frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix num_masks/length overflow test for XiSelectEvents 

Have to set windowid to a valid value first, since that check
appears earlier in the code than the masks/length check.

Also have to have data[] set large enough so that reading mask
data for 0xFFFF masks doesn't overflow past the end of the array
into uninitialized data.

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
Alan Coopersmith 2009-09-15 17:53:50 -07:00 committed by Peter Hutterer
parent 13decf5efe
commit 139368f7ae
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
test/xi2/protocol-xiselectevents.c
View File

@ -60,7 +60,7 @@
#include "protocol-common.h" #include "protocol-common.h"
#include <glib.h> #include <glib.h>
static unsigned char *data[4096 * 16]; /* the request data buffer */ static unsigned char *data[4096 * 20]; /* the request data buffer */
int __wrap_XISetEventMask(DeviceIntPtr dev, WindowPtr win, int len, unsigned char* mask) int __wrap_XISetEventMask(DeviceIntPtr dev, WindowPtr win, int len, unsigned char* mask)
{ {
@ -284,6 +284,7 @@ static void test_XISelectEvents(void)
request_XISelectEvent(req, BadWindow); request_XISelectEvent(req, BadWindow);
g_test_message("Triggering num_masks/length overflow"); g_test_message("Triggering num_masks/length overflow");
req->win = ROOT_WINDOW_ID;
/* Integer overflow - req->length can't hold that much */ /* Integer overflow - req->length can't hold that much */
req->num_masks = 0xFFFF; req->num_masks = 0xFFFF;
request_XISelectEvent(req, BadLength); request_XISelectEvent(req, BadLength);