | |
281 | xScreen = (xPictScreen *) xFormat; | 281 | xScreen = (xPictScreen *) xFormat; | |
282 | screen = xri->screen; | 282 | screen = xri->screen; | |
283 | depth = xri->depth; | 283 | depth = xri->depth; | |
284 | visual = xri->visual; | 284 | visual = xri->visual; | |
285 | for (ns = 0; ns < xri->nscreen; ns++) | 285 | for (ns = 0; ns < xri->nscreen; ns++) | |
286 | { | 286 | { | |
287 | screen->depths = depth; | 287 | screen->depths = depth; | |
288 | screen->ndepths = xScreen->nDepth; | 288 | screen->ndepths = xScreen->nDepth; | |
289 | screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); | 289 | screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); | |
290 | screen->subpixel = SubPixelUnknown; | 290 | screen->subpixel = SubPixelUnknown; | |
291 | xDepth = (xPictDepth *) (xScreen + 1); | 291 | xDepth = (xPictDepth *) (xScreen + 1); | |
292 | if (screen->ndepths > rep.numDepths) { | |||
293 | Xfree (xri); | |||
294 | Xfree (xData); | |||
295 | UnlockDisplay (dpy); | |||
296 | SyncHandle (); | |||
297 | return 0; | |||
298 | } | |||
299 | rep.numDepths -= screen->ndepths; | |||
292 | for (nd = 0; nd < screen->ndepths; nd++) | 300 | for (nd = 0; nd < screen->ndepths; nd++) | |
293 | { | 301 | { | |
294 | depth->depth = xDepth->depth; | 302 | depth->depth = xDepth->depth; | |
295 | depth->nvisuals = xDepth->nPictVisuals; | 303 | depth->nvisuals = xDepth->nPictVisuals; | |
296 | depth->visuals = visual; | 304 | depth->visuals = visual; | |
297 | xVisual = (xPictVisual *) (xDepth + 1); | 305 | xVisual = (xPictVisual *) (xDepth + 1); | |
306 | if (depth->nvisuals > rep.numVisuals) { | |||
307 | Xfree (xri); | |||
308 | Xfree (xData); | |||
309 | UnlockDisplay (dpy); | |||
310 | SyncHandle (); | |||
311 | return 0; | |||
312 | } | |||
313 | rep.numVisuals -= depth->nvisuals; | |||
298 | for (nv = 0; nv < depth->nvisuals; nv++) | 314 | for (nv = 0; nv < depth->nvisuals; nv++) | |
299 | { | 315 | { | |
300 | visual->visual = _XRenderFindVisual (dpy, xVisual->visual); | 316 | visual->visual = _XRenderFindVisual (dpy, xVisual->visual); | |
301 | visual->format = _XRenderFindFormat (xri, xVisual->format); | 317 | visual->format = _XRenderFindFormat (xri, xVisual->format); | |
302 | visual++; | 318 | visual++; | |
303 | xVisual++; | 319 | xVisual++; | |
304 | } | 320 | } | |
305 | depth++; | 321 | depth++; | |
306 | xDepth = (xPictDepth *) xVisual; | 322 | xDepth = (xPictDepth *) xVisual; | |
307 | } | 323 | } | |
308 | screen++; | 324 | screen++; | |
309 | xScreen = (xPictScreen *) xDepth; | 325 | xScreen = (xPictScreen *) xDepth; | |
310 | } | 326 | } |
--- xsrc/xfree/xc/lib/Xtst/Attic/XRecord.c 2005/03/18 13:04:54 1.1.1.6
+++ xsrc/xfree/xc/lib/Xtst/Attic/XRecord.c 2016/10/05 10:49:30 1.1.1.6.16.1
@@ -41,26 +41,27 @@ from The Open Group. | @@ -41,26 +41,27 @@ from The Open Group. | |||
41 | * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | 41 | * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY | |
42 | * AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE | 42 | * AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE | |
43 | * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | 43 | * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |
44 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN | 44 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN | |
45 | * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING | 45 | * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING | |
46 | * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 46 | * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |
47 | **************************************************************************/ | 47 | **************************************************************************/ | |
48 | /* | 48 | /* | |
