From ca9818d109e53e87d725e7dd53b905c8ccda63b6 Mon Sep 17 00:00:00 2001
From: Stuart Kreitman
Date: Fri, 2 Apr 2004 06:31:37 +0000
Subject: [PATCH] Memory overrun due to incomplete implementation of saveSetElt data structure

Modified Files: Tag: DAMAGE-XFIXES window.c dixutils.c
---
 dix/dixutils.c | 21 ++++++++++++++++++---
 dix/window.c | 4 ++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/dix/dixutils.c b/dix/dixutils.c
index 7c2fe09e3..4acb8c532 100644
--- a/dix/dixutils.c
+++ b/dix/dixutils.c
@@ -353,7 +353,11 @@ AlterSaveSetForClient(ClientPtr client,
                       Bool remap)
 {
     int numnow;
+#ifdef XFIXES
+    SaveSetElt *pTmp = NULL;
+#else
     pointer *pTmp = NULL;
+#endif
     int j;
 
     numnow = client->numSaved;
@@ -361,7 +365,7 @@ AlterSaveSetForClient(ClientPtr client,
     if (numnow)
     {
         pTmp = client->saveSet;
-        while ((j < numnow) && (pTmp[j] != (pointer)pWin))
+        while ((j < numnow) && (SaveSetWindow(pTmp[j]) != (pointer)pWin))
             j++;
     }
     if (mode == SetModeInsert)
@@ -369,7 +373,11 @@ AlterSaveSetForClient(ClientPtr client,
         if (j < numnow) /* duplicate */
             return(Success);
         numnow++;
+#ifdef XFIXES
+        pTmp = (SaveSetElt *)xrealloc(client->saveSet, sizeof(SaveSetElt) * numnow);
+#else
         pTmp = (pointer *)xrealloc(client->saveSet, sizeof(pointer) * numnow);
+#endif
         if (!pTmp)
             return(BadAlloc);
         client->saveSet = pTmp;
@@ -389,15 +397,22 @@ AlterSaveSetForClient(ClientPtr client,
         numnow--;
         if (numnow)
         {
-            pTmp = (pointer *)xrealloc(client->saveSet,
-                                       sizeof(pointer) * numnow);
+#ifdef XFIXES
+            pTmp = (SaveSetElt *)xrealloc(client->saveSet, sizeof(SaveSetElt) * numnow);
+#else
+            pTmp = (pointer *)xrealloc(client->saveSet, sizeof(pointer) * numnow);
+#endif
             if (pTmp)
                 client->saveSet = pTmp;
         }
         else
         {
             xfree(client->saveSet);
+#ifdef XFIXES
+            client->saveSet = (SaveSetElt *)NULL;
+#else
             client->saveSet = (pointer *)NULL;
+#endif
         }
         client->numSaved = numnow;
         return(Success);
diff --git a/dix/window.c b/dix/window.c
index 7aea71e84..59afa0465 100644
--- a/dix/window.c
+++ b/dix/window.c
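Review bot: The `#ifdef XFIXES` fork added around the `pTmp` declaration in the first dixutils.c hunk is then repeated for each xrealloc in the third and fourth hunks, with the element size spelled out by hand both times, which is the same size/type mismatch this commit is fixing. Tying the size to the variable instead, `pTmp = xrealloc(client->saveSet, numnow * sizeof *pTmp);`, would confine the conditional to the declaration and make the allocation size follow the element type automatically if SaveSetElt changes again; the cast on the result is unnecessary if xrealloc returns `pointer`, which cannot be confirmed from this patch. AlterSaveSetForClient begins before the first hunk and continues between the hunks.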
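Review bot: The new `SaveSetWindow(pTmp[j])` comparison in the second dixutils.c hunk is not under an `#ifdef XFIXES` guard, while every other change in this file keeps the non-XFIXES build on plain `pointer` elements, so that build depends on `SaveSetWindow` also being defined for a bare `pointer` element, which is not visible here. Either guard this line the same way as the declaration, or confirm the macro handles both element types and record that next to it, `/* SaveSetWindow() also accepts a bare pointer element when XFIXES is off */`. The loop bound `numnow` is taken from `client->numSaved`, so it is consistent with the element count the reallocations now use.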
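Review bot: The two conditional NULL assignments in the fourth dixutils.c hunk, and the matching one in the window.c hunk, differ only in a cast that C does not require: `client->saveSet = NULL;` is valid for either pointer type, so each five-line `#ifdef`/`#else`/`#endif` block could be a single unconditional line. Dropping the casts also removes a place where the two configurations can silently diverge from the field's declared type. AlterSaveSetForClient ends outside this hunk.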
@@ -3179,7 +3179,11 @@ HandleSaveSet(client)
     }
     xfree(client->saveSet);
     client->numSaved = 0;
+#ifdef XFIXES
     client->saveSet = (SaveSetElt *)NULL;
+#else
+    client->saveSet = (pointer *)NULL;
+#endif
 }
 
 Bool