From c89bcd12f4fc7233830a8dbe7863c312f657da3c Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 14 Apr 2013 09:33:57 -0700 Subject: [PATCH 1/9] Xdmx: integer overflow in GetGLXVisualConfigs() numVisuals & numProps are both CARD32 and need to be bounds checked before multiplying by structure sizes to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- hw/dmx/dmx_glxvisuals.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/hw/dmx/dmx_glxvisuals.c b/hw/dmx/dmx_glxvisuals.c index f903b7491e..027557addd 100644 --- a/hw/dmx/dmx_glxvisuals.c +++ b/hw/dmx/dmx_glxvisuals.c @@ -37,6 +37,7 @@ #include #include #include +#include #include "dmx_glxvisuals.h" @@ -84,7 +85,10 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs) SyncHandle(); return NULL; } - props = (INT32 *) Xmalloc(nprops * __GLX_SIZE_CARD32); + if (nprops < (INT_MAX / __GLX_SIZE_CARD32)) + props = Xmalloc(nprops * __GLX_SIZE_CARD32); + else + props = NULL; if (!props) { UnlockDisplay(dpy); SyncHandle(); @@ -92,15 +96,16 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs) } /* Allocate memory for our config structure */ - config = (__GLXvisualConfig *) - Xmalloc(nvisuals * sizeof(__GLXvisualConfig)); + if (nvisuals < (INT_MAX / sizeof(__GLXvisualConfig))) + config = Xcalloc(nvisuals, sizeof(__GLXvisualConfig)); + else + config = NULL; if (!config) { free(props); UnlockDisplay(dpy); SyncHandle(); return NULL; } - memset(config, 0, nvisuals * sizeof(__GLXvisualConfig)); configs = config; num_good_visuals = 0; From 5fbd8c45b46ab93522e417240aa770466c30b735 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 14 Apr 2013 09:45:26 -0700 Subject: [PATCH 2/9] Xdmx: integer overflow in GetGLXFBConfigs() numFBConfigs & numAttribs are CARD32s and need to be bounds checked before multiplying by structure sizes to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- hw/dmx/dmx_glxvisuals.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/hw/dmx/dmx_glxvisuals.c b/hw/dmx/dmx_glxvisuals.c index 027557addd..56bd67b6ee 100644 --- a/hw/dmx/dmx_glxvisuals.c +++ b/hw/dmx/dmx_glxvisuals.c @@ -279,7 +279,10 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs) return NULL; } - attrs = (INT32 *) Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32); + if (numAttribs < (INT_MAX / (2 * __GLX_SIZE_CARD32))) + attrs = Xmalloc(2 * numAttribs * __GLX_SIZE_CARD32); + else + attrs = NULL; if (!attrs) { UnlockDisplay(dpy); SyncHandle(); @@ -287,15 +290,16 @@ GetGLXFBConfigs(Display * dpy, int glxMajorOpcode, int *nconfigs) } /* Allocate memory for our config structure */ - config = (__GLXFBConfig *) - Xmalloc(numFBConfigs * sizeof(__GLXFBConfig)); + if (numFBConfigs < (INT_MAX / sizeof(__GLXFBConfig))) + config = Xcalloc(numFBConfigs, sizeof(__GLXFBConfig)); + else + config = NULL; if (!config) { free(attrs); UnlockDisplay(dpy); SyncHandle(); return NULL; } - memset(config, 0, numFBConfigs * sizeof(__GLXFBConfig)); fbconfigs = config; /* Convert attribute list into our format */ From c37ceda76bf9ec6f5166122e864663e10f106546 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 14 Apr 2013 10:50:50 -0700 Subject: [PATCH 3/9] Xephyr: integer overflow in ephyrHostGLXGetStringFromServer() reply.length & reply.size are CARD32s and need to be bounds checked before multiplying or adding to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- hw/kdrive/ephyr/ephyrhostglx.c | 47 +++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/hw/kdrive/ephyr/ephyrhostglx.c b/hw/kdrive/ephyr/ephyrhostglx.c index 5c6c40f0be..90f450c600 100644 --- a/hw/kdrive/ephyr/ephyrhostglx.c +++ b/hw/kdrive/ephyr/ephyrhostglx.c @@ -137,7 +137,7 @@ ephyrHostGLXQueryVersion(int *a_major, int *a_minor) } /** - * GLX protocol structure for the ficticious "GXLGenericGetString" request. + * GLX protocol structure for the ficticious "GLXGenericGetString" request. * * This is a non-existant protocol packet. It just so happens that all of * the real protocol packets used to request a string from the server have @@ -169,7 +169,8 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, int default_screen = DefaultScreen(dpy); xGLXGenericGetStringReq *req = NULL; xGLXSingleReply reply; - int length = 0, numbytes = 0, major_opcode = 0, get_string_op = 0; + unsigned long length = 0, numbytes = 0; + int major_opcode = 0, get_string_op = 0; EPHYR_RETURN_VAL_IF_FAIL(dpy && a_string, FALSE); @@ -209,36 +210,46 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, _XReply(dpy, (xReply *) &reply, 0, False); - length = reply.length * 4; - if (!length) { - numbytes = 0; - } - else { +#if UINT32_MAX >= (ULONG_MAX / 4) + if (reply.length >= (ULONG_MAX / 4)) + goto eat_out; +#endif + if (reply.length > 0) { + length = (unsigned long) reply.length * 4; numbytes = reply.size; + if (numbytes > length) { + EPHYR_LOG_ERROR("string length %d longer than reply length %d\n", + numbytes, length); + goto eat_out; + } } EPHYR_LOG("going to get a string of size:%d\n", numbytes); - *a_string = (char *) Xmalloc(numbytes + 1); - if (!a_string) { + if (numbytes < INT_MAX) + *a_string = Xcalloc(numbytes + 1, 1); + else + *a_string = NULL; + if (*a_string == NULL) { EPHYR_LOG_ERROR("allocation failed\n"); - goto out; + goto eat_out; } - memset(*a_string, 0, numbytes + 1); if (_XRead(dpy, *a_string, numbytes)) { - UnlockDisplay(dpy); - SyncHandle(); EPHYR_LOG_ERROR("read failed\n"); - goto out; + length = 0; /* if read failed, no idea how much to eat */ } - length -= numbytes; + else { + length -= numbytes; + EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", + a_string_name, *a_string, numbytes); + is_ok = TRUE; + } + + eat_out: _XEatData(dpy, length); UnlockDisplay(dpy); SyncHandle(); - EPHYR_LOG("strname:%#x, strvalue:'%s', strlen:%d\n", - a_string_name, *a_string, numbytes); - is_ok = TRUE; out: EPHYR_LOG("leave\n"); return is_ok; From 20644e53b385c54d73242c86a7d3f981d18a3843 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Mon, 15 Apr 2013 08:39:03 -0700 Subject: [PATCH 4/9] Xephyr: integer overflow in XF86DRIOpenConnection() busIdStringLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Julien Cristau --- hw/kdrive/ephyr/XF86dri.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c index 9d742f3940..7074bc3710 100644 --- a/hw/kdrive/ephyr/XF86dri.c +++ b/hw/kdrive/ephyr/XF86dri.c @@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include #include "xf86dri.h" #include +#include static XExtensionInfo _xf86dri_info_data; static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -225,7 +226,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, } if (rep.length) { - if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) { + if (rep.busIdStringLength < INT_MAX) + *busIdString = calloc(rep.busIdStringLength + 1, 1); + else + *busIdString = NULL; + if (*busIdString == NULL) { _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); From 1cb182cbdc11fc1c97507c57875f1d2453f27328 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Mon, 15 Apr 2013 08:41:14 -0700 Subject: [PATCH 5/9] Xephyr: integer overflow in XF86DRIGetClientDriverName() clientDriverNameLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Julien Cristau --- hw/kdrive/ephyr/XF86dri.