49 | * By Stephen Gildea, X Consortium, and Martha Zimet, NCD. | 49 | * By Stephen Gildea, X Consortium, and Martha Zimet, NCD. | |
50 | */ | 50 | */ | |
51 | /* $XFree86: xc/lib/Xtst/XRecord.c,v 1.8 2005/01/27 02:28:59 dawes Exp $ */ | 51 | /* $XFree86: xc/lib/Xtst/XRecord.c,v 1.8 2005/01/27 02:28:59 dawes Exp $ */ | |
52 | 52 | |||
53 | #include <stdio.h> | 53 | #include <stdio.h> | |
54 | #include <limits.h> | |||
54 | #include <assert.h> | 55 | #include <assert.h> | |
55 | #define NEED_EVENTS | 56 | #define NEED_EVENTS | |
56 | #define NEED_REPLIES | 57 | #define NEED_REPLIES | |
57 | #include <X11/Xlibint.h> | 58 | #include <X11/Xlibint.h> | |
58 | #include <X11/extensions/Xext.h> | 59 | #include <X11/extensions/Xext.h> | |
59 | #include <X11/Xtrans.h> | 60 | #include <X11/Xtrans.h> | |
60 | #include <X11/extensions/extutil.h> | 61 | #include <X11/extensions/extutil.h> | |
61 | #include <X11/extensions/recordstr.h> | 62 | #include <X11/extensions/recordstr.h> | |
62 | 63 | |||
63 | static XExtensionInfo _xrecord_info_data; | 64 | static XExtensionInfo _xrecord_info_data; | |
64 | static XExtensionInfo *xrecord_info = &_xrecord_info_data; | 65 | static XExtensionInfo *xrecord_info = &_xrecord_info_data; | |
65 | static /* const */ char *xrecord_extension_name = RECORD_NAME; | 66 | static /* const */ char *xrecord_extension_name = RECORD_NAME; | |
66 | 67 | |||
@@ -718,89 +719,118 @@ parse_reply_call_callback(Display *dpy, | @@ -718,89 +719,118 @@ parse_reply_call_callback(Display *dpy, | |||
718 | return Error; | 719 | return Error; | |
719 | 720 | |||
720 | data->id_base = rep->idBase; | 721 | data->id_base = rep->idBase; | |
721 | data->category = rep->category; | 722 | data->category = rep->category; | |
722 | data->client_swapped = rep->clientSwapped; | 723 | data->client_swapped = rep->clientSwapped; | |
723 | data->server_time = rep->serverTime; | 724 | data->server_time = rep->serverTime; | |
724 | data->client_seq = rep->recordedSequenceNumber; | 725 | data->client_seq = rep->recordedSequenceNumber; | |
725 | /* | 726 | /* | |
726 | * compute the size of this protocol element. | 727 | * compute the size of this protocol element. | |
727 | */ | 728 | */ | |
728 | switch (rep->category) { | 729 | switch (rep->category) { | |
729 | case XRecordFromServer: | 730 | case XRecordFromServer: | |
730 | if (rep->elementHeader&XRecordFromServerTime) { | 731 | if (rep->elementHeader&XRecordFromServerTime) { | |
732 | if (current_index + 4 > rep->length << 2) | |||
733 | return Error; | |||
731 | EXTRACT_CARD32(rep->clientSwapped, | 734 | EXTRACT_CARD32(rep->clientSwapped, | |
732 | reply->buf+current_index, | 735 | reply->buf+current_index, | |
733 | data->server_time); | 736 | data->server_time); | |
734 | current_index += 4; | 737 | current_index += 4; | |
735 | } | 738 | } | |
739 | if (current_index + 1 > rep->length << 2) | |||
740 | return Error; | |||
736 | switch (reply->buf[current_index]) { | 741 | switch (reply->buf[current_index]) { | |
737 | case X_Reply: /* reply */ | 742 | case X_Reply: /* reply */ | |
743 | if (current_index + 8 > rep->length << 2) | |||
744 | return Error; | |||
738 | EXTRACT_CARD32(rep->clientSwapped, | 745 | EXTRACT_CARD32(rep->clientSwapped, | |
739 | reply->buf+current_index+4, datum_bytes); | 746 | reply->buf+current_index+4, datum_bytes); | |
747 | if (datum_bytes < 0 || datum_bytes > ((INT_MAX >> 2) - 8)) | |||
748 | return Error; | |||
740 | datum_bytes = (datum_bytes+8) << 2; | 749 | datum_bytes = (datum_bytes+8) << 2; | |
741 | break; | 750 | break; | |
742 | default: /* error or event */ | 751 | default: /* error or event */ | |
743 | datum_bytes = 32; | 752 | datum_bytes = 32; | |
744 | } | 753 | } | |
745 | break; | 754 | break; | |
746 | case XRecordFromClient: | 755 | case XRecordFromClient: | |
747 | if (rep->elementHeader&XRecordFromClientTime) { | 756 | if (rep->elementHeader&XRecordFromClientTime) { | |
