diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 896233bec..2f22e64f6 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -332,7 +332,9 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
 if ((stuff->grab_type == XIGrabtypeEnter ||
 stuff->grab_type == XIGrabtypeFocusIn ||
- stuff->grab_type == XIGrabtypeTouchBegin) && stuff->detail != 0) {
+ stuff->grab_type == XIGrabtypeTouchBegin ||
+ stuff->grab_type == XIGrabtypeGesturePinchBegin ||
+ stuff->grab_type == XIGrabtypeGestureSwipeBegin) && stuff->detail != 0) {
 client->errorValue = stuff->detail;
 return BadValue;
 }
diff --git a/glx/single2.c b/glx/single2.c
index 36a01f0cb..948d00f1d 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -61,6 +61,10 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 pc += __GLX_SINGLE_HDR_SIZE;
 size = *(GLsizei *) (pc + 0);
 type = *(GLenum *) (pc + 4);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->feedbackBufSize < size) {
 cx->feedbackBuf = reallocarray(cx->feedbackBuf, (size_t) size, __GLX_SIZE_FLOAT32);
@@ -91,6 +95,10 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 pc += __GLX_SINGLE_HDR_SIZE;
 size = *(GLsizei *) (pc + 0);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->selectBufSize < size) {
 cx->selectBuf = reallocarray(cx->selectBuf, (size_t) size, __GLX_SIZE_CARD32);
diff --git a/glx/single2swap.c b/glx/single2swap.c
index b140946ba..fdc093900 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -62,6 +62,10 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
 __GLX_SWAP_INT(pc + 4);
 size = *(GLsizei *) (pc + 0);
 type = *(GLenum *) (pc + 4);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->feedbackBufSize < size) {
 cx->feedbackBuf = reallocarray(cx->feedbackBuf, (size_t) size, __GLX_SIZE_FLOAT32);
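Review bot: The new `size < 0` guard in __glXDisp_FeedbackBuffer has no comment explaining why it must come before the `cx->feedbackBufSize < size` comparison and the `(size_t) size` cast. Since `size` is read directly from the request buffer, a short comment such as `/* size comes straight from the request; reject negatives before it is compared and cast to size_t */` would tell the next reader that the order matters. The same four-line guard is repeated in __glXDisp_SelectBuffer, __glXDispSwap_FeedbackBuffer and __glXDispSwap_SelectBuffer, and the comment applies there too. No upper bound is applied to `size` in the visible lines, so a large positive value relies on `reallocarray` failing cleanly; the handling of that failure is outside the hunk.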
@@ -96,6 +100,10 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
 pc += __GLX_SINGLE_HDR_SIZE;
 __GLX_SWAP_INT(pc + 0);
 size = *(GLsizei *) (pc + 0);
+ if (size < 0) {
+ cl->client->errorValue = size;
+ return BadValue;
+ }
 if (cx->selectBufSize < size) {
 cx->selectBuf = reallocarray(cx->selectBuf, (size_t) size, __GLX_SIZE_CARD32);
diff --git a/present/present_notify.c b/present/present_notify.c
index 00b3b68bd..531b949b6 100644
--- a/present/present_notify.c
+++ b/present/present_notify.c
@@ -92,6 +92,8 @@ present_create_notifies(ClientPtr client, int num_notifies, xPresentNotify *x_no
 added++;
 }
+
+ *p_notifies = notifies;
 return Success;
 bail:
diff --git a/xkb/XKBGAlloc.c b/xkb/XKBGAlloc.c
index f0cda24fe..9b71f6121 100644
--- a/xkb/XKBGAlloc.c
+++ b/xkb/XKBGAlloc.c
@@ -769,7 +769,7 @@ XkbAddGeomDoodad(XkbGeometryPtr geom, XkbSectionPtr section, Atom name)
 return doodad;
 }
 if (section) {
- if ((section->num_doodads >= geom->sz_doodads) &&
+ if ((section->num_doodads >= section->sz_doodads) &&
 (_XkbAllocDoodads(section, 1) != Success)) {
 return NULL;
 }
diff --git a/xkb/xkb.c b/xkb/xkb.c
index 0493210e8..c389448e4 100644
--- a/xkb/xkb.c
+++ b/xkb/xkb.c
@@ -1857,6 +1857,11 @@ CheckKeyActions(ClientPtr client,
 if (req->nKeyActs % 4)
 wire += 4 - (req->nKeyActs % 4);
 *wireRtrn = (CARD8 *) (((XkbAnyAction *) wire) + nActs);
+ if (nActs > 0 &&
+ !_XkbCheckRequestBounds(client, req, wire, *wireRtrn)) {
+ *nActsRtrn = _XkbErrCode2(0x25, nActs);
+ return 0;
+ }
 *nActsRtrn = nActs;
 return 1;
 }
@@ -5357,6 +5362,8 @@ _CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
 }
 CHK_ATOM_ONLY(olWire->name);
 ol = XkbAddGeomOverlay(section, olWire->name, olWire->nRows);
+ if (!ol)
+ return BadAlloc;
 rWire = (xkbOverlayRowWireDesc *) &olWire[1];
 for (r = 0; r < olWire->nRows; r++) {
 register int k;
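Review bot: In present_create_notifies, `*p_notifies` is written only by the new assignment before `return Success;`, so on the `bail:` path the caller's pointer keeps whatever value it had before the call. If any caller reads it after a failure, either set `*p_notifies = NULL;` near the top of the function or document that the out-parameter is unspecified on error. The body of `bail:` and the start of the function are outside the hunk, so this may already be handled there.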
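Review bot: In CheckKeyActions the end pointer is stored into `*wireRtrn` before `_XkbCheckRequestBounds` validates it, so on the new failure path the caller's out-parameter already holds a pointer past the request. Compute it into a local first, `CARD8 *end = (CARD8 *) (((XkbAnyAction *) wire) + nActs);`, pass `end` to the bounds check, and assign `*wireRtrn = end;` only on success. The `nActs > 0` condition also means that the padding advance of `wire` just above is not checked when there are no actions; whether an earlier check covers that case is outside the hunk, as is the start of the function.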
@@ -5366,12 +5373,14 @@ _CheckSetOverlay(char **wire_inout, xkbSetGeometryReq *req,
 if (!_XkbCheckRequestBounds(client, req, rWire, rWire + 1))
 return BadLength;
- if (rWire->rowUnder > section->num_rows) {
+ if (rWire->rowUnder >= section->num_rows) {
 client->errorValue = _XkbErrCode4(0x20, r, section->num_rows, rWire->rowUnder);
 return BadMatch;
 }
 row = XkbAddGeomOverlayRow(ol, rWire->rowUnder, rWire->nKeys);
+ if (!row)
+ return BadAlloc;
 kWire = (xkbOverlayKeyWireDesc *) &rWire[1];
 for (k = 0; k < rWire->nKeys; k++, kWire++) {
 if (!_XkbCheckRequestBounds(client, req, kWire, kWire + 1))
@@ -5561,10 +5570,22 @@ _CheckSetShapes(XkbGeometryPtr geom,
 ol->num_points = olWire->nPoints;
 olWire = (xkbOutlineWireDesc *)ptWire;
 }
- if (shapeWire->primaryNdx != XkbNoShape)
+ if (shapeWire->primaryNdx != XkbNoShape) {
+ if (shapeWire->primaryNdx >= shapeWire->nOutlines) {
+ client->errorValue = _XkbErrCode3(0x08, shapeWire->primaryNdx,
+ shapeWire->nOutlines);
+ return BadValue;
+ }
 shape->primary = &shape->outlines[shapeWire->primaryNdx];
- if (shapeWire->approxNdx != XkbNoShape)
+ }
+ if (shapeWire->approxNdx != XkbNoShape) {
+ if (shapeWire->approxNdx >= shapeWire->nOutlines) {
+ client->errorValue = _XkbErrCode3(0x08, shapeWire->approxNdx,
+ shapeWire->nOutlines);
+ return BadValue;
+ }
 shape->approx = &shape->outlines[shapeWire->approxNdx];
+ }
 shapeWire = (xkbShapeWireDesc *) olWire;
 }
 wire = (char *) shapeWire;
@@ -5614,12 +5635,12 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
 client->errorValue = _XkbErrCode3(0x01, 2, req->nColors);
 return BadValue;
 }
- if (req->baseColorNdx > req->nColors) {
+ if (req->baseColorNdx >= req->nColors) {
 client->errorValue = _XkbErrCode3(0x03, req->nColors, req->baseColorNdx);
 return BadMatch;
 }
- if (req->labelColorNdx > req->nColors) {
+ if (req->labelColorNdx >= req->nColors) {
 client->errorValue = _XkbErrCode3(0x03, req->nColors, req->labelColorNdx);
 return BadMatch;
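Review bot: Both new index checks in _CheckSetShapes bound `primaryNdx` and `approxNdx` by the wire count `shapeWire->nOutlines`, while the array actually indexed is `shape->outlines`. Comparing against the allocated count instead, `if (shapeWire->primaryNdx >= shape->num_outlines) {` and likewise for `approxNdx`, keeps the check valid even if fewer outlines were added than the request announced. The loop that adds the outlines is only partly visible in the hunk, so the two counts may always agree in practice. The two branches also report the same error code 0x08, so a client cannot tell which index was rejected.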
diff --git a/xkb/xkbtext.c b/xkb/xkbtext.c
index d6f688f5c..8fb61137f 100644
--- a/xkb/xkbtext.c
+++ b/xkb/xkbtext.c
@@ -138,11 +138,11 @@ XkbVModIndexText(XkbDescPtr xkb, unsigned ndx, unsigned format)
 len = strlen(tmp) + 1;
 if (format == XkbCFile)
- len += 4;
+ len += 5;
 rtrn = tbGetBuffer(len);
 if (format == XkbCFile) {
 strcpy(rtrn, "vmod_");
- strncpy(&rtrn[5], tmp, len - 4);
+ strncpy(&rtrn[5], tmp, len - 5);
 }
 else
 strncpy(rtrn, tmp, len);
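Review bot: The literal 5 in `len += 5;`, `&rtrn[5]` and `len - 5` is the length of "vmod_" counted by hand, which is how the off-by-one corrected here arose in the first place. Deriving it from the string, `len += sizeof("vmod_") - 1;`, or replacing the `strcpy`/`strncpy` pair with `snprintf(rtrn, len, "vmod_%s", tmp);`, removes the need to keep three numbers in step. `rtrn = tbGetBuffer(len);` is also written to without a NULL check in the visible lines; whether tbGetBuffer can fail is outside the hunk.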