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c index 7074bc3710..9f230fc995 100644 --- a/hw/kdrive/ephyr/XF86dri.c +++ b/hw/kdrive/ephyr/XF86dri.c @@ -328,9 +328,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; if (rep.length) { - if (! - (*clientDriverName = - (char *) calloc(rep.clientDriverNameLength + 1, 1))) { + if (rep.clientDriverNameLength < INT_MAX) + *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); + else + *clientDriverName = NULL; + if (*clientDriverName == NULL) { _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); From 87b0cabc145a9b5f6faffdfb544ce1c647b8ab72 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 5 Jul 2013 22:32:10 -0700 Subject: [PATCH 6/9] glxproxy: Use _XReadPad instead of _XEatData to clean up the slop Xlib already provides a function to eat padding bytes after the data read, so use it instead of calculating it ourselves. Signed-off-by: Alan Coopersmith --- hw/dmx/glxProxy/glxcmds.c | 12 ++---------- hw/dmx/glxProxy/glxscreens.c | 7 ++----- 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/hw/dmx/glxProxy/glxcmds.c b/hw/dmx/glxProxy/glxcmds.c index 45382748fd..0e817ca073 100644 --- a/hw/dmx/glxProxy/glxcmds.c +++ b/hw/dmx/glxProxy/glxcmds.c @@ -2582,7 +2582,6 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc) xGLXQueryExtensionsStringReply be_reply; DMXScreenInfo *dmxScreen; Display *dpy; - int slop; #endif screen = req->screen; @@ -2608,16 +2607,13 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc) _XReply(dpy, (xReply *) &be_reply, 0, False); len = (int) be_reply.length; numbytes = (int) be_reply.n; - slop = numbytes * __GLX_SIZE_INT8 & 3; be_buf = (char *) malloc(numbytes); if (!be_buf) { /* Throw data on the floor */ _XEatData(dpy, len); } else { - _XRead(dpy, (char *) be_buf, numbytes); - if (slop) - _XEatData(dpy, 4 - slop); + _XReadPad(dpy, (char *) be_buf, numbytes); } UnlockDisplay(dpy); SyncHandle(); @@ -2666,7 +2662,6 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc) xGLXQueryServerStringReply be_reply; DMXScreenInfo *dmxScreen; Display *dpy; - int slop; #endif name = req->name; @@ -2693,16 +2688,13 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc) _XReply(dpy, (xReply *) &be_reply, 0, False); len = (int) be_reply.length; numbytes = (int) be_reply.n; - slop = numbytes * __GLX_SIZE_INT8 & 3; be_buf = (char *) malloc(numbytes); if (!be_buf) { /* Throw data on the floor */ _XEatData(dpy, len); } else { - _XRead(dpy, (char *) be_buf, numbytes); - if (slop) - _XEatData(dpy, 4 - slop); + _XReadPad(dpy, (char *) be_buf, numbytes); } UnlockDisplay(dpy); SyncHandle(); diff --git a/hw/dmx/glxProxy/glxscreens.c b/hw/dmx/glxProxy/glxscreens.c index 2a19092441..746d94e07c 100644 --- a/hw/dmx/glxProxy/glxscreens.c +++ b/hw/dmx/glxProxy/glxscreens.c @@ -138,7 +138,7 @@ CalcServerVersionAndExtensions(void) Display *dpy = dmxScreen->beDisplay; xGLXQueryServerStringReq *req; xGLXQueryServerStringReply reply; - int length, numbytes, slop; + int length, numbytes; /* Send the glXQueryServerString request */ LockDisplay(dpy); @@ -151,16 +151,13 @@ CalcServerVersionAndExtensions(void) length = (int) reply.length; numbytes = (int) reply.n; - slop = numbytes * __GLX_SIZE_INT8 & 3; be_extensions[s] = (char *) malloc(numbytes); if (!be_extensions[s]) { /* Throw data on the floor */ _XEatData(dpy, length); } else { - _XRead(dpy, (char *) be_extensions[s], numbytes); - if (slop) - _XEatData(dpy, 4 - slop); + _XReadPad(dpy, (char *) be_extensions[s], numbytes); } UnlockDisplay(dpy); SyncHandle(); From