757 | if (current_index + 4 > rep->length << 2) | |||
758 | return Error; | |||
748 | EXTRACT_CARD32(rep->clientSwapped, | 759 | EXTRACT_CARD32(rep->clientSwapped, | |
749 | reply->buf+current_index, | 760 | reply->buf+current_index, | |
750 | data->server_time); | 761 | data->server_time); | |
751 | current_index += 4; | 762 | current_index += 4; | |
752 | } | 763 | } | |
753 | if (rep->elementHeader&XRecordFromClientSequence) { | 764 | if (rep->elementHeader&XRecordFromClientSequence) { | |
765 | if (current_index + 4 > rep->length << 2) | |||
766 | return Error; | |||
754 | EXTRACT_CARD32(rep->clientSwapped, | 767 | EXTRACT_CARD32(rep->clientSwapped, | |
755 | reply->buf+current_index, | 768 | reply->buf+current_index, | |
756 | data->client_seq); | 769 | data->client_seq); | |
757 | current_index += 4; | 770 | current_index += 4; | |
758 | } | 771 | } | |
772 | if (current_index + 4 > rep->length<<2) | |||
773 | return Error; | |||
759 | if (reply->buf[current_index+2] == 0 | 774 | if (reply->buf[current_index+2] == 0 | |
760 | && reply->buf[current_index+3] == 0) /* needn't swap 0 */ | 775 | && reply->buf[current_index+3] == 0) /* needn't swap 0 */ | |
761 | { /* BIG-REQUESTS */ | 776 | { /* BIG-REQUESTS */ | |
777 | if (current_index + 8 > rep->length << 2) | |||
778 | return Error; | |||
762 | EXTRACT_CARD32(rep->clientSwapped, | 779 | EXTRACT_CARD32(rep->clientSwapped, | |
763 | reply->buf+current_index+4, datum_bytes); | 780 | reply->buf+current_index+4, datum_bytes); | |
764 | } else { | 781 | } else { | |
765 | EXTRACT_CARD16(rep->clientSwapped, | 782 | EXTRACT_CARD16(rep->clientSwapped, | |
766 | reply->buf+current_index+2, datum_bytes); | 783 | reply->buf+current_index+2, datum_bytes); | |
767 | } | 784 | } | |
785 | if (datum_bytes < 0 || datum_bytes > INT_MAX >> 2) | |||
786 | return Error; | |||
768 | datum_bytes <<= 2; | 787 | datum_bytes <<= 2; | |
769 | break; | 788 | break; | |
770 | case XRecordClientStarted: | 789 | case XRecordClientStarted: | |
790 | if (current_index + 8 > rep->length << 2) | |||
791 | return Error; | |||
771 | EXTRACT_CARD16(rep->clientSwapped, | 792 | EXTRACT_CARD16(rep->clientSwapped, | |
772 | reply->buf+current_index+6, datum_bytes); | 793 | reply->buf+current_index+6, datum_bytes); | |
773 | datum_bytes = (datum_bytes+2) << 2; | 794 | datum_bytes = (datum_bytes+2) << 2; | |
774 | break; | 795 | break; | |
775 | case XRecordClientDied: | 796 | case XRecordClientDied: | |
776 | if (rep->elementHeader&XRecordFromClientSequence) { | 797 | if (rep->elementHeader&XRecordFromClientSequence) { | |
798 | if (current_index + 4 > rep->length << 2) | |||
799 | return Error; | |||
777 | EXTRACT_CARD32(rep->clientSwapped, | 800 | EXTRACT_CARD32(rep->clientSwapped, | |
778 | reply->buf+current_index, | 801 | reply->buf+current_index, | |
779 | data->client_seq); | 802 | data->client_seq); | |
780 | current_index += 4; | 803 | current_index += 4; | |
781 | } | 804 | } else if (current_index < rep->length << 2) | |
782 | /* fall through */ | 805 | return Error; | |
806 | datum_bytes = 0; | |||
807 | break; | |||
783 | case XRecordStartOfData: | 808 | case XRecordStartOfData: | |
784 | case XRecordEndOfData: | 809 | case XRecordEndOfData: | |
810 | if (current_index < rep->length << 2) | |||
811 | return Error; | |||
785 | datum_bytes = 0; | 812 | datum_bytes = 0; | |
813 | break; | |||
786 | } | 814 | } | |
787 | 815 | |||
788 | if (datum_bytes > 0) { | 816 | if (datum_bytes > 0) { | |
789 | if (current_index + datum_bytes > rep->length << 2) | 817 | if (INT_MAX - datum_bytes < (rep->length << 2) - current_index) { | |
790 | fprintf(stderr, | 818 | fprintf(stderr, | |
791 | "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", | 819 | "XRecord: %lu-byte reply claims %d-byte element (seq %lu)\n", | |
