summaryrefslogtreecommitdiff
path: root/src/XGetFCtl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/XGetFCtl.c')
-rw-r--r--src/XGetFCtl.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
index 7fd6d0e..82dcc64 100644
--- a/src/XGetFCtl.c
+++ b/src/XGetFCtl.c
@@ -73,6 +73,7 @@ XGetFeedbackControl(
XFeedbackState *Sav = NULL;
xFeedbackState *f = NULL;
xFeedbackState *sav = NULL;
+ char *end = NULL;
xGetFeedbackControlReq *req;
xGetFeedbackControlReply rep;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -105,10 +106,12 @@ XGetFeedbackControl(
goto out;
}
sav = f;
+ end = (char *)f + nbytes;
_XRead(dpy, (char *)f, nbytes);
for (i = 0; i < *num_feedbacks; i++) {
- if (f->length > nbytes)
+ if ((char *)f + sizeof(*f) > end ||
+ f->length == 0 || f->length > nbytes)
goto out;
nbytes -= f->length;
@@ -125,6 +128,8 @@ XGetFeedbackControl(
case StringFeedbackClass:
{
xStringFeedbackState *strf = (xStringFeedbackState *) f;
+ if ((char *)f + sizeof(*strf) > end)
+ goto out;
size += sizeof(XStringFeedbackState) +
(strf->num_syms_supported * sizeof(KeySym));
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-04-24 12:23:57 +0000