From 73e77eb21d649edc1ce1746739f9358e337b2935 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 3 May 2013 22:48:11 -0700
Subject: Use _XEatDataWords to avoid overflow of rep.length bit shifting

rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

Signed-off-by: Alan Coopersmith
---
 configure.ac | 6 ++++++
 src/Filter.c | 2 +-
 src/Xrender.c | 4 ++--
 src/Xrenderint.h | 14 ++++++++++++++
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 19dce7a..7c2496c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,12 @@ AC_SUBST(RENDER_VERSION)
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(RENDER, x11 renderproto >= $RENDER_VERSION)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$RENDER_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile src/Makefile xrender.pc])
diff --git a/src/Filter.c b/src/Filter.c
index 5fe9df9..924b2a3 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -79,7 +79,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 if (!filters)
 {
- _XEatData (dpy, (unsigned long) rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay (dpy);
 SyncHandle ();
 return NULL;
diff --git a/src/Xrender.c b/src/Xrender.c
index 769503a..5c8e5f5 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -475,7 +475,7 @@ XRenderQueryFormats (Display *dpy)
 {
 if (xri) Xfree (xri);
 if (xData) Xfree (xData);
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
 UnlockDisplay (dpy);
 SyncHandle ();
 return 0;
@@ -859,7 +859,7 @@ XRenderQueryPictIndexValues(Display *dpy,
 values = (XIndexValue *)Xmalloc (rlength);
 if (!values)
 {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
 UnlockDisplay (dpy);
 SyncHandle ();
 return NULL;
diff --git a/src/Xrenderint.h b/src/Xrenderint.h
index 57b13da..daaa6fe 100644
--- a/src/Xrenderint.h
+++ b/src/Xrenderint.h
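Review bot: `AC_CHECK_FUNCS([_XEatDataWords])` in the configure.ac hunk only proves that the symbol links; it does not prove that the installed Xlib headers declare it. With a patched library and unpatched headers, which is the case the added comment describes, `HAVE__XEATDATAWORDS` would be defined and the inline fallback in src/Xrenderint.h skipped, so the calls would presumably compile against an implicit declaration and `rep.length` would be passed without conversion to `unsigned long`. I would also test for the prototype, for example `AC_CHECK_DECLS([_XEatDataWords], [], [], [[#include <X11/Xlibint.h>]])`, and key the fallback on both results. The fallback also only works if config.h is included before the `#ifndef HAVE__XEATDATAWORDS` test, which is not visible in this patch.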
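Review bot: `nbytes` in the XRenderQueryFormats hunk (line 475) is still computed outside the hunk, and only the failure path stops using it. If it remains a shift of `rep.length` into a 32-bit type, any later read that uses it has the same wrap this commit removes from the drain call. The same applies to the XRenderQueryPictIndexValues hunk (line 859), where `Xmalloc (rlength)` takes a size derived outside the hunk, presumably from reply fields. I would reject oversized replies before sizing anything, e.g. `if (rep.length >= (INT_MAX >> 2)) { /* drain with _XEatDataWords and fail */ }`, and bound `rlength` against the reply length before the allocation. Both function bodies start and end outside the hunks, so this is inferred from the names rather than visible.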
@@ -109,4 +109,18 @@ XRenderFindDisplay (Display *dpy);
 #define DataInt32(dpy,d,len) Data(dpy,(char *) (d),len)
 #endif
+#ifndef HAVE__XEATDATAWORDS
+#include /* for LONG64 on 64-bit platforms */
+#include
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
+
 #endif /* _XRENDERINT_H_ */
-- cgit v1.2.3
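Review bot: The fallback `_XEatDataWords` is only safe if `_XIOError` never returns, because otherwise control falls through to `_XEatData (dpy, n << 2)` with the wrapped byte count. Xlib treats that call as fatal as far as I know, but nothing in this header says so. I would state the dependency above the check, e.g. `/* n counts 4-byte words; _XIOError() does not return, so the shift below cannot wrap */`, or add an explicit `return;` after the call so the guard holds regardless. It would also help to say why the check is compiled only when `LONG64` is undefined, presumably because a CARD32 word count cannot overflow a 64-bit `unsigned long`.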