From 73b64a056a56cd713af172ef7adc2a5e63909784 Mon Sep 17 00:00:00 2001 From: Kaleb Keithley Date: Wed, 26 Nov 2003 22:48:31 +0000 Subject: merge latest (4.3.99.16) from XFree86 (vendor) branch --- src/FSFontInfo.c | 16 +++++++++++++++- src/FSFtNames.c | 5 +++-- src/FSGetCats.c | 7 ++++--- src/FSListCats.c | 5 +++-- src/FSListExt.c | 4 +++- src/FSOpenServ.c | 14 ++++++++++---- src/FSQGlyphs.c | 19 ++++++++++++++++++- src/FSQXExt.c | 8 +++++++- src/FSQXInfo.c | 5 ++++- src/FSlibInt.c | 13 ++++++++----- src/FSlibint.h | 2 +- src/FSlibos.h | 9 ++++++++- 12 files changed, 84 insertions(+), 23 deletions(-) diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c index 8ed2c96..f27b190 100644 --- a/src/FSFontInfo.c +++ b/src/FSFontInfo.c @@ -23,6 +23,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSFontInfo.c,v 1.5 2003/10/23 15:23:24 tsi Exp $ */ /* @@ -65,7 +66,7 @@ FSListFontsWithXInfo(svr, pattern, maxNames, count, info, pprops, offsets, prop_ long nbytes; int i, j; - int size = 0; + size_t size = 0; FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0; FSPropInfo **pi = (FSPropInfo **) 0; FSPropOffset **po = (FSPropOffset **) 0; @@ -123,8 +124,14 @@ FSListFontsWithXInfo(svr, pattern, maxNames, count, info, pprops, offsets, prop_ if (reply.nameLength == 0) /* got last reply in version 1 */ break; if ((i + reply.nReplies) >= size) { + + if (reply.nReplies > SIZE_MAX - i - 1) + goto badmem; size = i + reply.nReplies + 1; + if (size > SIZE_MAX / sizeof(char *)) + goto badmem; + if (fhdr) { FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **) FSrealloc((char *) fhdr, @@ -237,6 +244,9 @@ FSListFontsWithXInfo(svr, pattern, maxNames, count, info, pprops, offsets, prop_ pi[i]->num_offsets = local_pi.num_offsets; pi[i]->data_len = local_pi.data_len; + if (pi[i]->num_offsets > SIZE_MAX / sizeof(FSPropOffset)) + goto badmem; + po[i] = (FSPropOffset *) FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset)); if (!po[i]) { 
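Review bot: The overflow guards added inside the `(i + reply.nReplies) >= size` block of FSListFontsWithXInfo compare against SIZE_MAX, but the sums they protect are still evaluated at the width of `i` and `reply.nReplies`. `i` is declared `int` in this function, and if `nReplies` is a 32-bit protocol field (its declaration is not in the diff), then on an LP64 build `i + reply.nReplies + 1` can wrap before it is widened into the new `size_t size`, so the guard never fires and the arrays can end up smaller than the index written next. Widening first closes that: `if (((size_t) i + reply.nReplies) >= size)` and `size = (size_t) i + reply.nReplies + 1;`. The function body starts and ends outside this hunk.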
@@ -282,6 +292,10 @@ FSListFontsWithXInfo(svr, pattern, maxNames, count, info, pprops, offsets, prop_ nbytes = pi[i]->data_len + reply.nameLength; _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes)); } + /* avoid integer overflow */ + if (i > INT_MAX - 1) { + goto badmem; + } } *info = fhdr; *count = i; diff --git a/src/FSFtNames.c b/src/FSFtNames.c index 9a9025a..7460d9c 100644 --- a/src/FSFtNames.c +++ b/src/FSFtNames.c @@ -1,5 +1,4 @@ /* $Xorg: FSFtNames.c,v 1.4 2001/02/09 02:03:25 xorgcvs Exp $ */ - /* * Copyright 1990 Network Computing Devices; * Portions Copyright 1987 by Digital Equipment Corporation @@ -24,6 +23,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSFtNames.c,v 1.6 2003/10/23 15:23:24 tsi Exp $ */ /* @@ -78,7 +78,8 @@ FSListFonts(svr, pattern, maxNames, actualCount) (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return (char **) 0; - if (rep.nFonts) { + if (rep.nFonts && rep.nFonts <= SIZE_MAX / sizeof(char *) + && rep.length <= (SIZE_MAX >> 2)) { flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListFontsReply); c = (char *) FSmalloc((unsigned) (rlen + 1)); diff --git a/src/FSGetCats.c b/src/FSGetCats.c index 87f2fcf..a80054d 100644 --- a/src/FSGetCats.c +++ b/src/FSGetCats.c @@ -1,5 +1,4 @@ /* $Xorg: FSGetCats.c,v 1.4 2001/02/09 02:03:25 xorgcvs Exp $ */ - /* * Copyright 1990 Network Computing Devices; * Portions Copyright 1987 by Digital Equipment Corporation @@ -24,6 +23,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSGetCats.c,v 1.6 2003/10/23 15:23:24 tsi Exp $ */ /* 
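Review bot: The guard added to FSListFonts bounds `rep.nFonts` and `rep.length` from above only, so `rlen = (rep.length << 2) - SIZEOF(fsListFontsReply)` still drops below zero when the server reports a length shorter than the fixed reply, and that value sizes the second `FSmalloc`. Adding `&& (rep.length << 2) >= SIZEOF(fsListFontsReply)` to the condition would reject such a reply. The same one-sided test is added in FSGetCatalogues, FSListCatalogues and FSListExtensions. The branch taken when the guard fails is outside the hunk; it should be confirmed to drain or discard the reply bytes still on the connection, otherwise later requests read stale data.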
@@ -72,9 +72,10 @@ FSGetCatalogues(svr, num) SyncHandle(); return (char **) NULL; } - if (rep.num_catalogues) { + if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *) + && rep.length <= (SIZE_MAX >> 2)) { list = (char **) - FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *))); + FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *))); rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply); c = (char *) FSmalloc((unsigned) rlen + 1); if ((!list) || (!c)) { diff --git a/src/FSListCats.c b/src/FSListCats.c index eb4152a..dce37e5 100644 --- a/src/FSListCats.c +++ b/src/FSListCats.c @@ -1,5 +1,4 @@ /* $Xorg: FSListCats.c,v 1.4 2001/02/09 02:03:25 xorgcvs Exp $ */ - /* * Copyright 1990 Network Computing Devices; * Portions Copyright 1987 by Digital Equipment Corporation @@ -24,6 +23,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSListCats.c,v 1.6 2003/10/23 15:23:24 tsi Exp $ */ /* @@ -78,7 +78,8 @@ FSListCatalogues(svr, pattern, maxNames, actualCount) (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return (char **) 0; - if (rep.num_catalogues) { + if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *) + && rep.length <= (SIZE_MAX>>2)) { clist = (char **) FSmalloc((unsigned) rep.num_catalogues * sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply); diff --git a/src/FSListExt.c b/src/FSListExt.c index fb874a3..ee87a1c 100644 --- a/src/FSListExt.c +++ b/src/FSListExt.c @@ -24,6 +24,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSListExt.c,v 1.6 2003/10/23 15:23:24 tsi Exp $ */ /* 
@@ -72,7 +73,8 @@ FSListExtensions(svr, next) SyncHandle(); return (char **) NULL; } - if (rep.nExtensions) { + if (rep.nExtensions && rep.nExtensions <= SIZE_MAX / sizeof(char *) + && rep.length <= (SIZE_MAX>>2)) { list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *))); rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply); c = (char *) FSmalloc((unsigned) rlen + 1); diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c index b3b8612..a992a65 100644 --- a/src/FSOpenServ.c +++ b/src/FSOpenServ.c @@ -24,7 +24,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ -/* $XFree86: xc/lib/FS/FSOpenServ.c,v 1.6 2001/12/14 19:53:33 dawes Exp $ */ +/* $XFree86: xc/lib/FS/FSOpenServ.c,v 1.8 2003/09/01 20:50:09 herrb Exp $ */ /* @@ -118,7 +118,7 @@ FSOpenServer(server) AlternateServer *alts; int altlen; char *vendor_string; - long setuplength; + unsigned long setuplength; if (server == NULL || *server == '\0') { if ((server = getenv("FONTSERVER")) == NULL) { @@ -153,7 +153,8 @@ FSOpenServer(server) _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup)); setuplength = prefix.alternate_len << 2; - if ((alt_data = (char *) + if (setuplength > (SIZE_MAX>>2) + || (alt_data = (char *) (setup = FSmalloc((unsigned) setuplength))) == NULL) { errno = ENOMEM; FSfree((char *) svr); @@ -162,6 +163,10 @@ FSOpenServer(server) _FSRead(svr, (char *) alt_data, setuplength); ad = alt_data; + if (prefix.num_alternates > SIZE_MAX / sizeof(AlternateServer)) { + errno = ENOMEM; + return (FSServer *) 0; + } alts = (AlternateServer *) FSmalloc(sizeof(AlternateServer) * prefix.num_alternates); if (!alts) { @@ -193,7 +198,8 @@ FSOpenServer(server) svr->num_alternates = prefix.num_alternates; setuplength = prefix.auth_len << 2; - if ((auth_data = (char *) + if (prefix.auth_len > (SIZE_MAX>>2) + || (auth_data = (char *) (setup = FSmalloc((unsigned) setuplength))) == NULL) { errno = ENOMEM; FSfree((char *) svr); 
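Review bot: In FSOpenServer the first length test runs after the shift (`setuplength = prefix.alternate_len << 2;` then `setuplength > (SIZE_MAX>>2)`), so it cannot see a shift that has already wrapped, whereas the later hunk tests `prefix.auth_len` itself. Testing the unshifted field in both places, `if (prefix.alternate_len > (SIZE_MAX>>2) || ...`, keeps the two consistent. Both allocations also still pass `(unsigned) setuplength` to FSmalloc although `setuplength` is now `unsigned long`, while `_FSRead` receives the full value. If the protocol field is wide enough for the two to differ (its type is not visible here), the buffer is smaller than the read, so the cast should be dropped or the value checked against `UINT_MAX` first.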
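Review bot: The new `prefix.num_alternates` check in FSOpenServer returns without releasing anything: `alt_data` was allocated and filled just above it, and the neighbouring failure paths in this function call `FSfree((char *) svr)` before returning. As written the early return leaks both, plus whatever connection state `svr` holds (not visible in the hunk). Mirror the cleanup used by the other error branches, e.g. `FSfree((char *) alt_data); FSfree((char *) svr);` before `return (FSServer *) 0;`.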
diff --git a/src/FSQGlyphs.c b/src/FSQGlyphs.c index 550a042..b13bdde 100644 --- a/src/FSQGlyphs.c +++ b/src/FSQGlyphs.c @@ -1,5 +1,4 @@ /* $Xorg: FSQGlyphs.c,v 1.4 2001/02/09 02:03:25 xorgcvs Exp $ */ - /* * Copyright 1990 Network Computing Devices; * Portions Copyright 1987 by Digital Equipment Corporation @@ -24,6 +23,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSQGlyphs.c,v 1.5 2003/10/23 15:23:24 tsi Exp $ */ /* @@ -85,12 +85,20 @@ FSQueryXBitmaps8(svr, fid, format, range_type, str, str_len, offsets, glyphdata) (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return FSBadAlloc; + if (reply.num_chars > SIZE_MAX / sizeof(FSOffset)) + return FSBadAlloc; + offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars); *offsets = offs; if (!offs) return FSBadAlloc; left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply) - (SIZEOF(fsOffset32) * reply.num_chars); + /* XXX This thest is incomplete */ + if (reply.length > (SIZE_MAX >> 2)) { + FSfree((char *) offs); + return FSBadAlloc; + } gd = (unsigned char *) FSmalloc(left); *glyphdata = gd; if (!gd) { @@ -141,6 +149,8 @@ FSQueryXBitmaps16(svr, fid, format, range_type, str, str_len, int i; fsChar2b_version1 *swapped_str; + if (str_len > SIZE_MAX/SIZEOF(fsChar2b_version1)) + return FSBadAlloc; swapped_str = (fsChar2b_version1 *) FSmalloc(SIZEOF(fsChar2b_version1) * str_len); if (!swapped_str) 
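Review bot: The `reply.length` test added to FSQueryXBitmaps8 runs after `left` has been computed and checks only the upper bound, so a reply whose length is smaller than the fixed header plus `SIZEOF(fsOffset32) * reply.num_chars` still produces a wrapped or negative `left` that is passed to `FSmalloc`. The commit's own comment marks the test as incomplete (and misspells "test" as "thest"). The check should move ahead of the subtraction and also verify that the payload covers the offsets, with the arithmetic done in `size_t`; the type of `left` is declared outside the hunk and should be confirmed to hold the result. The same change applies to the FSQueryXBitmaps16 hunk, with `fsQueryXBitmaps16Reply` in place of the 8-bit reply type.

```c
    /* … unchanged: num_chars check, offs allocation and NULL check … */
    {
	size_t total, fixed;

	if (reply.length > (SIZE_MAX >> 2)) {
	    FSfree((char *) offs);
	    return FSBadAlloc;
	}
	total = (size_t) reply.length << 2;
	fixed = SIZEOF(fsQueryXBitmaps8Reply);
	/* reject replies too short to hold the header and num_chars offsets */
	if (total < fixed
	    || (total - fixed) / SIZEOF(fsOffset32) < reply.num_chars) {
	    FSfree((char *) offs);
	    return FSBadAlloc;
	}
	left = total - fixed - ((size_t) SIZEOF(fsOffset32) * reply.num_chars);
    }
    gd = (unsigned char *) FSmalloc(left);
```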
@@ -160,12 +170,19 @@ FSQueryXBitmaps16(svr, fid, format, range_type, str, str_len, fsFalse)) return FSBadAlloc; + if(reply.num_chars > SIZE_MAX/sizeof(FSOffset)) + return FSBadAlloc; offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars); *offsets = offs; if (!offs) return FSBadAlloc; left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply) - (SIZEOF(fsOffset32) * reply.num_chars); + /* XXX - this test is incomplete */ + if (reply.length > (SIZE_MAX>>2)) { + FSfree((char *) offs); + return FSBadAlloc; + } gd = (unsigned char *) FSmalloc(left); *glyphdata = gd; if (!gd) { diff --git a/src/FSQXExt.c b/src/FSQXExt.c index f96cad0..d288acd 100644 --- a/src/FSQXExt.c +++ b/src/FSQXExt.c @@ -24,7 +24,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ -/* $XFree86: xc/lib/FS/FSQXExt.c,v 1.5 2001/12/14 19:53:33 dawes Exp $ */ +/* $XFree86: xc/lib/FS/FSQXExt.c,v 1.7 2003/09/01 20:50:09 herrb Exp $ */ /* @@ -92,6 +92,9 @@ FSQueryXExtents8(svr, fid, range_type, str, str_len, extents) (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return FSBadAlloc; + + if (reply.num_extents > SIZE_MAX / sizeof(FSXCharInfo)) + return FSBadAlloc; ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents); *extents = ext; @@ -149,6 +152,9 @@ FSQueryXExtents16(svr, fid, range_type, str, str_len, extents) fsFalse)) return FSBadAlloc; + if (reply.num_extents > SIZE_MAX/sizeof(FSXCharInfo)) + return FSBadAlloc; + ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents); *extents = ext; if (!ext) diff --git a/src/FSQXInfo.c b/src/FSQXInfo.c index f65b4e1..3ee3449 100644 --- a/src/FSQXInfo.c +++ b/src/FSQXInfo.c @@ -1,5 +1,4 @@ /* $Xorg: FSQXInfo.c,v 1.4 2001/02/09 02:03:25 xorgcvs Exp $ */ - /* * Copyright 1990 Network Computing Devices; * Portions Copyright 1987 by Digital Equipment Corporation 
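Review bot: The `reply.num_extents` checks in FSQueryXExtents8 and FSQueryXExtents16 only stop `sizeof(FSXCharInfo) * reply.num_extents` from wrapping; the count is never compared with the amount of data the reply says it carries. A server-supplied count larger than `reply.length` allows still drives a large allocation and, presumably, a read loop waiting for records that never arrive (the loop is outside both hunks). At minimum add `if ((reply.length << 2) < SIZEOF(fsQueryXExtents8Reply)) return FSBadAlloc;` and bound `num_extents` by the remaining payload divided by the wire size of one extent record. A short comment that both fields are untrusted server input would help the next reader.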
@@ -24,6 +23,7 @@ * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. */ +/* $XFree86: xc/lib/FS/FSQXInfo.c,v 1.5 2003/10/23 15:23:24 tsi Exp $ */ /* @@ -91,6 +91,9 @@ FSQueryXInfo(svr, fid, info, props, offsets, prop_data) props->num_offsets = local_pi.num_offsets; props->data_len = local_pi.data_len; + if (props->num_offsets > SIZE_MAX / sizeof(FSPropOffset)) + return FSBadAlloc; + /* prepare for prop data */ offset_data = (FSPropOffset *) FSmalloc(props->num_offsets * sizeof(FSPropOffset)); diff --git a/src/FSlibInt.c b/src/FSlibInt.c index accbab4..bf63794 100644 --- a/src/FSlibInt.c +++ b/src/FSlibInt.c @@ -50,7 +50,7 @@ used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The Open Group. */ -/* $XFree86: xc/lib/FS/FSlibInt.c,v 3.10 2001/12/14 19:53:33 dawes Exp $ */ +/* $XFree86: xc/lib/FS/FSlibInt.c,v 3.11 2003/05/23 14:38:26 tsi Exp $ */ /* * FSlibInt.c - Internal support routines for the C subroutine @@ -497,12 +497,15 @@ _FSReadPad(svr, data, size) if (bytes_read > 0) { size -= bytes_read; - if ((iov[0].iov_len -= bytes_read) < 0) { - iov[1].iov_len += iov[0].iov_len; - iov[1].iov_base = (char *)iov[1].iov_base - iov[0].iov_len; + if (iov[0].iov_len < bytes_read) { + iov[1].iov_len += iov[0].iov_len - bytes_read; + iov[1].iov_base = + (char *)iov[1].iov_base +bytes_read - iov[0].iov_len; iov[0].iov_len = 0; - } else + } else { + iov[0].iov_len -= bytes_read; iov[0].iov_base = (char *)iov[0].iov_base + bytes_read; + } } else if (ETEST()) { _FSWaitForReadable(svr); diff --git a/src/FSlibint.h b/src/FSlibint.h index 06910ce..18d0d24 100644 --- a/src/FSlibint.h +++ b/src/FSlibint.h 
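Review bot: The rewritten overshoot branch of _FSReadPad is correct only through unsigned wrap-around: `iov[1].iov_len += iov[0].iov_len - bytes_read;` adds a difference that is negative in intent. Stating the overshoot directly is easier to audit: `iov[1].iov_len -= bytes_read - iov[0].iov_len;`. The comparison `iov[0].iov_len < bytes_read` also mixes an unsigned length with `bytes_read`, whose type is not visible in the hunk. It is safe only because the branch sits under `bytes_read > 0`, which deserves a one-line comment such as `/* bytes_read > 0 here, so the unsigned comparison is safe */`.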
@@ -50,7 +50,7 @@ used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The Open Group. */ -/* $XFree86: xc/lib/FS/FSlibint.h,v 3.7 2001/12/14 19:53:33 dawes Exp $ */ +/* $XFree86: xc/lib/FS/FSlibint.h,v 3.9 2003/09/01 20:50:09 herrb Exp $ */ /* * FSlib internal decls diff --git a/src/FSlibos.h b/src/FSlibos.h index 5be36ec..5e4fe92 100644 --- a/src/FSlibos.h +++ b/src/FSlibos.h @@ -50,7 +50,7 @@ used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The Open Group. */ -/* $XFree86: xc/lib/FS/FSlibos.h,v 3.9 2002/05/31 18:45:39 dawes Exp $ */ +/* $XFree86: xc/lib/FS/FSlibos.h,v 3.10 2003/09/01 20:50:10 herrb Exp $ */ /* * FSlib networking & os include file @@ -76,6 +76,13 @@ in this Software without prior written authorization from The Open Group. #undef _POSIX_SOURCE #endif #endif +#ifndef SIZE_MAX +# ifdef ULONG_MAX +# define SIZE_MAX ULONG_MAX +# else +# define SIZE_MAX UINT_MAX +# endif +#endif #ifndef OPEN_MAX #ifdef SVR4 #define OPEN_MAX 256 -- cgit v1.2.3
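Review bot: The SIZE_MAX fallback in FSlibos.h depends on `<limits.h>` having been included before this point: if neither ULONG_MAX nor UINT_MAX is defined yet, `SIZE_MAX` expands to an undeclared `UINT_MAX` and the new overflow checks fail to compile. The hunk does not show the includes above it, so either confirm that or add `#include <limits.h>` immediately before the `#ifndef SIZE_MAX` block. FSFontInfo.c starts using `INT_MAX` in this commit and has the same dependency. ULONG_MAX is also only a conservative stand-in on platforms where `long` is narrower than `size_t`, which is worth a comment next to the define.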