a3d43edf71847f4b486f971405d2b457f81b73d1 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 5 Jul 2013 22:35:32 -0700 Subject: [PATCH 7/9] glxproxy: Use _XEatDataWords (from Xlib 1.6) instead of _XEatData Reduces risk of overflow from converting length field in X replies from words to bytes. (Also seems to be what several calls were already incorrectly passing to _XEatData.) Signed-off-by: Alan Coopersmith --- configure.ac | 2 +- hw/dmx/glxProxy/glxcmds.c | 4 ++-- hw/dmx/glxProxy/glxscreens.c | 2 +- hw/dmx/glxProxy/glxsingle.c | 6 +++--- hw/dmx/glxProxy/glxvendor.c | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/configure.ac b/configure.ac index 89a7a9db90..206b9c4f44 100644 --- a/configure.ac +++ b/configure.ac @@ -2003,7 +2003,7 @@ AM_CONDITIONAL(STANDALONE_XPBPROXY, [test "x$STANDALONE_XPBPROXY" = xyes]) dnl DMX DDX PKG_CHECK_MODULES( [DMXMODULES], - [xmuu $LIBXEXT x11 xrender xfixes $LIBXI $DMXPROTO xau $XDMCP_MODULES], + [xmuu $LIBXEXT x11 >= 1.6 xrender xfixes $LIBXI $DMXPROTO xau $XDMCP_MODULES], [PKG_CHECK_MODULES( [XDMXCONFIG_DEP], [xaw7 xmu xt xpm x11], diff --git a/hw/dmx/glxProxy/glxcmds.c b/hw/dmx/glxProxy/glxcmds.c index 0e817ca073..8cdb25ec6e 100644 --- a/hw/dmx/glxProxy/glxcmds.c +++ b/hw/dmx/glxProxy/glxcmds.c @@ -2610,7 +2610,7 @@ __glXQueryExtensionsString(__GLXclientState * cl, GLbyte * pc) be_buf = (char *) malloc(numbytes); if (!be_buf) { /* Throw data on the floor */ - _XEatData(dpy, len); + _XEatDataWords(dpy, len); } else { _XReadPad(dpy, (char *) be_buf, numbytes); @@ -2691,7 +2691,7 @@ __glXQueryServerString(__GLXclientState * cl, GLbyte * pc) be_buf = (char *) malloc(numbytes); if (!be_buf) { /* Throw data on the floor */ - _XEatData(dpy, len); + _XEatDataWords(dpy, len); } else { _XReadPad(dpy, (char *) be_buf, numbytes); diff --git a/hw/dmx/glxProxy/glxscreens.c b/hw/dmx/glxProxy/glxscreens.c index 746d94e07c..138afedf28 100644 --- a/hw/dmx/glxProxy/glxscreens.c +++ b/hw/dmx/glxProxy/glxscreens.c @@ -154,7 +154,7 @@ CalcServerVersionAndExtensions(void) be_extensions[s] = (char *) malloc(numbytes); if (!be_extensions[s]) { /* Throw data on the floor */ - _XEatData(dpy, length); + _XEatDataWords(dpy, length); } else { _XReadPad(dpy, (char *) be_extensions[s], numbytes); diff --git a/hw/dmx/glxProxy/glxsingle.c b/hw/dmx/glxProxy/glxsingle.c index e60cfeb708..abfb880a34 100644 --- a/hw/dmx/glxProxy/glxsingle.c +++ b/hw/dmx/glxProxy/glxsingle.c @@ -258,7 +258,7 @@ __glXForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } @@ -357,7 +357,7 @@ __glXForwardAllWithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } @@ -993,7 +993,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); free(buf); return BadAlloc; } diff --git a/hw/dmx/glxProxy/glxvendor.c b/hw/dmx/glxProxy/glxvendor.c index 5777c6acc5..50d505c4b3 100644 --- a/hw/dmx/glxProxy/glxvendor.c +++ b/hw/dmx/glxProxy/glxvendor.c @@ -246,7 +246,7 @@ __glXVForwardPipe0WithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } @@ -340,7 +340,7 @@ __glXVForwardAllWithReply(__GLXclientState * cl, GLbyte * pc) } else { /* Throw data on the floor */ - _XEatData(dpy, be_buf_size); + _XEatDataWords(dpy, be_reply.length); return BadAlloc; } } From ddc52b9cbae017f04c7a232af4e8b16c9f96823d Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 5 Jul 2013 22:43:17 -0700 Subject: [PATCH 8/9] Xephyr: Use _XEatDataWords (from Xlib 1.6) instead of _XEatData Simplifies code and reduces risk of overflow from converting length field in X replies from words to bytes. One call to _XEatData is left in