792 | (long)rep->length << 2, current_index + datum_bytes, | 820 | (unsigned long)rep->length << 2, current_index + datum_bytes, | |
793 | dpy->last_request_read); | 821 | dpy->last_request_read); | |
822 | return Error; | |||
823 | } | |||
794 | /* | 824 | /* | |
795 | * This assignment (and indeed the whole buffer sharing | 825 | * This assignment (and indeed the whole buffer sharing | |
796 | * scheme) assumes arbitrary 4-byte boundaries are | 826 | * scheme) assumes arbitrary 4-byte boundaries are | |
797 | * addressable. | 827 | * addressable. | |
798 | */ | 828 | */ | |
799 | data->data = reply->buf+current_index; | 829 | data->data = reply->buf+current_index; | |
800 | reply->ref_count++; | 830 | reply->ref_count++; | |
801 | } else { | 831 | } else { | |
802 | data->data = NULL; | 832 | data->data = NULL; | |
803 | } | 833 | } | |
804 | data->data_len = datum_bytes >> 2; | 834 | data->data_len = datum_bytes >> 2; | |
805 | 835 | |||
806 | (*callback)(closure, data); | 836 | (*callback)(closure, data); | |
@@ -832,26 +862,32 @@ XRecordEnableContext(Display *dpy, XReco | @@ -832,26 +862,32 @@ XRecordEnableContext(Display *dpy, XReco | |||
832 | req->recordReqType = X_RecordEnableContext; | 862 | req->recordReqType = X_RecordEnableContext; | |
833 | req->context = context; | 863 | req->context = context; | |
834 | 864 | |||
835 | while (1) | 865 | while (1) | |
836 | { | 866 | { | |
837 | /* This code should match that in XRecordEnableContextAsync */ | 867 | /* This code should match that in XRecordEnableContextAsync */ | |
838 | if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) | 868 | if (!_XReply (dpy, (xReply *)&rep, 0, xFalse)) | |
839 | { | 869 | { | |
840 | UnlockDisplay(dpy); | 870 | UnlockDisplay(dpy); | |
841 | SyncHandle(); | 871 | SyncHandle(); | |
842 | return 0; | 872 | return 0; | |
843 | } | 873 | } | |
844 | 874 | |||
875 | if (rep.length > INT_MAX >> 2) { | |||
876 | UnlockDisplay(dpy); | |||
877 | SyncHandle(); | |||
878 | return 0; | |||
879 | } | |||
880 | ||||
845 | if (rep.length > 0) { | 881 | if (rep.length > 0) { | |
846 | reply = alloc_reply_buffer(info, rep.length<<2); | 882 | reply = alloc_reply_buffer(info, rep.length<<2); | |
847 | if (!reply) { | 883 | if (!reply) { | |
848 | UnlockDisplay(dpy); | 884 | UnlockDisplay(dpy); | |
849 | SyncHandle(); | 885 | SyncHandle(); | |
850 | return 0; | 886 | return 0; | |
851 | } | 887 | } | |
852 | _XRead (dpy, (char *)reply->buf, rep.length<<2); | 888 | _XRead (dpy, (char *)reply->buf, rep.length<<2); | |
853 | } else { | 889 | } else { | |
854 | reply = NULL; | 890 | reply = NULL; | |
855 | } | 891 | } | |
856 | 892 | |||
857 | status = parse_reply_call_callback(dpy, info, &rep, reply, | 893 | status = parse_reply_call_callback(dpy, info, &rep, reply, |
--- xsrc/xfree/xc/lib/Xv/Attic/Xv.c 2005/03/18 13:04:54 1.1.1.6
+++ xsrc/xfree/xc/lib/Xv/Attic/Xv.c 2016/10/05 10:49:30 1.1.1.6.16.1
@@ -140,61 +140,66 @@ XvQueryExtension( | @@ -140,61 +140,66 @@ XvQueryExtension( | |||
140 | 140 | |||
141 | int | 141 | int | |
142 | XvQueryAdaptors( | 142 | XvQueryAdaptors( | |
143 | Display *dpy, | 143 | Display *dpy, | |
144 | Window window, | 144 | Window window, | |
145 | unsigned int *p_nAdaptors, | 145 | unsigned int *p_nAdaptors, | |
146 | XvAdaptorInfo **p_pAdaptors | 146 | XvAdaptorInfo **p_pAdaptors | |
147 | ){ | 147 | ){ | |
148 | XExtDisplayInfo *info = xv_find_display(dpy); | 148 | XExtDisplayInfo *info = xv_find_display(dpy); | |
149 | xvQueryAdaptorsReq *req; | 149 | xvQueryAdaptorsReq *req; | |
150 | xvQueryAdaptorsReply rep; | 150 | xvQueryAdaptorsReply rep; | |
151 | int size,ii,jj; | 151 | int size,ii,jj; | |
152 | char *name; | 152 | char *name; | |
153 | char *end; | |||
153 | XvAdaptorInfo *pas, *pa; | 154 | XvAdaptorInfo *pas, *pa; | |
154 | XvFormat *pfs, *pf; | 155 | XvFormat *pfs, *pf; | |
155 | char *buffer; | 156 | char *buffer; | |
