summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDave Airlie <airlied@redhat.com>2008-06-12 09:04:24 +1000
committerDave Airlie <airlied@redhat.com>2008-06-12 09:04:24 +1000
commit23e71ef71a178505494d4b410f9314acfff81524 (patch)
treeaddd4e2754f52933509d736c5a639e210cbc4c35
parent390b155135a451fa728b73c8107aea91dfd56ed1 (diff)
dbe: fix DoS reported by iDefense.
This isn't a security problem just a user could DoS themselves for fun or profit.
-rw-r--r--dbe/dbe.c53
1 files changed, 27 insertions, 26 deletions
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 8175a352f..d34708d38 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -229,6 +229,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
xDbeSwapAction swapAction;
VisualID visual;
int status;
+ int add_index;
REQUEST_SIZE_MATCH(xDbeAllocateBackBufferNameReq);
@@ -299,14 +300,6 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
return(BadAlloc);
bzero(pDbeWindowPriv, sizeof(DbeWindowPrivRec));
- /* Make the window priv a DBE window priv resource. */
- if (!AddResource(stuff->buffer, dbeWindowPrivResType,
- (pointer)pDbeWindowPriv))
- {
- xfree(pDbeWindowPriv);
- return(BadAlloc);
- }
-
/* Fill out window priv information. */
pDbeWindowPriv->pWindow = pWin;
pDbeWindowPriv->width = pWin->drawable.width;
@@ -321,14 +314,15 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
/* Initialize the buffer ID list. */
pDbeWindowPriv->maxAvailableIDs = DBE_INIT_MAX_IDS;
pDbeWindowPriv->IDs[0] = stuff->buffer;
- for (i = 1; i < DBE_INIT_MAX_IDS; i++)
+
+ add_index = 0;
+ for (i = 0; i < DBE_INIT_MAX_IDS; i++)
{
pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
}
-
/* Actually connect the window priv to the window. */
- dixSetPrivate(&pWin->devPrivates, dbeWindowPrivKey, pDbeWindowPriv);
+ dixSetPrivate(&pWin->devPrivates, dbeWindowPrivKey, pDbeWindowPriv);
} /* if -- There is no buffer associated with the window. */
@@ -354,7 +348,6 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
/* No more room in the ID array -- reallocate another array. */
XID *pIDs;
-
/* Setup an array pointer for the realloc operation below. */
if (pDbeWindowPriv->maxAvailableIDs == DBE_INIT_MAX_IDS)
{
@@ -391,16 +384,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
pDbeWindowPriv->maxAvailableIDs += DBE_INCR_MAX_IDS;
}
- /* Finally, record the buffer ID in the array. */
- pDbeWindowPriv->IDs[i] = stuff->buffer;
-
- /* Associate the new ID with an existing window priv. */
- if (!AddResource(stuff->buffer, dbeWindowPrivResType,
- (pointer)pDbeWindowPriv))
- {
- pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
- return(BadAlloc);
- }
+ add_index = i;
} /* else -- A buffer is already associated with the window. */
@@ -409,13 +393,26 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
status = (*pDbeScreenPriv->AllocBackBufferName)(pWin, stuff->buffer,
stuff->swapAction);
- if ((status != Success) && (pDbeWindowPriv->nBufferIDs == 0))
+ if (status == Success)
{
+ pDbeWindowPriv->IDs[add_index] = stuff->buffer;
+ if (!AddResource(stuff->buffer, dbeWindowPrivResType,
+ (pointer)pDbeWindowPriv))
+ {
+ pDbeWindowPriv->IDs[add_index] = DBE_FREE_ID_ELEMENT;
+
+ if (pDbeWindowPriv->nBufferIDs == 0) {
+ status = BadAlloc;
+ goto out_free;
+ }
+ }
+ } else {
/* The DDX buffer allocation routine failed for the first buffer of
* this window.
*/
- xfree(pDbeWindowPriv);
- return(status);
+ if (pDbeWindowPriv->nBufferIDs == 0) {
+ goto out_free;
+ }
}
/* Increment the number of buffers (XIDs) associated with this window. */
@@ -424,9 +421,13 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
/* Set swap action on all calls. */
pDbeWindowPriv->swapAction = stuff->swapAction;
-
return(status);
+out_free:
+ dixSetPrivate(&pWin->devPrivates, dbeWindowPrivKey, NULL);
+ xfree(pDbeWindowPriv);
+ return (status);
+
} /* ProcDbeAllocateBackBufferName() */