From 0b4d531026e5e78e64990b128536a17ead01d811 Mon Sep 17 00:00:00 2001
From: Collin
Date: Thu, 26 Jun 2025 19:45:12 -0500
Subject: [PATCH] Update colormap.c with fixes for detected Pointer Overflow CodeQL alerts
This fixes multiple issues with pointer overflow that were found in my fork. All were limited to colormap.c and have been tested working on my system.
---
 dix/colormap.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/dix/colormap.c b/dix/colormap.c
index b6afe230e..1cc639afb 100644
--- a/dix/colormap.c
+++ b/dix/colormap.c
@@ -1657,7 +1657,7 @@ AllocDirect(int client, ColormapPtr pmap, int c, int r, int g, int b,
 return BadAlloc;
 /* start out with empty pixels */
- for (p = pixels; p < pixels + c; p++)
+ for (p = pixels; (p - pixels) < c; p++)
 *p = 0;
 ppixRed = calloc(npixR, sizeof(Pixel));
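Review bot: The new bound `(p - pixels) < c` on the zeroing loop in the `@@ -1657,7` hunk is equivalent to the old `p < pixels + c` whenever `c` fits the buffer, and gives no protection when it does not: the loop still stores `c` entries through the caller-supplied `pixels`, and `p - pixels` is only defined while `p` stays inside that array. The safety of this loop therefore still rests on `c` being range-checked earlier in AllocDirect, of which only the trailing `return BadAlloc;` is visible in this hunk. An index loop would state the bound without any pointer comparison, e.g. `for (i = 0; i < c; i++) pixels[i] = 0;` with a local `int i`, and the same form fits the `ALPHAMASK` loop in the `@@ -1713,33` hunk and the `ppixTemp` loops in both AllocPseudo hunks. AllocDirect starts and ends outside the hunk.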
@@ -1713,33 +1713,33 @@ AllocDirect(int client, ColormapPtr pmap, int c, int r, int g, int b,
 *pbmask <<= pmap->pVisual->offsetBlue;
 ppix = rpix + pmap->numPixelsRed[client];
- for (pDst = pixels, p = ppixRed; p < ppixRed + npixR; p++) {
+ for (pDst = pixels, p = ppixRed; (size_t)(p - ppixRed) < npixR; p++) {
 *ppix++ = *p;
- if (p < ppixRed + c)
+ if ((size_t)(p - ppixRed) < c)
 *pDst++ |= *p << pmap->pVisual->offsetRed;
 }
 pmap->numPixelsRed[client] += npixR;
 pmap->freeRed -= npixR;
 ppix = gpix + pmap->numPixelsGreen[client];
- for (pDst = pixels, p = ppixGreen; p < ppixGreen + npixG; p++) {
+ for (pDst = pixels, p = ppixGreen; (size_t)(p - ppixGreen) < npixG; p++) {
 *ppix++ = *p;
- if (p < ppixGreen + c)
+ if ((size_t)(p - ppixGreen) < c)
 *pDst++ |= *p << pmap->pVisual->offsetGreen;
 }
 pmap->numPixelsGreen[client] += npixG;
 pmap->freeGreen -= npixG;
 ppix = bpix + pmap->numPixelsBlue[client];
- for (pDst = pixels, p = ppixBlue; p < ppixBlue + npixB; p++) {
+ for (pDst = pixels, p = ppixBlue; (size_t)(p - ppixBlue) < npixB; p++) {
 *ppix++ = *p;
- if (p < ppixBlue + c)
+ if ((size_t)(p - ppixBlue) < c)
 *pDst++ |= *p << pmap->pVisual->offsetBlue;
 }
 pmap->numPixelsBlue[client] += npixB;
 pmap->freeBlue -= npixB;
- for (pDst = pixels; pDst < pixels + c; pDst++)
+ for (pDst = pixels; (pDst - pixels) < c; pDst++)
 *pDst |= ALPHAMASK(pmap->pVisual);
 free(ppixBlue);
@@ -1771,7 +1771,7 @@ AllocPseudo(int client, ColormapPtr pmap, int c, int r, Bool contig,
 ppix = reallocarray(pmap->clientPixelsRed[client], pmap->numPixelsRed[client] + npix, sizeof(Pixel));
 if (!ppix) {
- for (p = ppixTemp; p < ppixTemp + npix; p++)
+ for (p = ppixTemp; (p - ppixTemp) < npix; p++)
 pmap->red[*p].refcnt = 0;
 free(ppixTemp);
 return BadAlloc;
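Review bot: The `(size_t)` casts in the red, green and blue loops of the `@@ -1713,33` hunk turn `(size_t)(p - ppixRed) < c` into an unsigned comparison against `c`, which the signature declares as `int`, so a negative `c` would convert to a very large value and the guard on `*pDst++ |= ...` would pass on every iteration instead of none. The other loops in this patch compare the signed difference directly (`(pDst - pixels) < c`, `(p - ppixTemp) < c`), and the channel loops should match them, e.g. `if ((p - ppixRed) < c)` and likewise for `ppixGreen` and `ppixBlue`. Whether `c` can be negative at this point depends on validation outside the hunk, and the declarations of `npixR`, `npixG` and `npixB` are not visible either, so the casts in the loop conditions should be checked against their types as well. AllocDirect starts and ends outside the hunk.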
@@ -1780,9 +1780,9 @@ AllocPseudo(int client, ColormapPtr pmap, int c, int r, Bool contig,
 ppix += pmap->numPixelsRed[client];
 *pppixFirst = ppix;
 pDst = pixels;
- for (p = ppixTemp; p < ppixTemp + npix; p++) {
+ for (p = ppixTemp; (p - ppixTemp) < npix; p++) {
 *ppix++ = *p;
- if (p < ppixTemp + c)
+ if ((p - ppixTemp) < c)
 *pDst++ = *p;
 }
 pmap->numPixelsRed[client] += npix;