157 | int status; | |||
156 | union | 158 | union | |
157 | { | 159 | { | |
158 | char *buffer; | 160 | char *buffer; | |
159 | char *string; | 161 | char *string; | |
160 | xvAdaptorInfo *pa; | 162 | xvAdaptorInfo *pa; | |
161 | xvFormat *pf; | 163 | xvFormat *pf; | |
162 | } u; | 164 | } u; | |
163 | 165 | |||
164 | XvCheckExtension(dpy, info, XvBadExtension); | 166 | XvCheckExtension(dpy, info, XvBadExtension); | |
165 | 167 | |||
166 | LockDisplay(dpy); | 168 | LockDisplay(dpy); | |
167 | 169 | |||
168 | XvGetReq(QueryAdaptors, req); | 170 | XvGetReq(QueryAdaptors, req); | |
169 | req->window = window; | 171 | req->window = window; | |
170 | 172 | |||
171 | /* READ THE REPLY */ | 173 | /* READ THE REPLY */ | |
172 | 174 | |||
173 | if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { | 175 | if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { | |
174 | UnlockDisplay(dpy); | 176 | UnlockDisplay(dpy); | |
175 | SyncHandle(); | 177 | SyncHandle(); | |
176 | return(XvBadReply); | 178 | return(XvBadReply); | |
177 | } | 179 | } | |
178 | 180 | |||
179 | size = rep.length << 2; | 181 | size = rep.length << 2; | |
180 | if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { | 182 | if (size > 0) { | |
183 | if ((buffer = Xmalloc(size)) == NULL) { | |||
181 | UnlockDisplay(dpy); | 184 | UnlockDisplay(dpy); | |
182 | SyncHandle(); | 185 | SyncHandle(); | |
183 | return(XvBadAlloc); | 186 | return(XvBadAlloc); | |
187 | } | |||
188 | _XRead(dpy, buffer, (long) size); | |||
184 | } | 189 | } | |
185 | _XRead (dpy, buffer, size); | |||
186 | 190 | |||
187 | u.buffer = buffer; | 191 | u.buffer = buffer; | |
192 | end = buffer + size; | |||
188 | 193 | |||
189 | /* GET INPUT ADAPTORS */ | 194 | /* GET INPUT ADAPTORS */ | |
190 | 195 | |||
191 | if (rep.num_adaptors == 0) { | 196 | if (rep.num_adaptors == 0) { | |
192 | pas = NULL; | 197 | pas = NULL; | |
193 | } else { | 198 | } else { | |
194 | size = rep.num_adaptors*sizeof(XvAdaptorInfo); | 199 | size = rep.num_adaptors*sizeof(XvAdaptorInfo); | |
195 | if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) { | 200 | if ((pas=(XvAdaptorInfo *)Xmalloc(size))==NULL) { | |
196 | Xfree(buffer); | 201 | Xfree(buffer); | |
197 | UnlockDisplay(dpy); | 202 | UnlockDisplay(dpy); | |
198 | SyncHandle(); | 203 | SyncHandle(); | |
199 | return(XvBadAlloc); | 204 | return(XvBadAlloc); | |
200 | } | 205 | } | |
@@ -202,37 +207,46 @@ XvQueryAdaptors( | @@ -202,37 +207,46 @@ XvQueryAdaptors( | |||
202 | 207 | |||
203 | /* INIT ADAPTOR FIELDS */ | 208 | /* INIT ADAPTOR FIELDS */ | |
204 | 209 | |||
205 | pa = pas; | 210 | pa = pas; | |
206 | for (ii=0; ii<rep.num_adaptors; ii++) { | 211 | for (ii=0; ii<rep.num_adaptors; ii++) { | |
207 | pa->num_adaptors = 0; | 212 | pa->num_adaptors = 0; | |
208 | pa->name = (char *)NULL; | 213 | pa->name = (char *)NULL; | |
209 | pa->formats = (XvFormat *)NULL; | 214 | pa->formats = (XvFormat *)NULL; | |
210 | pa++; | 215 | pa++; | |
211 | } | 216 | } | |
212 | 217 | |||
213 | pa = pas; | 218 | pa = pas; | |
214 | for (ii=0; ii<rep.num_adaptors; ii++) { | 219 | for (ii=0; ii<rep.num_adaptors; ii++) { | |
220 | if (u.buffer + sz_xvAdaptorInfo > end) { | |||
221 | status = XvBadReply; | |||
222 | goto out; | |||
223 | } | |||
215 | pa->type = u.pa->type; | 224 | pa->type = u.pa->type; | |
216 | pa->base_id = u.pa->base_id; | 225 | pa->base_id = u.pa->base_id; | |
217 | pa->num_ports = u.pa->num_ports; | 226 | pa->num_ports = u.pa->num_ports; | |
218 | pa->num_formats = u.pa->num_formats; | 227 | pa->num_formats = u.pa->num_formats; | |
219 | pa->num_adaptors = rep.num_adaptors - ii; | 228 | pa->num_adaptors = rep.num_adaptors - ii; | |
220 | 229 | |||
221 | /* GET ADAPTOR NAME */ | 230 | /* GET ADAPTOR NAME */ | |
222 | 231 | |||
223 | size = u.pa->name_size; | 232 | size = u.pa->name_size; | |
