diff options
| author | Niclas Zeising <zeising@FreeBSD.org> | 2013-06-04 19:31:29 +0000 |
|---|---|---|
| committer | Niclas Zeising <zeising@FreeBSD.org> | 2013-06-04 19:31:29 +0000 |
| commit | d516c8b6633c5fada67c3b1137057008c7553549 (patch) | |
| tree | b5553ea72e286d166ab601ab26b551eaadb9b1e9 /x11/libXrender | |
| parent | d5ff26dc8497868e13985e07980876af5dff9050 (diff) | |
| download | ports-d516c8b6633c5fada67c3b1137057008c7553549.tar.gz ports-d516c8b6633c5fada67c3b1137057008c7553549.zip | |
Notes
Diffstat (limited to 'x11/libXrender')
| -rw-r--r-- | x11/libXrender/Makefile | 1 | ||||
| -rw-r--r-- | x11/libXrender/files/patch-src_Filter.c | 70 | ||||
| -rw-r--r-- | x11/libXrender/files/patch-src_Xrender.c | 114 |
3 files changed, 185 insertions, 0 deletions
diff --git a/x11/libXrender/Makefile b/x11/libXrender/Makefile index 0f605472b6a5..4205a28f20c4 100644 --- a/x11/libXrender/Makefile +++ b/x11/libXrender/Makefile @@ -3,6 +3,7 @@ PORTNAME= libXrender PORTVERSION= 0.9.7 +PORTREVISION= 1 CATEGORIES= x11 MAINTAINER= x11@FreeBSD.org diff --git a/x11/libXrender/files/patch-src_Filter.c b/x11/libXrender/files/patch-src_Filter.c new file mode 100644 index 000000000000..9bd1784ec5ca --- /dev/null +++ b/x11/libXrender/files/patch-src_Filter.c @@ -0,0 +1,70 @@ +--- src/Filter.c.orig 2013-06-03 19:11:25.000000000 +0000 ++++ src/Filter.c 2013-06-03 19:11:31.000000000 +0000 +@@ -25,6 +25,7 @@ + #include <config.h> + #endif + #include "Xrenderint.h" ++#include <limits.h> + + XFilters * + XRenderQueryFilters (Display *dpy, Drawable drawable) +@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawa + char *name; + char len; + int i; +- long nbytes, nbytesAlias, nbytesName; ++ unsigned long nbytes, nbytesAlias, nbytesName; + + if (!RenderHasExtension (info)) + return NULL; +@@ -60,26 +61,36 @@ XRenderQueryFilters (Display *dpy, Drawa + SyncHandle (); + return NULL; + } +- /* +- * Compute total number of bytes for filter names +- */ +- nbytes = (long)rep.length << 2; +- nbytesAlias = rep.numAliases * 2; +- if (rep.numAliases & 1) +- nbytesAlias += 2; +- nbytesName = nbytes - nbytesAlias; + + /* +- * Allocate one giant block for the whole data structure ++ * Limit each component of combined size to 1/4 the max, which is far ++ * more than they should ever possibly need. + */ +- filters = Xmalloc (sizeof (XFilters) + +- rep.numFilters * sizeof (char *) + +- rep.numAliases * sizeof (short) + +- nbytesName); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && ++ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { ++ /* ++ * Compute total number of bytes for filter names ++ */ ++ nbytes = (unsigned long)rep.length << 2; ++ nbytesAlias = rep.numAliases * 2; ++ if (rep.numAliases & 1) ++ nbytesAlias += 2; ++ nbytesName = nbytes - nbytesAlias; ++ ++ /* ++ * Allocate one giant block for the whole data structure ++ */ ++ filters = Xmalloc (sizeof (XFilters) + ++ (rep.numFilters * sizeof (char *)) + ++ (rep.numAliases * sizeof (short)) + ++ nbytesName); ++ } else ++ filters = NULL; + + if (!filters) + { +- _XEatData (dpy, (unsigned long) rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; diff --git a/x11/libXrender/files/patch-src_Xrender.c b/x11/libXrender/files/patch-src_Xrender.c new file mode 100644 index 000000000000..0d282cb8c3e9 --- /dev/null +++ b/x11/libXrender/files/patch-src_Xrender.c @@ -0,0 +1,114 @@ +--- src/Xrender.c.orig 2013-06-03 19:11:25.000000000 +0000 ++++ src/Xrender.c 2013-06-03 19:11:34.000000000 +0000 +@@ -26,6 +26,7 @@ + #include <config.h> + #endif + #include "Xrenderint.h" ++#include <limits.h> + + XRenderExtInfo XRenderExtensionInfo; + char XRenderExtensionName[] = RENDER_NAME; +@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) + CARD32 *xSubpixel; + void *xData; + int nf, ns, nd, nv; +- int rlength; +- int nbytes; ++ unsigned long rlength; ++ unsigned long nbytes; + + RenderCheckExtension (dpy, info, 0); + LockDisplay (dpy); +@@ -458,24 +459,35 @@ XRenderQueryFormats (Display *dpy) + if (async_state.major_version == 0 && async_state.minor_version < 6) + rep.numSubpixel = 0; + +- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + +- rep.numFormats * sizeof (XRenderPictFormat) + +- rep.numScreens * sizeof (XRenderScreen) + +- rep.numDepths * sizeof (XRenderDepth) + +- rep.numVisuals * sizeof (XRenderVisual)); +- rlength = (rep.numFormats * sizeof (xPictFormInfo) + +- rep.numScreens * sizeof (xPictScreen) + +- rep.numDepths * sizeof (xPictDepth) + +- rep.numVisuals * sizeof (xPictVisual) + +- rep.numSubpixel * 4); +- xData = (void *) Xmalloc (rlength); +- nbytes = (int) rep.length << 2; ++ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && ++ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && ++ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && ++ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && ++ (rep.numSubpixel < ((INT_MAX / 4) / 4)) && ++ (rep.length < (INT_MAX >> 2)) ) { ++ xri = Xmalloc (sizeof (XRenderInfo) + ++ (rep.numFormats * sizeof (XRenderPictFormat)) + ++ (rep.numScreens * sizeof (XRenderScreen)) + ++ (rep.numDepths * sizeof (XRenderDepth)) + ++ (rep.numVisuals * sizeof (XRenderVisual))); ++ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + ++ (rep.numScreens * sizeof (xPictScreen)) + ++ (rep.numDepths * sizeof (xPictDepth)) + ++ (rep.numVisuals * sizeof (xPictVisual)) + ++ (rep.numSubpixel * 4)); ++ xData = Xmalloc (rlength); ++ nbytes = (unsigned long) rep.length << 2; ++ } else { ++ xri = NULL; ++ xData = NULL; ++ rlength = nbytes = 0; ++ } + + if (!xri || !xData || nbytes < rlength) + { + if (xri) Xfree (xri); + if (xData) Xfree (xData); +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 0; +@@ -832,7 +844,7 @@ XRenderQueryPictIndexValues(Display *d + xRenderQueryPictIndexValuesReq *req; + xRenderQueryPictIndexValuesReply rep; + XIndexValue *values; +- int nbytes, nread, rlength, i; ++ unsigned int nbytes, nread, rlength, i; + + RenderCheckExtension (dpy, info, NULL); + +@@ -848,18 +860,25 @@ XRenderQueryPictIndexValues(Display *d + return NULL; + } + +- /* request data length */ +- nbytes = (long)rep.length << 2; +- /* bytes of actual data in the request */ +- nread = rep.numIndexValues * SIZEOF (xIndexValue); +- /* size of array returned to application */ +- rlength = rep.numIndexValues * sizeof (XIndexValue); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { ++ /* request data length */ ++ nbytes = rep.length << 2; ++ /* bytes of actual data in the request */ ++ nread = rep.numIndexValues * SIZEOF (xIndexValue); ++ /* size of array returned to application */ ++ rlength = rep.numIndexValues * sizeof (XIndexValue); ++ ++ /* allocate returned data */ ++ values = Xmalloc (rlength); ++ } else { ++ nbytes = nread = rlength = 0; ++ values = NULL; ++ } + +- /* allocate returned data */ +- values = (XIndexValue *)Xmalloc (rlength); + if (!values) + { +- _XEatData (dpy, nbytes); ++ _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; |