ephyrHostGLXGetStringFromServer where it's already been checked for overflow, and other values have been subtracted from it to reduce the size of data remaining to be eaten. Signed-off-by: Alan Coopersmith --- configure.ac | 2 +- hw/kdrive/ephyr/XF86dri.c | 8 ++++---- hw/kdrive/ephyr/ephyrhostglx.c | 4 +++- hw/kdrive/ephyr/ephyrhostvideo.c | 2 +- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 206b9c4f44..75281f001a 100644 --- a/configure.ac +++ b/configure.ac @@ -2112,7 +2112,7 @@ if test "$KDRIVE" = yes; then AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver]) fi - XEPHYR_REQUIRED_LIBS="x11 $LIBXEXT xau xdmcp" + XEPHYR_REQUIRED_LIBS="x11 >= 1.6 $LIBXEXT xau xdmcp" if test "x$XV" = xyes; then XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xv" fi diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c index 9f230fc995..15b62191f5 100644 --- a/hw/kdrive/ephyr/XF86dri.c +++ b/hw/kdrive/ephyr/XF86dri.c @@ -231,7 +231,7 @@ XF86DRIOpenConnection(Display * dpy, int screen, else *busIdString = NULL; if (*busIdString == NULL) { - _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("OpenConnection... return False"); @@ -333,7 +333,7 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, else *clientDriverName = NULL; if (*clientDriverName == NULL) { - _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetClientDriverName... return False"); @@ -539,7 +539,7 @@ XF86DRIGetDrawableInfo(Display * dpy, int screen, Drawable drawable, SIZEOF(xGenericReply) + total_rects * sizeof(drm_clip_rect_t)) + 3) & ~3) >> 2)) { - _XEatData(dpy, rep.length); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetDrawableInfo... return False"); @@ -613,7 +613,7 @@ XF86DRIGetDeviceInfo(Display * dpy, int screen, drm_handle_t * hFrameBuffer, if (rep.length) { if (!(*pDevPrivate = (void *) calloc(rep.devPrivateSize, 1))) { - _XEatData(dpy, ((rep.devPrivateSize + 3) & ~3)); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); TRACE("GetDeviceInfo... return False"); diff --git a/hw/kdrive/ephyr/ephyrhostglx.c b/hw/kdrive/ephyr/ephyrhostglx.c index 90f450c600..6a4392feec 100644 --- a/hw/kdrive/ephyr/ephyrhostglx.c +++ b/hw/kdrive/ephyr/ephyrhostglx.c @@ -211,8 +211,10 @@ ephyrHostGLXGetStringFromServer(int a_screen_number, _XReply(dpy, (xReply *) &reply, 0, False); #if UINT32_MAX >= (ULONG_MAX / 4) - if (reply.length >= (ULONG_MAX / 4)) + if (reply.length >= (ULONG_MAX / 4)) { + _XEatDataWords(dpy, reply.length); goto eat_out; + } #endif if (reply.length > 0) { length = (unsigned long) reply.length * 4; diff --git a/hw/kdrive/ephyr/ephyrhostvideo.c b/hw/kdrive/ephyr/ephyrhostvideo.c index 362aa055e4..05e9ad9f55 100644 --- a/hw/kdrive/ephyr/ephyrhostvideo.c +++ b/hw/kdrive/ephyr/ephyrhostvideo.c @@ -677,7 +677,7 @@ ephyrHostXVQueryImageAttributes(int a_port_id, _XRead(dpy, (char *) a_offsets, rep.num_planes << 2); } else { - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } *a_width = rep.width; *a_height = rep.height; From 33f7e60785f12770ce10558c2ca7ce1323eefc59 Mon Sep 17 00:00:00 2001 From: Thomas Klausner Date: Fri, 12 Jul 2013 08:21:19 +0200 Subject: [PATCH 9/9] Fix typo in header guard. Signed-off-by: Thomas Klausner Reviewed-by: Alan Coopersmith Signed-off-by: Alan Coopersmith --- hw/xnest/Args.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/xnest/Args.h b/hw/xnest/Args.h index 514a39513a..225418d22e 100644 --- a/hw/xnest/Args.h +++ b/hw/xnest/Args.h @@ -12,7 +12,7 @@ is" without express or implied warranty. */ -#ifndef XNESTARGC_H +#ifndef XNESTARGS_H #define XNESTARGS_H extern char *xnestDisplayName;