From 377b494577a924ee1621177933bee4bb5cc27fff Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 27 Aug 2005 01:45:27 +0000 Subject: Fixes for running X Test Suite via lbxproxy: - Failure for Xproto/GetProperty [Sun bug #4432077] - lbxproxy crash on Xlib5/XGetWindowProperty [Sun bug #4416964] - lbxproxy crash on Xlib7/XCreateColormap-10 [Sun bug #4431077] - lbxproxy crash on Xproto tests for bad length [Sun bug #4414232] (Derek Wang - Sun Microsystems) --- di/cmap.c | 3 +++ di/props.c | 22 +++++++++++++++++++--- include/misc.h | 5 +++++ os/io.c | 7 ++++--- 4 files changed, 31 insertions(+), 6 deletions(-) diff --git a/di/cmap.c b/di/cmap.c index 88c4553..1102ab5 100644 --- a/di/cmap.c +++ b/di/cmap.c @@ -1,4 +1,5 @@ /* $Xorg: cmap.c,v 1.5 2001/02/09 02:05:31 xorgcvs Exp $ */ +/* $XdotOrg: $ */ /* Copyright 1996, 1998 The Open Group @@ -968,6 +969,8 @@ create_colormap(cmap, visual) Pixel **pptr; pvis = GetVisual(visual); + if (!pvis) + return ((ColormapPtr) NULL); csize = pvis->colormapEntries; tsize = (csize * sizeof(Entry)) + (MAXCLIENTS * sizeof(Pixel *)) + (MAXCLIENTS * sizeof(int)); diff --git a/di/props.c b/di/props.c index 9f94bc4..296cdd1 100644 --- a/di/props.c +++ b/di/props.c @@ -1,4 +1,5 @@ /* $Xorg: props.c,v 1.4 2001/02/09 02:05:32 xorgcvs Exp $ */ +/* $XdotOrg: $ */ /* Copyright 1998 The Open Group @@ -254,6 +255,8 @@ ProcLBXGetProperty(client) REQUEST(xGetPropertyReq); ReplyStuffPtr nr; + REQUEST_SIZE_MATCH(xGetPropertyReq); + nr = NewReply(client, client->server->lbxReq, X_LbxGetProperty, GetLbxGetPropertyReply); if (!nr) @@ -289,7 +292,7 @@ GetLbxGetPropertyReply(client, nr, data) PropertyTagDataRec ptd; PropertyTagDataPtr ptdp; pointer pdata = NULL; - char *sdata; + char *sdata = NULL; char n; xGetPropertyReply reply; CARD32 tag, nItems, type, bytesAfter; @@ -387,15 +390,28 @@ GetLbxGetPropertyReply(client, nr, data) len = min(len, nr->request_info.lbxgetprop.length << 2); reply.bytesAfter = (ptdp->length - (len + (nr->request_info.lbxgetprop.offset << 2))); - sdata = sdata + (nr->request_info.lbxgetprop.offset << 2); + if (sdata) + sdata = sdata + (nr->request_info.lbxgetprop.offset << 2); } + if (ptdp->length) { + len = ptdp->length - (nr->request_info.lbxgetprop.offset << 2); + len = min(len, nr->request_info.lbxgetprop.length << 2); + reply.bytesAfter = (ptdp->length - + (len + (nr->request_info.lbxgetprop.offset << 2))); + } else { + len = 0; + reply.bytesAfter = rep->bytesAfter; + } + if(sdata) + sdata = sdata + (nr->request_info.lbxgetprop.offset << 2); + reply.type = X_Reply; reply.sequenceNumber = rep->sequenceNumber; reply.format = ptdp->format; reply.length = (len + 3) >> 2; reply.propertyType = ptdp->type; - if (len) + if (len && ptdp->format) reply.nItems = len / (ptdp->format >> 3); else reply.nItems = 0; diff --git a/include/misc.h b/include/misc.h index 3ead872..3b7ee48 100644 --- a/include/misc.h +++ b/include/misc.h @@ -1,4 +1,5 @@ /* $Xorg: misc.h,v 1.4 2001/02/09 02:05:32 xorgcvs Exp $ */ +/* $XdotOrg: $ */ /* @@ -111,4 +112,8 @@ extern int MaxClients; #define REQUEST(type) \ register type *stuff = (type *)client->requestBuffer +#define REQUEST_SIZE_MATCH(req) \ + if ((sizeof(req) >> 2) != client->req_len) \ + return (BadLength) + #endif diff --git a/os/io.c b/os/io.c index 25df337..56604f8 100644 --- a/os/io.c +++ b/os/io.c @@ -1,4 +1,5 @@ /* $Xorg: io.c,v 1.6 2001/02/09 02:05:33 xorgcvs Exp $ */ +/* $XdotOrg: $ */ /*********************************************************** Copyright 1987, 1989, 1998 The Open Group @@ -112,13 +113,13 @@ StandardRequestLength(req,client,got,partp) { int len; - if (!req) - req = (xReq *) client->requestBuffer; if (got < sizeof (xReq)) { *partp = TRUE; return sizeof (xReq); } + if (!req) + req = (xReq *) client->requestBuffer; len = get_req_len(req,client); if (len > MAXBUFSIZE) { @@ -984,7 +985,7 @@ StandardWriteToClient (who, count, buf) register ConnectionOutputPtr oco = oc->output; int padBytes; - if (!count) + if (!count || !buf) return(0); if (!oco) -- cgit v1.2.3