Tighten out-of-range comparisons.

[For all of these, LONG_MAX was the correct value to prevent overflows for the recent CVEs. Lowering to INT_MAX catches buggy replies from the server that 32-bit clients would reject but 64-bit would accept, so we catch bugs sooner, and really, no sane & working server should ever report more than 2gb of extension names, font path entries, key modifier maps, etc. -alan- ] Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

Tighten out-of-range comparisons.
39c6e5aa · Thomas Klausner · Ulrich Sibiller · ac3d2625 · 39c6e5aa · 39c6e5aa
Commit 39c6e5aa authored Jun 25, 2013 by Thomas Klausner Committed by Ulrich Sibiller Oct 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

FontNames.c nx-X11/lib/X11/FontNames.c +1 -1

GetFPath.c nx-X11/lib/X11/GetFPath.c +1 -1

ListExt.c nx-X11/lib/X11/ListExt.c +1 -1

ModMap.c nx-X11/lib/X11/ModMap.c +1 -1

No files found.
--- a/nx-X11/lib/X11/FontNames.c
+++ b/nx-X11/lib/X11/FontNames.c
@@ -66,7 +66,7 @@ int *actualCount)	/* RETURN */

    if (rep.nFonts) {
 	flist = Xmalloc (rep.nFonts * sizeof(char *));
-	if (rep.length < (LONG_MAX >> 2)) {
+	if (rep.length < (INT_MAX >> 2)) {
 	    rlen = rep.length << 2;
 	    ch = Xmalloc(rlen + 1);
 	    /* +1 to leave room for last null-terminator */

--- a/nx-X11/lib/X11/GetFPath.c
+++ b/nx-X11/lib/X11/GetFPath.c
@@ -50,7 +50,7 @@ char **XGetFontPath(

 	if (rep.nPaths) {
 	    flist = Xmalloc(rep.nPaths * sizeof (char *));
-	    if (rep.length < (LONG_MAX >> 2)) {
+	    if (rep.length < (INT_MAX >> 2)) {
 		nbytes = (unsigned long) rep.length << 2;
 		ch = Xmalloc (nbytes + 1);
                /* +1 to leave room for last null-terminator */

--- a/nx-X11/lib/X11/ListExt.c
+++ b/nx-X11/lib/X11/ListExt.c
@@ -55,7 +55,7 @@ char **XListExtensions(

 	if (rep.nExtensions) {
 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
-	    if (rep.length < (LONG_MAX >> 2)) {
+	    if (rep.length < (INT_MAX >> 2)) {
 		rlen = rep.length << 2;
 		ch = Xmalloc (rlen + 1);
                /* +1 to leave room for last null-terminator */

--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -42,7 +42,7 @@ XGetModifierMapping(register Display *dpy)
    GetEmptyReq(GetModifierMapping, req);
    (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);

-    if (rep.length < (LONG_MAX >> 2)) {
+    if (rep.length < (INT_MAX >> 2)) {
 	nbytes = (unsigned long)rep.length << 2;
 	res = Xmalloc(sizeof (XModifierKeymap));
 	if (res)