From dc2811874729ee83fa2aef110f60808c450f9a5a Mon Sep 17 00:00:00 2001
From: Ran Benita
Date: Tue, 17 Nov 2020 23:18:53 +0200
Subject: Avoid request counter truncation in replies map after 2**32 requests
The c->in request counters are uint64_t, and can realistically go over 2**32 over a lifetime of a client. The c->in->replies map however uses unsigned int keys and the passed request numbers are silently truncated. I haven't analyzed in depth what happens what it wraps around but it's probably nothing good. The only user of the xcb_list.c map code is c->in->replies, so just change it to use uint64_t keys.
Reviewed-by: Uli Schlachter
Signed-off-by: Ran Benita
---
 src/xcb_list.c | 6 +++---
 src/xcbint.h | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/xcb_list.c b/src/xcb_list.c
index 129540b..bdd2d43 100644
--- a/src/xcb_list.c
+++ b/src/xcb_list.c
@@ -36,7 +36,7 @@
 typedef struct node {
 struct node *next;
- unsigned int key;
+ uint64_t key;
 void *data;
 } node;
@@ -73,7 +73,7 @@ void _xcb_map_delete(_xcb_map *list, xcb_list_free_func_t do_free)
 free(list);
 }
-int _xcb_map_put(_xcb_map *list, unsigned int key, void *data)
+int _xcb_map_put(_xcb_map *list, uint64_t key, void *data)
 {
 node *cur = malloc(sizeof(node));
 if(!cur)
@@ -86,7 +86,7 @@ int _xcb_map_put(_xcb_map *list, unsigned int key, void *data)
 return 1;
 }
-void *_xcb_map_remove(_xcb_map *list, unsigned int key)
+void *_xcb_map_remove(_xcb_map *list, uint64_t key)
 {
 node **cur;
 for(cur = &list->head; *cur; cur = &(*cur)->next)
diff --git a/src/xcbint.h b/src/xcbint.h
index 524d6c7..6a070f8 100644
--- a/src/xcbint.h
+++ b/src/xcbint.h
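Review bot: Nothing on the `key` field of `struct node` records why it is 64 bits wide, so a later cleanup could narrow it again and bring back the truncation the commit message describes. A comment on the new line would pin the requirement: `uint64_t key; /* full request number; must stay as wide as the c->in request counters */`. Whether `<stdint.h>` already reaches this file through its existing includes is not visible in the hunk and should be confirmed.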
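Review bot: Widening the `key` parameter of `_xcb_map_put` only helps if every caller passes the full 64-bit request number; a call site that still holds the request in an `unsigned int` converts implicitly and compiles without a warning, so the map would again be keyed on wrapped values. The same applies to `_xcb_map_remove` in the next hunk and to both prototypes in `src/xcbint.h`. The callers are not part of this diff, so it is worth confirming that the keys handed to the `c->in->replies` map come straight from the `uint64_t` counters; one build with `-Wconversion` would surface a narrowing step upstream of the call, if there is one. The bodies of both functions continue outside their hunks.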
@@ -83,8 +83,8 @@ typedef struct _xcb_map _xcb_map; _xcb_map *_xcb_map_new(void); void _xcb_map_delete(_xcb_map *q, xcb_list_free_func_t do_free); -int _xcb_map_put(_xcb_map *q, unsigned int key, void *data); -void *_xcb_map_remove(_xcb_map *q, unsigned int key); +int _xcb_map_put(_xcb_map *q, uint64_t key, void *data); +void *_xcb_map_remove(_xcb_map *q, uint64_t key); /* xcb_out.c */ -- cgit v1.2.3