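diff --git a/Xext/security.c b/Xext/security.c
index ba057de..f34c463 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization(
 register char n;
 CARD32 *values;
 unsigned long nvalues;
+ int values_offset;
 
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
 swaps(&stuff->nbytesAuthProto, n);
 swaps(&stuff->nbytesAuthData, n);
 swapl(&stuff->valueMask, n);
- values = (CARD32 *)(&stuff[1]) +
- ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
- ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+ ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+ if (values_offset >
+ stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+ return BadLength;
+ values = (CARD32 *)(&stuff[1]) + values_offset;
 nvalues = (((CARD32 *)stuff) + stuff->length) - values;
 SwapLongs(values, nvalues);
 return ProcSecurityGenerateAuthorization(client);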
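Review bot: The new bound on `values_offset` is only correct because the comparison stays in signed `int`, and nothing at the check says so. `stuff->length` is a 16-bit field (it is swapped with `swaps`), so the right-hand side goes negative when the declared length is shorter than the fixed header and the request is rejected; if `values_offset` were later changed to an unsigned type, that negative value would wrap and the check would pass. I would add a comment above the `if`, e.g. `/* all quantities are in 4-byte units; values_offset must stay signed so a short stuff->length fails this check */`. This assumes `sz_xSecurityGenerateAuthorizationReq` expands to a plain int constant, which the hunk does not show; the function's opening and closing braces are also outside the hunk.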
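diff --git a/record/record.c b/record/record.c
index 0ed8f84..9a166d6 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
 register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 swapl(&stuff->nClients, n);
 swapl(&stuff->nRanges, n);
 pClientID = (XID *)&stuff[1];
+ if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+ return BadLength;
 for (i = 0; i < stuff->nClients; i++, pClientID++)
 {
 swapl(pClientID, n);
 }
+ if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+ - stuff->nClients)
+ return BadLength;
 RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+ return Success;
 } /* SwapCreateRegister */
 
 
@@ -2679,11 +2685,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
 REQUEST(xRecordCreateContextReq);
+ int status;
 register char n;
 
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
 return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2692,11 +2700,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
 REQUEST(xRecordRegisterClientsReq);
+ int status;
 register char n;
 
 swaps(&stuff->length, n);
 REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
- SwapCreateRegister((pointer)stuff);
+ if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+ return status;
 return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */
 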
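Review bot: The second check in `SwapCreateRegister` compares `stuff->nRanges`, a count of `xRecordRange` records, against the remaining request length in 4-byte words, so it only bounds `RecordSwapRanges` if one range occupies a single word. The struct's size is not visible here, but if it is larger (the protocol header's `sz_xRecordRange` would say), the swap can still touch memory past the end of the request; dividing the remainder by the per-range size closes that: `if (stuff->nRanges > (stuff->length - (sz_xRecordRegisterClientsReq >> 2) - stuff->nClients) / (sz_xRecordRange >> 2))`. Both checks also compare 32-bit counts (presumably unsigned CARD32, given `swapl`) with an `int` expression, so they rely on the callers' `REQUEST_AT_LEAST_SIZE` keeping `stuff->length` at or above the header size; `SProcRecordCreateContext` checks against `xRecordCreateContextReq` and then casts, which is worth a comment stating that the two layouts match. The declarations of `i` and `pClientID` fall between the two hunks and are not shown.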