224 | u.buffer += (sz_xvAdaptorInfo + 3) & ~3; | 233 | u.buffer += (sz_xvAdaptorInfo + 3) & ~3; | |
225 | 234 | |||
235 | if (u.buffer + size > end) { | |||
236 | status = XvBadReply; | |||
237 | goto out; | |||
238 | } | |||
239 | ||||
226 | if ( (name = (char *)Xmalloc(size+1)) == NULL) | 240 | if ( (name = (char *)Xmalloc(size+1)) == NULL) | |
227 | { | 241 | { | |
228 | XvFreeAdaptorInfo(pas); | 242 | XvFreeAdaptorInfo(pas); | |
229 | Xfree(buffer); | 243 | Xfree(buffer); | |
230 | UnlockDisplay(dpy); | 244 | UnlockDisplay(dpy); | |
231 | SyncHandle(); | 245 | SyncHandle(); | |
232 | return(XvBadAlloc); | 246 | return(XvBadAlloc); | |
233 | } | 247 | } | |
234 | (void)strncpy(name, u.string, size); | 248 | (void)strncpy(name, u.string, size); | |
235 | name[size] = '\0'; | 249 | name[size] = '\0'; | |
236 | pa->name = name; | 250 | pa->name = name; | |
237 | 251 | |||
238 | u.buffer += (size + 3) & ~3; | 252 | u.buffer += (size + 3) & ~3; | |
@@ -240,47 +254,55 @@ XvQueryAdaptors( | @@ -240,47 +254,55 @@ XvQueryAdaptors( | |||
240 | /* GET FORMATS */ | 254 | /* GET FORMATS */ | |
241 | 255 | |||
242 | size = pa->num_formats*sizeof(XvFormat); | 256 | size = pa->num_formats*sizeof(XvFormat); | |
243 | if ((pfs=(XvFormat *)Xmalloc(size))==NULL) { | 257 | if ((pfs=(XvFormat *)Xmalloc(size))==NULL) { | |
244 | XvFreeAdaptorInfo(pas); | 258 | XvFreeAdaptorInfo(pas); | |
245 | Xfree(buffer); | 259 | Xfree(buffer); | |
246 | UnlockDisplay(dpy); | 260 | UnlockDisplay(dpy); | |
247 | SyncHandle(); | 261 | SyncHandle(); | |
248 | return(XvBadAlloc); | 262 | return(XvBadAlloc); | |
249 | } | 263 | } | |
250 | 264 | |||
251 | pf = pfs; | 265 | pf = pfs; | |
252 | for (jj=0; jj<pa->num_formats; jj++) { | 266 | for (jj=0; jj<pa->num_formats; jj++) { | |
267 | if (u.buffer + sz_xvFormat > end) { | |||
268 | Xfree(pfs); | |||
269 | status = XvBadReply; | |||
270 | goto out; | |||
271 | } | |||
253 | pf->depth = u.pf->depth; | 272 | pf->depth = u.pf->depth; | |
254 | pf->visual_id = u.pf->visual; | 273 | pf->visual_id = u.pf->visual; | |
255 | pf++; | 274 | pf++; | |
256 | 275 | |||
257 | u.buffer += (sz_xvFormat + 3) & ~3; | 276 | u.buffer += (sz_xvFormat + 3) & ~3; | |
258 | } | 277 | } | |
259 | 278 | |||
260 | pa->formats = pfs; | 279 | pa->formats = pfs; | |
261 | 280 | |||
262 | pa++; | 281 | pa++; | |
263 | 282 | |||
264 | } | 283 | } | |
265 | 284 | |||
266 | *p_nAdaptors = rep.num_adaptors; | 285 | *p_nAdaptors = rep.num_adaptors; | |
267 | *p_pAdaptors = pas; | 286 | *p_pAdaptors = pas; | |
268 | 287 | |||
288 | status = Success; | |||
289 | ||||
290 | out: | |||
269 | Xfree(buffer); | 291 | Xfree(buffer); | |
270 | UnlockDisplay(dpy); | 292 | UnlockDisplay(dpy); | |
271 | SyncHandle(); | 293 | SyncHandle(); | |
272 | 294 | |||
273 | return (Success); | 295 | return (status); | |
274 | } | 296 | } | |
275 | 297 | |||
276 | 298 | |||
277 | void | 299 | void | |
278 | XvFreeAdaptorInfo(XvAdaptorInfo *pAdaptors) | 300 | XvFreeAdaptorInfo(XvAdaptorInfo *pAdaptors) | |
279 | { | 301 | { | |
280 | 302 | |||
281 | XvAdaptorInfo *pa; | 303 | XvAdaptorInfo *pa; | |
282 | int ii; | 304 | int ii; | |
283 | 305 | |||
284 | if (!pAdaptors) return; | 306 | if (!pAdaptors) return; | |
285 | 307 | |||
286 | pa = pAdaptors; | 308 | pa = pAdaptors; | |
@@ -302,113 +324,129 @@ XvFreeAdaptorInfo(XvAdaptorInfo *pAdapto | @@ -302,113 +324,129 @@ XvFreeAdaptorInfo(XvAdaptorInfo *pAdapto | |||
302 | 324 | |||
303 | int | 325 | int | |
304 | XvQueryEncodings( | 326 | XvQueryEncodings( | |
305 | Display *dpy, | 327 | Display *dpy, | |
306 | XvPortID port, | 328 | XvPortID port, | |
307 | unsigned int *p_nEncodings, | 329 | unsigned int *p_nEncodings, | |
308 | XvEncodingInfo **p_pEncodings | 330 | XvEncodingInfo **p_pEncodings | |
309 | ){ | 331 | ){ | |
310 | XExtDisplayInfo *info = xv_find_display(dpy); | 332 | XExtDisplayInfo *info = xv_find_display(dpy); | |
