diff --git a/configure.ac b/configure.ac index 89a7a9db9..75281f001 100644 --- a/configure.ac +++ b/configure.ac @@ -2003,7 +2003,7 @@ AM_CONDITIONAL(STANDALONE_XPBPROXY, [test "x$STANDALONE_XPBPROXY" = xyes]) dnl DMX DDX PKG_CHECK_MODULES( [DMXMODULES], - [xmuu $LIBXEXT x11 xrender xfixes $LIBXI $DMXPROTO xau $XDMCP_MODULES], + [xmuu $LIBXEXT x11 >= 1.6 xrender xfixes $LIBXI $DMXPROTO xau $XDMCP_MODULES], [PKG_CHECK_MODULES( [XDMXCONFIG_DEP], [xaw7 xmu xt xpm x11], @@ -2112,7 +2112,7 @@ if test "$KDRIVE" = yes; then AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver]) fi - XEPHYR_REQUIRED_LIBS="x11 $LIBXEXT xau xdmcp" + XEPHYR_REQUIRED_LIBS="x11 >= 1.6 $LIBXEXT xau xdmcp" if test "x$XV" = xyes; then XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xv" fi diff --git a/hw/dmx/dmx_glxvisuals.c b/hw/dmx/dmx_glxvisuals.c index f903b7491..56bd67b6e 100644 --- a/hw/dmx/dmx_glxvisuals.c +++ b/hw/dmx/dmx_glxvisuals.c @@ -37,6 +37,7 @@ #include #include #include +#include #include "dmx_glxvisuals.h" @@ -84,7 +85,10 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs) SyncHandle(); return NULL; } - props = (INT32 *) Xmalloc(nprops * __GLX_SIZE_CARD32); + if (nprops < (INT_MAX / __GLX_SIZE_CARD32)) + props = Xmalloc(nprops * __GLX_SIZE_CARD32); + else + props = NULL; if (!props) { UnlockDisplay(dpy); SyncHandle(); @@ -92,15 +96,16 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs) } /* Allocate memory for our config structure */ - config = (__GLXvisualConfig *) - Xmalloc(nvisuals * sizeof(__GLXvisualConfig)); + if (nvisuals < (INT_MAX / sizeof(__GLXvisualConfig))) + config = Xcalloc(nvisuals, sizeof(__GLXvisualConfig)); + else + config = NULL; if (!config) { free(props); UnlockDisplay(dpy); SyncHandle(); return NULL; } - memset(config, 0, nvisuals * sizeof(__GLXvisualConfig)); configs = config; num_good_visuals = 0; @@ -274,7 +279,10 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs) return NULL; } - attrs = (INT32 *) Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32); + if (numAttribs < (INT_MAX / (2 * __GLX_SIZE_CARD32))) + attrs = Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32); + else + attrs = NULL; if (!attrs) { UnlockDisplay(dpy); SyncHandle(); @@ -282,15 +290,16 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs) } /* Allocate memory for our config structure */ - config = (__GLXFBConfig *) - Xmalloc(numFBConfigs * sizeof(__GLXFBConfig)); + if (numFBConfigs < (INT_MAX / sizeof(__GLXFBConfig))) + config = Xcalloc(numFBConfigs, sizeof(__GLXFBConfig)); + else + config = NULL; if (!config) { free(attrs); UnlockDisplay(dpy); SyncHandle(); return NULL; } - memset(config, 0, numFBConfigs * sizeof(__GLXFBConfig)); fbconfigs = config; /* Convert attribute list into our format */ diff --git a/hw/dmx/glxProxy/glxcmds.c b/hw/dmx/glxProxy/glxcmds.c index 45382748f..8cdb25ec6 100644 --- a/hw/dmx/glxProxy/glxcmds.c +++ b/hw/dmx/glxProxy/glxcmds.c @@ -2582,7 +2582,6 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc) xGLXQueryExtensionsStringReply be_reply; DMXScreenInfo *dmxScreen; Display *dpy; - int slop; #endif screen = req->screen; @@ -2608,16 +2607,13 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc) _XReply(dpy, (xReply *) &be_reply, 0, False); len = (int) be_reply.length; numbytes = (int) be_reply.n; - slop = numbytes * __GLX_SIZE_INT8 & 3; be_buf = (char *) malloc(numbytes); if (!be_buf) { /* Throw data on the floor */ - _XEatData(dpy, len); + _XEatDataWords(dpy, len); } else { - _XRead(dpy, (char *) be_buf, numbytes); - if (slop) - _XEatData(dpy, 4 - slop); + _XReadPad(dpy, (char *) be_buf, numbytes); } UnlockDisplay(dpy); SyncHandle(); @@ -2666,7 +2662,6 