Merge from upstream X.Org : Fix size calculation in _XimAttributeToValue

The check here guards the read below. For `XimType_XIMStyles`, these are `num` of `CARD32` and for `XimType_XIMHotKeyTriggers` these are `num` of `XIMTRIGGERKEY` ref[1] which is defined as 3 x `CARD32`. (There are data after the `XIMTRIGGERKEY` according to the spec but they are not read by this function and doesn't need to be checked.) The old code here used the native datatype size instead of the wire protocol size causing the check to always fail. Also fix the size calculation for the header (size). It is 2 x CARD16 for both types despite the unused `CARD16` for `XimType_XIMStyles`. This fixes a regression caused by previous commit.
2020-08-06 14:28:54 +00:00 · 2020-08-06 14:28:54 +00:00 · 4c672aa51a
commit 4c672aa51a
parent 044da0a592
1 changed files with 2 additions and 2 deletions
--- a/lib/libX11/modules/im/ximcp/imRmAttr.c
+++ b/lib/libX11/modules/im/ximcp/imRmAttr.c
@ -265,7 +265,7 @@ _XimAttributeToValue(

 	    if (num > (USHRT_MAX / sizeof(XIMStyle)))
 		return False;
-	    if ((sizeof(num) + (num * sizeof(XIMStyle))) > data_len)
+	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
 		return False;
 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
 	    if (alloc_len < sizeof(XIMStyles))
@ -379,7 +379,7 @@ _XimAttributeToValue(

 	    if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
 		return False;
-	    if ((sizeof(num) + (num * sizeof(XIMHotKeyTrigger))) > data_len)
+	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
 		return False;
 	    alloc_len = sizeof(XIMHotKeyTriggers)
 		      + sizeof(XIMHotKeyTrigger) * num;