311 | xvQueryEncodingsReq *req; | 333 | xvQueryEncodingsReq *req; | |
312 | xvQueryEncodingsReply rep; | 334 | xvQueryEncodingsReply rep; | |
313 | int size, jj; | 335 | int size, jj; | |
314 | char *name; | 336 | char *name; | |
337 | char *end; | |||
338 | int status; | |||
315 | XvEncodingInfo *pes, *pe; | 339 | XvEncodingInfo *pes, *pe; | |
316 | char *buffer; | 340 | char *buffer; | |
317 | union | 341 | union | |
318 | { | 342 | { | |
319 | char *buffer; | 343 | char *buffer; | |
320 | char *string; | 344 | char *string; | |
321 | xvEncodingInfo *pe; | 345 | xvEncodingInfo *pe; | |
322 | } u; | 346 | } u; | |
323 | 347 | |||
324 | XvCheckExtension(dpy, info, XvBadExtension); | 348 | XvCheckExtension(dpy, info, XvBadExtension); | |
325 | 349 | |||
326 | LockDisplay(dpy); | 350 | LockDisplay(dpy); | |
327 | 351 | |||
328 | XvGetReq(QueryEncodings, req); | 352 | XvGetReq(QueryEncodings, req); | |
329 | req->port = port; | 353 | req->port = port; | |
330 | 354 | |||
331 | /* READ THE REPLY */ | 355 | /* READ THE REPLY */ | |
332 | 356 | |||
333 | if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { | 357 | if (_XReply(dpy, (xReply *)&rep, 0, xFalse) == 0) { | |
334 | UnlockDisplay(dpy); | 358 | UnlockDisplay(dpy); | |
335 | SyncHandle(); | 359 | SyncHandle(); | |
336 | return(XvBadReply); | 360 | return(XvBadReply); | |
337 | } | 361 | } | |
338 | 362 | |||
339 | size = rep.length << 2; | 363 | size = rep.length << 2; | |
340 | if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { | 364 | if (size > 0) { | |
365 | if ( (buffer = (char *)Xmalloc ((unsigned) size)) == NULL) { | |||
341 | UnlockDisplay(dpy); | 366 | UnlockDisplay(dpy); | |
342 | SyncHandle(); | 367 | SyncHandle(); | |
343 | return(XvBadAlloc); | 368 | return(XvBadAlloc); | |
369 | } | |||
370 | _XRead (dpy, buffer, size); | |||
344 | } | 371 | } | |
345 | _XRead (dpy, buffer, size); | |||
346 | 372 | |||
347 | u.buffer = buffer; | 373 | u.buffer = buffer; | |
374 | end = buffer + size; | |||
348 | 375 | |||
349 | /* GET ENCODINGS */ | 376 | /* GET ENCODINGS */ | |
350 | 377 | |||
351 | size = rep.num_encodings*sizeof(XvEncodingInfo); | 378 | size = rep.num_encodings*sizeof(XvEncodingInfo); | |
352 | if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) { | 379 | if ( (pes = (XvEncodingInfo *)Xmalloc(size)) == NULL) { | |
353 | Xfree(buffer); | 380 | Xfree(buffer); | |
354 | UnlockDisplay(dpy); | 381 | UnlockDisplay(dpy); | |
355 | SyncHandle(); | 382 | SyncHandle(); | |
356 | return(XvBadAlloc); | 383 | return(XvBadAlloc); | |
357 | } | 384 | } | |
358 | 385 | |||
359 | /* INITIALIZE THE ENCODING POINTER */ | 386 | /* INITIALIZE THE ENCODING POINTER */ | |
360 | 387 | |||
361 | pe = pes; | 388 | pe = pes; | |
362 | for (jj=0; jj<rep.num_encodings; jj++) { | 389 | for (jj=0; jj<rep.num_encodings; jj++) { | |
363 | pe->name = (char *)NULL; | 390 | pe->name = (char *)NULL; | |
364 | pe->num_encodings = 0; | 391 | pe->num_encodings = 0; | |
365 | pe++; | 392 | pe++; | |
366 | } | 393 | } | |
367 | 394 | |||
368 | pe = pes; | 395 | pe = pes; | |
369 | for (jj=0; jj<rep.num_encodings; jj++) { | 396 | for (jj=0; jj<rep.num_encodings; jj++) { | |
397 | if (u.buffer + sz_xvEncodingInfo > end) { | |||
398 | status = XvBadReply; | |||
399 | goto out; | |||
400 | } | |||
370 | pe->encoding_id = u.pe->encoding; | 401 | pe->encoding_id = u.pe->encoding; | |
371 | pe->width = u.pe->width; | 402 | pe->width = u.pe->width; | |
372 | pe->height = u.pe->height; | 403 | pe->height = u.pe->height; | |
373 | pe->rate.numerator = u.pe->rate.numerator; | 404 | pe->rate.numerator = u.pe->rate.numerator; | |
374 | pe->rate.denominator = u.pe->rate.denominator; | 405 | pe->rate.denominator = u.pe->rate.denominator; | |
375 | pe->num_encodings = rep.num_encodings - jj; | 406 | pe->num_encodings = rep.num_encodings - jj; | |
