From cf49354b6060b71ae41febe67327278fbcb7c74a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 11 Oct 2025 18:26:55 -0700
Subject: [PATCH] dix: assert that size of buffers to swap is a multiple of the
 swap size

If we're swapping 4-byte integers or 2-byte integers, make sure the size
of the buffer doesn't have any bytes left over, since we won't correctly
handle those bytes.

Reported in #1817:

xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:99:22:
 warning[-Wanalyzer-allocation-size]:
 allocated buffer size is not a multiple of the pointee's size

xwayland-24.1.6/redhat-linux-build/../dix/swaprep.c:146:22:
 warning[-Wanalyzer-allocation-size]:
 allocated buffer size is not a multiple of the pointee's size

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2078>
---
 dix/swaprep.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dix/swaprep.c b/dix/swaprep.c
index b9afa14a2..e9f724353 100644
--- a/dix/swaprep.c
+++ b/dix/swaprep.c
@@ -46,6 +46,8 @@ SOFTWARE.
 
 #include <dix-config.h>
 
+#include <assert.h>
+
 #include <X11/X.h>
 #include <X11/Xproto.h>
 #include "misc.h"
@@ -93,6 +95,8 @@ CopySwap32Write(ClientPtr pClient, int size, CARD32 *pbuf)
     CARD32 *from, *to, *fromLast, *toLast;
     CARD32 tmpbuf[1];
 
+    assert((bufsize % sizeof(CARD32)) == 0);
+
     /* Allocate as big a buffer as we can... */
     while (!(pbufT = malloc(bufsize))) {
         bufsize >>= 1;
@@ -140,6 +144,8 @@ CopySwap16Write(ClientPtr pClient, int size, short *pbuf)
     short *from, *to, *fromLast, *toLast;
     short tmpbuf[2];
 
+    assert((bufsize % sizeof(short)) == 0);
+
     /* Allocate as big a buffer as we can... */
     while (!(pbufT = malloc(bufsize))) {
         bufsize >>= 1;