authorherrb <herrb>2001-02-08 21:13:14 +0000
committerherrb <herrb>2001-02-08 21:13:14 +0000
commit6a049437e8c05d0d3aed851f2100b986d340feb1 (patch)
treef180ca0fd4257ea3b6cc790f1c47df1c1d839973
parent3142dde9866c8b1f8c98bdefd2099d99249ac6ad (diff)
pull patch for libICE denial of service from 4.0.2 (#4450, Branden Robinson)
-rw-r--r--lib/ICE/ICElibint.h14
-rw-r--r--lib/ICE/process.c55
2 files changed, 49 insertions, 20 deletions
diff --git a/lib/ICE/ICElibint.h b/lib/ICE/ICElibint.h
index 27d3a7aeb..679bf067f 100644
--- a/lib/ICE/ICElibint.h
+++ b/lib/ICE/ICElibint.h
@@ -288,20 +288,24 @@ typedef struct {
}
-#define SKIP_STRING(_pBuf, _swap) \
+#define SKIP_STRING(_pBuf, _swap, _end) \
{ \
CARD16 _len; \
EXTRACT_CARD16 (_pBuf, _swap, _len); \
- _pBuf += _len; \
- if (PAD32 (2 + _len)) \
+ if ((_pBuf+_len) < _end) { \
+ _pBuf += _len; \
+ if ( (PAD32 (2 + _len)) && ( (PAD32(2+_len) + _pBuf < _end) )) \
_pBuf += PAD32 (2 + _len); \
+ } else {\
+ return(0);\
+ }\
}
-#define SKIP_LISTOF_STRING(_pBuf, _swap, _count) \
+#define SKIP_LISTOF_STRING(_pBuf, _swap, _count, _end) \
{ \
int _i; \
for (_i = 0; _i < _count; _i++) \
- SKIP_STRING (_pBuf, _swap); \
+ SKIP_STRING (_pBuf, _swap, _end); \
}
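Review bot: `EXTRACT_CARD16` still reads the two length bytes before anything compares `_pBuf` with `_end`, so the new `SKIP_STRING` can read past the message when fewer than two bytes remain. The strict `<` also rejects a string that ends exactly at `_end`, and when only the padding would cross `_end` the macro skips the pad without failing, which leaves `_pBuf` misaligned for the next field. Comparing the remaining byte count (`_end - _pBuf`) instead of forming `_pBuf + _len` also avoids computing a pointer beyond the buffer. The sketch below folds the three checks together; it assumes `EXTRACT_CARD16` advances `_pBuf` by two, which the `PAD32 (2 + _len)` term suggests.

```c
#define SKIP_STRING(_pBuf, _swap, _end) \
{ \
    CARD16 _len; \
    if ((_end) - (_pBuf) < 2) \
	return (0); \
    EXTRACT_CARD16 (_pBuf, _swap, _len); \
    if ((_end) - (_pBuf) < _len + PAD32 (2 + _len)) \
	return (0); \
    _pBuf += _len + PAD32 (2 + _len); \
}
/* ... unchanged: SKIP_LISTOF_STRING ... */
```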
diff --git a/lib/ICE/process.c b/lib/ICE/process.c
index 8e725f12a..796e86f93 100644
--- a/lib/ICE/process.c
+++ b/lib/ICE/process.c
@@ -1,4 +1,5 @@
/* $XConsortium: process.c,v 1.43 94/08/25 15:44:43 mor Exp $ */
+/* $XFree86: xc/lib/ICE/process.c,v 3.0 1994/06/28 12:19:30 dawes Exp $ */
/******************************************************************************
@@ -31,6 +32,9 @@ Author: Ralph Mor, X Consortium
#include <X11/ICE/ICElib.h>
#include "ICElibint.h"
+#ifdef MINIX
+#include <X11/Xtrans.h>
+#endif
/*
* Check for bad length
@@ -815,7 +819,7 @@ Bool swap;
int myAuthCount, hisAuthCount;
int found, i, j;
char *myAuthName, **hisAuthNames;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
char *vendor = NULL;
char *release = NULL;
int myAuthIndex = 0;
@@ -839,10 +843,11 @@ Bool swap;
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
- SKIP_LISTOF_STRING (pData, swap, (int) message->authCount);/* auth names */
+ SKIP_STRING (pData, swap, pEnd); /* vendor */
+ SKIP_STRING (pData, swap, pEnd); /* release */
+ SKIP_LISTOF_STRING (pData, swap, (int) message->authCount, pEnd);/* auth names */
pData += (message->versionCount * 4); /* versions */
CHECK_COMPLETE_SIZE (iceConn, ICE_ConnectionSetup,
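Review bot: The failure path of these `SKIP_STRING` calls is a `return(0)` hidden inside the macro, so the handler now exits silently at a point where `pStart` may already hold the message body. If the read above the hunk (not visible here) can hand back heap storage, that buffer is not released on this path, and a peer that keeps sending truncated strings could make the process leak on every message. Passing the bail-out as a macro argument would keep the exit visible at the call site, for example `SKIP_STRING (pData, swap, pEnd, goto bad_length);` with a single label that reports the error and disposes of `pStart`. The same applies to the call sites in the ICE_ConnectionReply, ICE_ProtocolSetup and ICE_ProtocolReply hunks; the enclosing function starts and ends outside this hunk.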
@@ -1681,7 +1686,7 @@ IceReplyWaitInfo *replyWait;
{
iceConnectionReplyMsg *message;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
Bool replyReady;
CHECK_AT_LEAST_SIZE (iceConn, ICE_ConnectionReply,
@@ -1697,9 +1702,10 @@ IceReplyWaitInfo *replyWait;
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
+ SKIP_STRING (pData, swap, pEnd); /* vendor */
+ SKIP_STRING (pData, swap, pEnd); /* release */
CHECK_COMPLETE_SIZE (iceConn, ICE_ConnectionReply,
length, pData - pStart + SIZEOF (iceConnectionReplyMsg),
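Review bot: `pEnd = pStart + (length << 3)` takes its bound from the wire length field alone, yet the `CHECK_COMPLETE_SIZE` call below adds `SIZEOF (iceConnectionReplyMsg)` to `pData - pStart` before comparing with `length`, which suggests `length` may also count header bytes that are not stored in the `pStart` buffer. Wherever a message header is larger than the part `length` excludes, `pEnd` would lie past the data actually read and the new bounds checks would still admit an over-read of that size. This is worth confirming against how `pStart` is filled above the hunk, for this handler and the three others that compute `pEnd` the same way, and recording with a comment such as `/* pEnd: one past the last byte read into pStart */`. The function body starts and ends outside the hunk.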
@@ -1785,7 +1791,7 @@ Bool swap;
int found, i, j;
char *myAuthName, **hisAuthNames;
char *protocolName;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
char *vendor = NULL;
char *release = NULL;
int accept_setup_now = 0;
@@ -1820,11 +1826,12 @@ Bool swap;
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* proto name */
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
- SKIP_LISTOF_STRING (pData, swap, (int) message->authCount);/* auth names */
+ SKIP_STRING (pData, swap, pEnd); /* proto name */
+ SKIP_STRING (pData, swap, pEnd); /* vendor */
+ SKIP_STRING (pData, swap, pEnd); /* release */
+ SKIP_LISTOF_STRING (pData, swap, (int) message->authCount, pEnd);/* auth names */
pData += (message->versionCount * 4); /* versions */
CHECK_COMPLETE_SIZE (iceConn, ICE_ProtocolSetup,
@@ -2166,7 +2173,7 @@ IceReplyWaitInfo *replyWait;
{
iceProtocolReplyMsg *message;
- char *pData, *pStart;
+ char *pData, *pStart, *pEnd;
Bool replyReady;
CHECK_AT_LEAST_SIZE (iceConn, ICE_ProtocolReply,
@@ -2182,9 +2189,10 @@ IceReplyWaitInfo *replyWait;
}
pData = pStart;
+ pEnd = pStart + (length << 3);
- SKIP_STRING (pData, swap); /* vendor */
- SKIP_STRING (pData, swap); /* release */
+ SKIP_STRING (pData, swap, pEnd); /* vendor */
+ SKIP_STRING (pData, swap, pEnd); /* release */
CHECK_COMPLETE_SIZE (iceConn, ICE_ProtocolReply,
length, pData - pStart + SIZEOF (iceProtocolReplyMsg),
@@ -2489,3 +2497,20 @@ Bool *connectionClosedRet;
if (replyWait)
*replyReadyRet = replyReady;
}
+
+
+#ifdef MINIX
+int
+MNX_IceMessagesAvailable(iceConn)
+
+IceConn iceConn;
+{
+ BytesReadable_t bytes;
+
+ _IceTransSetOption(iceConn->trans_conn, TRANS_NONBLOCKING, 1);
+ if (_IceTransBytesReadable(iceConn->trans_conn, &bytes) < 0)
+ bytes= -1;
+ _IceTransSetOption(iceConn->trans_conn, TRANS_NONBLOCKING, 0);
+ return (bytes != 0);
+}
+#endif
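Review bot: `MNX_IceMessagesAvailable` returns true when `_IceTransBytesReadable` fails, because `bytes` is forced to -1 and then tested with `!= 0`. If that is deliberate, so that the caller discovers the failure on its next read, it needs a comment saying so, for example `/* report "available" on error so the caller's read surfaces the failure */`. The function also sets `TRANS_NONBLOCKING` back to 0 unconditionally instead of restoring the previous mode, and it ignores both `_IceTransSetOption` results. A header comment should state that the connection is assumed to be blocking on entry.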