[PATCH:libXdmcp 4/4] Also reject requests to allocate negative sized amounts of memory
Alan Coopersmith
alan.coopersmith at oracle.com
Fri Sep 27 21:48:03 PDT 2013
Since the API is defined with size as a signed int, deal with it.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
Array.c | 16 ++++++++--------
test/Array.c | 4 ++++
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/Array.c b/Array.c
index cb57d89..6b9b617 100644
--- a/Array.c
+++ b/Array.c
@@ -65,7 +65,7 @@ int
XdmcpAllocARRAY8 (ARRAY8Ptr array, int length)
{
/* length defined in ARRAY8 struct is a CARD16 (not CARD8 like the rest) */
- if (length > UINT16_MAX)
+ if ((length > UINT16_MAX) || (length < 0))
array->data = NULL;
else
array->data = xmalloc(length * sizeof (CARD8));
@@ -82,7 +82,7 @@ int
XdmcpAllocARRAY16 (ARRAY16Ptr array, int length)
{
/* length defined in ARRAY16 struct is a CARD8 */
- if (length > UINT8_MAX)
+ if ((length > UINT8_MAX) || (length < 0))
array->data = NULL;
else
array->data = xmalloc(length * sizeof (CARD16));
@@ -99,7 +99,7 @@ int
XdmcpAllocARRAY32 (ARRAY32Ptr array, int length)
{
/* length defined in ARRAY32 struct is a CARD8 */
- if (length > UINT8_MAX)
+ if ((length > UINT8_MAX) || (length < 0))
array->data = NULL;
else
array->data = xmalloc(length * sizeof (CARD32));
@@ -116,7 +116,7 @@ int
XdmcpAllocARRAYofARRAY8 (ARRAYofARRAY8Ptr array, int length)
{
/* length defined in ARRAYofARRAY8 struct is a CARD8 */
- if (length > UINT8_MAX)
+ if ((length > UINT8_MAX) || (length < 0))
array->data = NULL;
else
/*
@@ -159,7 +159,7 @@ XdmcpReallocARRAY8 (ARRAY8Ptr array, int length)
CARD8Ptr newData;
/* length defined in ARRAY8 struct is a CARD16 (not CARD8 like the rest) */
- if (length > UINT16_MAX)
+ if ((length > UINT16_MAX) || (length < 0))
return FALSE;
newData = (CARD8Ptr) xrealloc(array->data, length * sizeof (CARD8));
@@ -176,7 +176,7 @@ XdmcpReallocARRAYofARRAY8 (ARRAYofARRAY8Ptr array, int length)
ARRAY8Ptr newData;
/* length defined in ARRAYofARRAY8 struct is a CARD8 */
- if (length > UINT8_MAX)
+ if ((length > UINT8_MAX) || (length < 0))
return FALSE;
newData = (ARRAY8Ptr) xrealloc(array->data, length * sizeof (ARRAY8));
@@ -196,7 +196,7 @@ XdmcpReallocARRAY16 (ARRAY16Ptr array, int length)
CARD16Ptr newData;
/* length defined in ARRAY16 struct is a CARD8 */
- if (length > UINT8_MAX)
+ if ((length > UINT8_MAX) || (length < 0))
return FALSE;
newData = (CARD16Ptr) xrealloc(array->data, length * sizeof (CARD16));
if (!newData)
@@ -212,7 +212,7 @@ XdmcpReallocARRAY32 (ARRAY32Ptr array, int length)
CARD32Ptr newData;
/* length defined in ARRAY32 struct is a CARD8 */
- if (length > UINT8_MAX)
+ if ((length > UINT8_MAX) || (length < 0))
return FALSE;
newData = (CARD32Ptr) xrealloc(array->data, length * sizeof (CARD32));
diff --git a/test/Array.c b/test/Array.c
index b246ba8..786fade 100644
--- a/test/Array.c
+++ b/test/Array.c
@@ -52,6 +52,10 @@ TestAllocOversizeArrays(void)
TestAllocOversize(ARRAY16, UINT8_MAX + 1);
TestAllocOversize(ARRAY32, UINT8_MAX + 1);
TestAllocOversize(ARRAYofARRAY8, UINT8_MAX + 1);
+ TestAllocOversize(ARRAY8, -1);
+ TestAllocOversize(ARRAY16, -1);
+ TestAllocOversize(ARRAY32, -1);
+ TestAllocOversize(ARRAYofARRAY8, -1);
}
static void
--
1.7.9.2
More information about the xorg-devel
mailing list