From ddc52b9cbae017f04c7a232af4e8b16c9f96823d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 5 Jul 2013 22:43:17 -0700
Subject: [PATCH] Xephyr: Use _XEatDataWords (from Xlib 1.6) instead of _XEatData

Simplifies code and reduces risk of overflow from converting length field in X replies from words to bytes. One call to _XEatData is left in ephyrHostGLXGetStringFromServer where it's already been checked for overflow, and other values have been subtracted from it to reduce the size of data remaining to be eaten.

Signed-off-by: Alan Coopersmith
---
 configure.ac | 2 +-
 hw/kdrive/ephyr/XF86dri.c | 8 ++++----
 hw/kdrive/ephyr/ephyrhostglx.c | 4 +++-
 hw/kdrive/ephyr/ephyrhostvideo.c | 2 +-
 4 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 206b9c4f4..75281f001 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2112,7 +2112,7 @@ if test "$KDRIVE" = yes; then
 AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver])
 fi
- XEPHYR_REQUIRED_LIBS="x11 $LIBXEXT xau xdmcp"
+ XEPHYR_REQUIRED_LIBS="x11 >= 1.6 $LIBXEXT xau xdmcp"
 if test "x$XV" = xyes; then
 XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xv"
 fi
diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
index 9f230fc99..15b62191f 100644
--- a/hw/kdrive/ephyr/XF86dri.c
+++ b/hw/kdrive/ephyr/XF86dri.c
@@ -231,7 +231,7 @@ XF86DRIOpenConnection(Display * dpy, int screen,
 else
 *busIdString = NULL;
 if (*busIdString == NULL) {
- _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
 TRACE("OpenConnection... return False");
@@ -333,7 +333,7 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
 else
 *clientDriverName = NULL;
 if (*clientDriverName == NULL) {
- _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
 TRACE("GetClientDriverName... return False");
@@ -539,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable,
 SIZEOF(xGenericReply) + total_rects * sizeof(drm_clip_rect_t)) + 3) & ~3) >> 2)) {
- _XEatData(dpy, rep.length);
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
 TRACE("GetDrawableInfo... return False");
@@ -613,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer,
 if (rep.length) {
 if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) {
- _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3));
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
 TRACE("GetDeviceInfo... return False");
diff --git a/hw/kdrive/ephyr/ephyrhostglx.c b/hw/kdrive/ephyr/ephyrhostglx.c
index 90f450c60..6a4392fee 100644
--- a/hw/kdrive/ephyr/ephyrhostglx.c
+++ b/hw/kdrive/ephyr/ephyrhostglx.c
@@ -211,8 +211,10 @@ ephyrHostGLXGetStringFromServer(int a_screen_number,
 _XReply(dpy, (xReply *) &reply, 0, False);
 #if UINT32_MAX >= (ULONG_MAX / 4)
- if (reply.length >= (ULONG_MAX / 4))
+ if (reply.length >= (ULONG_MAX / 4)) {
+ _XEatDataWords(dpy, reply.length);
 goto eat_out;
+ }
 #endif
 if (reply.length > 0) {
 length = (unsigned long) reply.length * 4;
diff --git a/hw/kdrive/ephyr/ephyrhostvideo.c b/hw/kdrive/ephyr/ephyrhostvideo.c
index 362aa055e..05e9ad9f5 100644
--- a/hw/kdrive/ephyr/ephyrhostvideo.c
+++ b/hw/kdrive/ephyr/ephyrhostvideo.c
@@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id,
 _XRead(dpy, (char *) a_offsets, rep.num_planes << 2);
 }
 else {
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 *a_width = rep.width;
 *a_height = rep.height;
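Review bot: In XF86DRIGetDrawableInfo the expected reply length is still built from `total_rects * sizeof(drm_clip_rect_t)` before being compared with `rep.length`, and that product can wrap for a very large or negative count, so the equality test may pass for a reply whose counts do not match its length. The assignment of total_rects is outside the hunk; it presumably comes from count fields in the reply, which the host X server controls. Assuming total_rects is an int, I would bound it before the comparison, e.g. `if (total_rects < 0 || total_rects > INT_MAX / (int) sizeof(drm_clip_rect_t))`, taking the same `_XEatDataWords(dpy, rep.length)` and return-False path.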
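Review bot: In XF86DRIGetDeviceInfo the buffer is sized from `rep.devPrivateSize` while the failure path now discards `rep.length` words, and nothing visible in the hunk checks that the two fields agree. If the read that follows (outside the hunk) also uses rep.devPrivateSize, a reply whose devPrivateSize exceeds the advertised length would consume bytes belonging to the next reply and desynchronise the connection. A guard ahead of the calloc such as `if (rep.devPrivateSize > 0 && ((rep.devPrivateSize - 1) >> 2) >= rep.length)`, followed by the same eat-and-return-False sequence, would tie the two fields together without any overflow in the comparison.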
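Review bot: In ephyrHostGLXGetStringFromServer the new overflow branch drains the reply with `_XEatDataWords(dpy, reply.length)` and then jumps to `eat_out`, where, going by the commit message, the one remaining `_XEatData` call presumably still runs on `length`. In the visible lines `length` is only assigned after this branch, so the second call is a no-op only if `length` is initialised to 0 at its declaration, which is outside the hunk. Adding `length = 0;` just before `goto eat_out;` makes that explicit and rules out draining the connection twice or by an indeterminate amount.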