Fix overflow of ConnectionOutput->size and ->count
When (long) is larger than (int), and when realloc succeeds with sizes larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count overflow and become negative. When ConnectionOutput->count is negative, InsertIOV does not actually insert an IOV, and FlushClient goes into an infinite loop of writev(fd, iov, 0) [an empty list]. Avoid this situation by killing the client when it has more than INT_MAX unread bytes of data. Signed-off-by: Peter Harris <pharris@opentext.com> Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Keith Packard <keithp@keithp.com>
parent
802932d112
commit
4b0d0df34f
7
os/io.c
7
os/io.c
|
@ -971,10 +971,11 @@ FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
|
|||
}
|
||||
|
||||
if (notWritten > oco->size) {
|
||||
unsigned char *obuf;
|
||||
unsigned char *obuf = NULL;
|
||||
|
||||
obuf = (unsigned char *) realloc(oco->buf,
|
||||
notWritten + BUFSIZE);
|
||||
if (notWritten + BUFSIZE <= INT_MAX) {
|
||||
obuf = realloc(oco->buf, notWritten + BUFSIZE);
|
||||
}
|
||||
if (!obuf) {
|
||||
_XSERVTransDisconnect(oc->trans_conn);
|
||||
_XSERVTransClose(oc->trans_conn);
|
||||
|
|
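Review bot: The new guard `if (notWritten + BUFSIZE <= INT_MAX) {` does the addition before the comparison, so it only works if notWritten is wider than int. Its declaration is outside the hunk, but the commit message suggests it is a long; on targets where long and int have the same width the sum can itself overflow (undefined for signed types), and the guard would then not reliably reject the oversized request. Writing it as `if (notWritten <= INT_MAX - BUFSIZE) {` keeps the same limit without an addition that can wrap. A one-line comment such as `/* oco->size and oco->count are int: never grow the buffer past INT_MAX, drop the client instead */` would record why the cap exists. FlushClient starts and continues outside this hunk, so the later update of oco->size is not visible here.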