376 | 407 | |||
377 | size = u.pe->name_size; | 408 | size = u.pe->name_size; | |
378 | u.buffer += (sz_xvEncodingInfo + 3) & ~3; | 409 | u.buffer += (sz_xvEncodingInfo + 3) & ~3; | |
379 | 410 | |||
411 | if (u.buffer + size > end) { | |||
412 | status = XvBadReply; | |||
413 | goto out; | |||
414 | } | |||
380 | if ( (name = (char *)Xmalloc(size+1)) == NULL) { | 415 | if ( (name = (char *)Xmalloc(size+1)) == NULL) { | |
381 | Xfree(buffer); | 416 | Xfree(buffer); | |
382 | UnlockDisplay(dpy); | 417 | UnlockDisplay(dpy); | |
383 | SyncHandle(); | 418 | SyncHandle(); | |
384 | return(XvBadAlloc); | 419 | return(XvBadAlloc); | |
385 | } | 420 | } | |
386 | strncpy(name, u.string, size); | 421 | strncpy(name, u.string, size); | |
387 | name[size] = '\0'; | 422 | name[size] = '\0'; | |
388 | pe->name = name; | 423 | pe->name = name; | |
389 | pe++; | 424 | pe++; | |
390 | 425 | |||
391 | u.buffer += (size + 3) & ~3; | 426 | u.buffer += (size + 3) & ~3; | |
392 | } | 427 | } | |
393 | 428 | |||
394 | *p_nEncodings = rep.num_encodings; | 429 | *p_nEncodings = rep.num_encodings; | |
395 | *p_pEncodings = pes; | 430 | *p_pEncodings = pes; | |
396 | 431 | |||
432 | status = Success; | |||
433 | ||||
434 | out: | |||
397 | Xfree(buffer); | 435 | Xfree(buffer); | |
398 | UnlockDisplay(dpy); | 436 | UnlockDisplay(dpy); | |
399 | SyncHandle(); | 437 | SyncHandle(); | |
400 | 438 | |||
401 | return (Success); | 439 | return (status); | |
402 | } | 440 | } | |
403 | 441 | |||
404 | void | 442 | void | |
405 | XvFreeEncodingInfo(XvEncodingInfo *pEncodings) | 443 | XvFreeEncodingInfo(XvEncodingInfo *pEncodings) | |
406 | { | 444 | { | |
407 | 445 | |||
408 | XvEncodingInfo *pe; | 446 | XvEncodingInfo *pe; | |
409 | int ii; | 447 | int ii; | |
410 | 448 | |||
411 | if (!pEncodings) return; | 449 | if (!pEncodings) return; | |
412 | 450 | |||
413 | pe = pEncodings; | 451 | pe = pEncodings; | |
414 | 452 |
--- xsrc/xfree/xc/programs/Xserver/include/Attic/dix.h 2014/12/12 07:25:34 1.1.1.6.28.1
+++ xsrc/xfree/xc/programs/Xserver/include/Attic/dix.h 2016/10/05 10:49:31 1.1.1.6.28.2
@@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | @@ -43,26 +43,27 @@ ANY DAMAGES WHATSOEVER RESULTING FROM LO | |||
43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | 43 | WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, | |
44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | 44 | ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS | |
45 | SOFTWARE. | 45 | SOFTWARE. | |
46 | 46 | |||
47 | ******************************************************************/ | 47 | ******************************************************************/ | |
48 | /* $Xorg: dix.h,v 1.4 2001/02/09 02:05:15 xorgcvs Exp $ */ | 48 | /* $Xorg: dix.h,v 1.4 2001/02/09 02:05:15 xorgcvs Exp $ */ | |
49 | 49 | |||
50 | #ifndef DIX_H | 50 | #ifndef DIX_H | |
51 | #define DIX_H | 51 | #define DIX_H | |
52 | 52 | |||
53 | #include "gc.h" | 53 | #include "gc.h" | |
54 | #include "window.h" | 54 | #include "window.h" | |
55 | #include "input.h" | 55 | #include "input.h" | |
56 | #include <stdint.h> | |||
56 | 57 | |||
57 | #define EARLIER -1 | 58 | #define EARLIER -1 | |
58 | #define SAMETIME 0 | 59 | #define SAMETIME 0 | |
59 | #define LATER 1 | 60 | #define LATER 1 | |
60 | 61 | |||
61 | #define NullClient ((ClientPtr) 0) | 62 | #define NullClient ((ClientPtr) 0) | |
62 | #define REQUEST(type) \ | 63 | #define REQUEST(type) \ | |
63 | register type *stuff = (type *)client->requestBuffer | 64 | register type *stuff = (type *)client->requestBuffer | |
64 | 65 | |||
65 | 66 | |||
66 | #define REQUEST_SIZE_MATCH(req)\ | 67 | #define REQUEST_SIZE_MATCH(req)\ | |
67 | if ((sizeof(req) >> 2) != client->req_len)\ | 68 | if ((sizeof(req) >> 2) != client->req_len)\ | |
68 | return(BadLength) | 69 | return(BadLength) |