frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(!1639) xquartz: fix length checking with bigreq 

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This commit is contained in:
Enrico Weigelt, metux IT consult 2024-08-06 15:56:39 +02:00
parent 2ef5751bf8
commit 6ae5fd62c3
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hw/xquartz/applewm.c
View File

@ -387,7 +387,7 @@ ProcAppleWMSetWindowMenu(register ClientPtr client)
return BadAlloc;
}
max_len = (stuff->length << 2) - sizeof(xAppleWMSetWindowMenuReq);
max_len = (client->req-len << 2) - sizeof(xAppleWMSetWindowMenuReq);
bytes = (char *)&stuff[1];
for (i = j = 0; i < max_len && j < nitems;) {
@ -601,7 +601,7 @@ ProcAppleWMFrameDraw(register ClientPtr client)
or = make_box(stuff->ox, stuff->oy, stuff->ow, stuff->oh);
title_length = stuff->title_length;
title_max = (stuff->length << 2) - sizeof(xAppleWMFrameDrawReq);
title_max = (client->req_len << 2) - sizeof(xAppleWMFrameDrawReq);
if (title_max < title_length)
return BadValue;