summaryrefslogtreecommitdiff
path: root/src/XSync.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/XSync.c')
-rw-r--r--src/XSync.c32
1 files changed, 25 insertions, 7 deletions
diff --git a/src/XSync.c b/src/XSync.c
index 3ca1308..ce4ab44 100644
--- a/src/XSync.c
+++ b/src/XSync.c
@@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/extutil.h>
#include <X11/extensions/sync.h>
#include <X11/extensions/syncproto.h>
+#include <limits.h>
#include "eat.h"
static XExtensionInfo _sync_info_data;
@@ -352,19 +353,28 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
if (rep.nCounters > 0)
{
xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter;
+ xSyncSystemCounter *pLastWireSysCounter;
XSyncCounter counter;
- int replylen;
+ unsigned int replylen;
int i;
- list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
- replylen = rep.length << 2;
- pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter));
- /* +1 to leave room for last counter read-ahead */
+ if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter)))
+ list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
+ if (rep.length < (INT_MAX >> 2)) {
+ replylen = rep.length << 2;
+ pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter));
+ /* +1 to leave room for last counter read-ahead */
+ pLastWireSysCounter = (xSyncSystemCounter *)
+ ((char *)pWireSysCounter) + replylen;
+ } else {
+ replylen = 0;
+ pWireSysCounter = NULL;
+ }
if ((!list) || (!pWireSysCounter))
{
- if (list) Xfree((char *) list);
- if (pWireSysCounter) Xfree((char *) pWireSysCounter);
+ Xfree(list);
+ Xfree(pWireSysCounter);
_XEatDataWords(dpy, rep.length);
list = NULL;
goto bail;
@@ -388,6 +398,14 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
pNextWireSysCounter = (xSyncSystemCounter *)
(((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) +
pWireSysCounter->name_length + 3) & ~3));
+ /* Make sure we haven't gone too far */
+ if (pNextWireSysCounter > pLastWireSysCounter) {
+ Xfree(list);
+ Xfree(pWireSysCounter);
+ list = NULL;
+ goto bail;
+ }
+
counter = pNextWireSysCounter->counter;
list[i].name = ((char *)pWireSysCounter) +
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-13 00:40:41 +0000