Fix overflow of ConnectionOutput->size and ->count

When (long) is larger than (int), and when realloc succeeds with sizes
larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count
overflow and become negative.

When ConnectionOutput->count is negative, InsertIOV does not actually
insert an IOV, and FlushClient goes into an infinite loop of writev(fd,
iov, 0) [an empty list].

Avoid this situation by killing the client when it has more than INT_MAX
unread bytes of data.

Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Peter Harris 2014-11-17 14:31:24 -05:00 committed by Keith Packard
parent 802932d112
commit 4b0d0df34f
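The commit message describes the failure mode (a buffer grown past INT_MAX leaves int-sized size/count fields negative) and the chosen mitigation (refuse the growth and drop the client). The following is an added illustration, not code from the xorg-server tree: a hypothetical output-buffer structure with int-typed size/count fields, a growth routine modelled on the patched path, and the guard written in subtraction form so the check itself cannot overflow. The BUFSIZE value, the struct and the function names are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed value for illustration only; the server's real constant may differ. */
#define BUFSIZE 4096

/* Hypothetical stand-in for ConnectionOutput: size and count are int,
 * so any allocation larger than INT_MAX cannot be represented in them. */
struct output {
    unsigned char *buf;
    int size;   /* bytes allocated */
    int count;  /* bytes buffered and not yet written */
};

/* Guard written as a subtraction: it bounds the request without ever
 * computing not_written + BUFSIZE, so it is safe even on platforms where
 * long is no wider than int. Also rejects negative requests. */
static bool grow_fits(long not_written)
{
    return not_written >= 0 && not_written <= INT_MAX - BUFSIZE;
}

/* Grow the buffer so it can hold not_written bytes plus BUFSIZE of slack.
 * Returns 0 on success and -1 if the request would push the int-sized
 * fields past INT_MAX or realloc fails; the caller is expected to drop
 * the client in that case, as the patch does. The buffer is untouched
 * on failure. */
static int grow_output(struct output *oco, long not_written)
{
    if (!grow_fits(not_written))
        return -1;
    unsigned char *obuf = realloc(oco->buf, (size_t)not_written + BUFSIZE);
    if (!obuf)
        return -1;
    oco->buf = obuf;
    oco->size = (int)(not_written + BUFSIZE); /* fits: guarded above */
    return 0;
}

int main(void)
{
    struct output oco = { NULL, 0, 0 };
    printf("small grow: %d (size %d)\n", grow_output(&oco, 100), oco.size);
    printf("oversize grow: %d (size still %d)\n",
           grow_output(&oco, (long)INT_MAX), oco.size);
    free(oco.buf);
    return 0;
}
```

The first call succeeds and sets size to 100 + BUFSIZE; the second is refused before realloc is ever called, leaving the existing buffer and its size field intact.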

@ -971,10 +971,11 @@ FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
}
if (notWritten > oco->size) {
unsigned char *obuf;
unsigned char *obuf = NULL;
obuf = (unsigned char *) realloc(oco->buf,
notWritten + BUFSIZE);
if (notWritten + BUFSIZE <= INT_MAX) {
obuf = realloc(oco->buf, notWritten + BUFSIZE);
}
if (!obuf) {
_XSERVTransDisconnect(oc->trans_conn);
_XSERVTransClose(oc->trans_conn);
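Review bot: the new guard `if (notWritten + BUFSIZE <= INT_MAX)` performs the addition before comparing, so on a platform where notWritten's type is no wider than int (the long-equals-int case the commit message itself distinguishes from the LP64 one) the sum can overflow before it is ever checked; writing it as `if (notWritten <= INT_MAX - BUFSIZE)` gives the same bound without the addition. Leaving obuf NULL so that the existing `if (!obuf)` disconnect path fires is a compact way to kill the client, but a one-line comment on the skipped realloc saying the NULL is deliberate would spare the next reader from reading it as an uninitialised-pointer bug.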