authorAlan Coopersmith <alan.coopersmith@oracle.com>2022-09-07 11:33:13 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2022-09-07 13:33:02 -0700
commit6ca1ea376c7c6c9dc719d607b7684d87bcf96712 (patch)
tree87f02175a5958b2305de6058598759f3c87655c6
parent76fd1cf6534358426cddaed045514d79270275b5 (diff)
downloadxorg-lib-libICE-6ca1ea376c7c6c9dc719d607b7684d87bcf96712.tar.gz
IceGetHeaderExtra: only include extra space in outbufptr if there's room
If there's not room for it in the buffer, we already set pData to NULL, but still set the outbufptr to include the space, which could lead to IceFlush() reading past the end of the buffer. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--include/X11/ICE/ICEmsg.h9
1 files changed, 5 insertions, 4 deletions
diff --git a/include/X11/ICE/ICEmsg.h b/include/X11/ICE/ICEmsg.h
index 17e36a6..9688e3c 100644
--- a/include/X11/ICE/ICEmsg.h
+++ b/include/X11/ICE/ICEmsg.h
@@ -137,15 +137,16 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc (
_headerSize + ((_extra) << 3)) > _iceConn->outbufmax) \
IceFlush (_iceConn); \
_pMsg = (_msgType *) _iceConn->outbufptr; \
- if ((_iceConn->outbufptr + \
- _headerSize + ((_extra) << 3)) <= _iceConn->outbufmax) \
- _pData = (char *) _pMsg + _headerSize; \
+ _iceConn->outbufptr += _headerSize; \
+ if ((_iceConn->outbufptr + ((_extra) << 3)) <= _iceConn->outbufmax) { \
+ _pData = _iceConn->outbufptr; \
+ _iceConn->outbufptr += ((_extra) << 3); \
+ } \
else \
_pData = NULL; \
_pMsg->majorOpcode = _major; \
_pMsg->minorOpcode = _minor; \
_pMsg->length = ((_headerSize - SIZEOF (iceMsg)) >> 3) + (_extra); \
- _iceConn->outbufptr += (_headerSize + ((_extra) << 3)); \
_iceConn->send_sequence++
#define IceSimpleMessage(_iceConn, _major, _minor) \
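Review bot: The new room check on the `_pData` branch still forms `_iceConn->outbufptr + ((_extra) << 3)` and compares it with `outbufmax`; for a large `_extra` that pointer lies past the end of the buffer, which is undefined in C and can wrap, so the test may pass when there is no room. Comparing lengths avoids this, e.g. `if ((size_t)(_extra) <= ((size_t)(_iceConn->outbufmax - _iceConn->outbufptr) >> 3)) { \`, assuming both fields point into the same output buffer as the existing comparison implies; the unchanged pre-flush test at the top of the hunk has the same form. Separately, on the NULL path `_pMsg->length` still counts `_extra` while `outbufptr` no longer does, so the macro deserves a comment such as `/* _pData is NULL when the extra data does not fit; the caller must check it and write the extra bytes itself */`. The macro (IceGetHeaderExtra, per the commit title) begins above this hunk, so its parameter list is not visible here.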