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc) xGLXQueryServerStringReply be_reply; DMXScreenInfo *dmxScreen; Display *dpy; - int slop; #endif name = req->name; @@ -2693,16 +2688,13 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc) _XReply(dpy, (xReply *) &be_reply, 0, False); len = (int) be_reply.length; numbytes = (int) be_reply.n; - slop = numbytes * __GLX_SIZE_INT8 & 3; be_buf = (char *) malloc(numbytes); if (!be_buf) { /* Throw data on the floor */ - _XEatData(dpy, len); + _XEatDataWords(dpy, len); } else { - _XRead(dpy, (char *) be_buf, numbytes); - if (slop) - _XEatData(dpy, 4 - slop); + _XReadPad(dpy, (char *) be_buf, numbytes); } UnlockDisplay(dpy); SyncHandle(); diff --git a/hw/dmx/glxProxy/glxscreens.c b/hw/dmx/glxProxy/glxscreens.c index 2a1909244..138afedf2 100644 --- a/hw/dmx/glxProxy/glxscreens.c +++ b/hw/dmx/glxProxy/glxscreens.c @@ -138,7 +138,7 @@ CalcServerVersionAndExtensions(void) Display *dpy = dmxScreen->beDisplay; xGLXQueryServerStringReq *req; xGLXQueryServerStringReply reply; - int length, numbytes, slop; + int length, numbytes; /* Send the glXQueryServerString request */ LockDisplay(dpy); @@ -151,16 +151,13 @@ CalcServerVersionAndExtensions(void) length = (int) reply.length; numbytes = (int) reply.n; - slop = numbytes * __GLX_SIZE_INT8 & 3; be_extensions[s] = (char *) malloc(numbytes); if (!be_extensions[s]) { /* Throw data on the floor */ - _XEatData(dpy, length); + _XEatDataWords(dpy, length); } else { - _XRead(dpy, (char *) be_extensions[s], numbytes); - if (slop) - _XEatData(dpy, 4 - slop); + _XReadPad(dpy, (char *) be_extensions[s], numbytes); } UnlockDisplay(dpy); SyncHandle(); diff --git a/hw/dmx/glxProxy/glxsingle.c b/hw/dmx/glxProxy/glxsingle.c index e60cfeb70..abfb880a3 100644 --- a/hw/dmx/glxProxy/glxsingle.c +++ b/hw/dmx/glxProxy/glxsingle.c @@ -258,7 +258,7 @@ __glXForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } @@ -357,7 +357,7 @@ __glXForwardAllWithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } @@ -993,7 +993,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); free(buf); return BadAlloc; } diff --git a/hw/dmx/glxProxy/glxvendor.c b/hw/dmx/glxProxy/glxvendor.c index 5777c6acc..50d505c4b 100644 --- a/hw/dmx/glxProxy/glxvendor.c +++ b/hw/dmx/glxProxy/glxvendor.c @@ -246,7 +246,7 @@ __glXVForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } @@ -340,7 +340,7 @@ __glXVForwardAllWithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c index 9d742f394..15b62191f 100644 --- a/hw/kdrive/ephyr/XF86dri.c +++ b/hw/kdrive/ephyr/XF86dri.c @@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include #include "xf86dri.h" #include +#include static XExtensionInfo _xf86dri_info_data; static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -225,8 +226,12 @@ XF86DRIOpenConnection(Display * dpy, int screen, } if (rep.length) { - if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) { - _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); + if (rep.busIdStringLength < INT_MAX) + *busIdString = calloc(rep.busIdStringLength + 1, 1); + else + *busIdString = NULL; + if (*busIdString == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("OpenConnection... return False"); @@ -323,10 +328,12 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; if (rep.length) { - if (! - (*clientDriverName = - (char *) calloc(rep.clientDriverNameLength + 1, 1))) { - _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); + if (rep.clientDriverNameLength < INT_MAX) + *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); + else + *clientDriverName = NULL; + if (*clientDriverName == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetClientDriverName... return False"); @@ -532,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable, SIZEOF(xGenericReply) + total_rects * sizeof(drm_clip_rect_t)) + 3) & ~3) >> 2)) { - _XEatData(dpy, rep.length); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetDrawableInfo... return False"); @@ -606,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer, if (rep.length) { if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) { - _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3)); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetDeviceInfo... return False"); diff --git a/hw/kdrive/ephyr/ephyrhostglx.c b/hw/kdrive/ephyr/ephyrhostglx.c index 5c6c40f0b..6a4392fee 100644 --- a/hw/kdrive/ephyr/ephyrhostglx.c +++ b/hw/kdrive/ephyr/ephyrhostglx.c @@ -137,7 +137,7 @@ ephyrHostGLXQueryVersion(int *a_major, int *a_minor) } /** - * GLX protocol structure for the ficticious "GXLGenericGetString" request. + * GLX protocol structure for the ficticious "GLXGenericGetString" request. * * This is a non-existant protocol packet. It just so happens that all of * the real protocol packets used to request a string from the server have @@ -169,7 +169,8 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, int default_screen = DefaultScreen(dpy); xGLXGenericGetStringReq *req = NULL; xGLXSingleReply reply; - int length = 0, numbytes = 0, major_opcode = 0, get_string_op = 0; + unsigned long length = 0, numbytes = 0; + int major_opcode = 0, get_string_op = 0; EPHYR_RETURN_VAL_IF_FAIL(dpy && a_string, FALSE); @@ -209,36 +210,48 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, _XReply(dpy, (xReply *) &reply, 0, False); - length = reply.length * 4; - if (!length) { - numbytes = 0; +#if UINT32_MAX >= (ULONG_MAX / 4) + if (reply.length >= (ULONG_MAX / 4)) { + _XEatDataWords(dpy, reply.length); + goto eat_out; } - else { +#endif + if (reply.length > 0) { + length = (unsigned long) reply.length * 4; numbytes = reply.size; + if (numbytes > length) { + EPHYR_LOG_ERROR("string length %d longer than reply length %d\n", + numbytes, length); + goto eat_out; + } } EPHYR_LOG("going to get a string of size:%d\n", numbytes); - *a_string = (char *) Xmalloc(numbytes + 1); - if (!a_string) { + if (numbytes < INT_MAX) + *a_string = Xcalloc(numbytes + 1, 1); + else + *a_string = NULL; + if (*a_string == NULL) { EPHYR_LOG_ERROR("allocation failed\n"); - goto out; + goto eat_out; } - memset(*a_string, 0, numbytes + 1); if (_XRead(dpy, *a_string, numbytes)) { - UnlockDisplay(dpy); - SyncHandle(); EPHYR_LOG_ERROR("read failed\n"); - goto out; + length = 0; /* if read failed, no idea how much to eat */ } - length -= numbytes; + else { + length -= numbytes; + EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", + a_string_name, *a_string, numbytes); + is_ok = TRUE; + } + + eat_out: _XEatData(dpy, length); UnlockDisplay(dpy); SyncHandle(); - EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", - a_string_name, *a_string, numbytes); - is_ok = TRUE; out: EPHYR_LOG("leave\n"); return is_ok; diff --git a/hw/kdrive/ephyr/ephyrhostvideo.c b/hw/kdrive/ephyr/ephyrhostvideo.c index 362aa055e..05e9ad9f5 100644 --- a/hw/kdrive/ephyr/ephyrhostvideo.c +++ b/hw/kdrive/ephyr/ephyrhostvideo.c @@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id, _XRead(dpy, (char *) a_offsets, rep.num_planes << 2); } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } *a_width = rep.width; *a_height = rep.height; diff --git a/hw/xnest/Args.h b/hw/xnest/Args.h index 514a39513..225418d22 100644 --- a/hw/xnest/Args.h +++ b/hw/xnest/Args.h @@ -12,7 +12,7 @@ is" without express or implied warranty. */ -#ifndef XNESTARGC_H +#ifndef XNESTARGS_H #define XNESTARGS_H extern char *xnestDisplayName;