diff --git a/xkb/xkbSwap.c b/xkb/xkbSwap.c
index 00fd04d38..9a4c17e57 100644
--- a/xkb/xkbSwap.c
+++ b/xkb/xkbSwap.c
@@ -67,10 +67,10 @@ SProcXkbSelectEvents(ClientPtr client)
 CARD16 *c16;
 CARD32 *c32;
 } from;
- register unsigned bit, ndx, maskLeft, dataLeft, size;
+ register unsigned bit, ndx, maskLeft, dataLeft;
 from.c8 = (CARD8 *) &stuff[1];
- dataLeft = (client->req_len * 4) - SIZEOF(xkbSelectEventsReq);
+ dataLeft = (client->req_len * 4) - sizeof(xkbSelectEventsReq);
 maskLeft = (stuff->affectWhich & (~XkbMapNotifyMask));
 for (ndx = 0, bit = 1; (maskLeft != 0); ndx++, bit <<= 1) {
 if (((bit & maskLeft) == 0) || (ndx == XkbMapNotify))
@@ -79,42 +79,43 @@ SProcXkbSelectEvents(ClientPtr client)
 if ((stuff->selectAll & bit) || (stuff->clear & bit))
 continue;
 switch (ndx) {
+ // CARD16
 case XkbNewKeyboardNotify:
 case XkbStateNotify:
 case XkbNamesNotify:
 case XkbAccessXNotify:
 case XkbExtensionDeviceNotify:
- size = 2;
+ if (dataLeft < sizeof(CARD16)*2)
+ return BadLength;
+ swaps(&from.c16[0]);
+ swaps(&from.c16[1]);
+ from.c8 += sizeof(CARD16)*2;
+ dataLeft -= sizeof(CARD16)*2;
 break;
+ // CARD32
 case XkbControlsNotify:
 case XkbIndicatorStateNotify:
 case XkbIndicatorMapNotify:
- size = 4;
+ if (dataLeft < sizeof(CARD32)*2)
+ return BadLength;
+ swapl(&from.c32[0]);
+ swapl(&from.c32[1]);
+ from.c8 += sizeof(CARD32)*2;
+ dataLeft -= sizeof(CARD32)*2;
 break;
+ // CARD8
 case XkbBellNotify:
 case XkbActionMessage:
 case XkbCompatMapNotify:
- size = 1;
+ if (dataLeft < 2)
+ return BadLength;
+ from.c8 += 4;
+ dataLeft -= 4;
 break;
 default:
 client->errorValue = _XkbErrCode2(0x1, bit);
 return BadValue;
 }
- if (dataLeft < (size * 2))
- return BadLength;
- if (size == 2) {
- swaps(&from.c16[0]);
- swaps(&from.c16[1]);
- }
- else if (size == 4) {
- swapl(&from.c32[0]);
- swapl(&from.c32[1]);
- }
- else {
- size = 2;
- }
- from.c8 += (size * 2);
- dataLeft -= (size * 2);
 }
 if (dataLeft > 2) {
 ErrorF("[xkb] Extra data (%d bytes) after SelectEvents\n",
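Review bot: In the first hunk, `dataLeft` is unsigned, so `(client->req_len * 4) - sizeof(xkbSelectEventsReq)` wraps to a very large value if the request is shorter than the fixed header, and every later `dataLeft < ...` guard would then pass. Presumably a length check such as `REQUEST_AT_LEAST_SIZE(xkbSelectEventsReq)` runs earlier in SProcXkbSelectEvents, which starts above this hunk; that is worth confirming, since the per-case `BadLength` checks depend on it. Replacing `SIZEOF()` with `sizeof` also assumes the struct has no compiler padding, so its in-memory size equals the wire size. A short comment on that line would record the assumption, e.g. `/* wire size; struct has no padding */`.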
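Review bot: In the second hunk, the CARD8 case checks `dataLeft < 2` but then advances `from.c8` and decrements `dataLeft` by 4, so the guard does not cover what the case consumes. Because `dataLeft` is unsigned, a remainder of 2 or 3 would wrap on `dataLeft -= 4` and defeat the `BadLength` checks that protect the `swaps`/`swapl` calls in later iterations. This looks unreachable only while `dataLeft` stays a multiple of 4, which the visible arithmetic implies but nothing in the case enforces. I would make the guard match the consumption, `if (dataLeft < 4) return BadLength;`, and expand the `// CARD8` comment to say why 4 bytes are skipped (presumably two CARD8 masks padded to a 4-byte unit). The enclosing function starts and ends outside the hunk.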