1
Description: fix denial of service and possible code execution via
2
incorrect memory size calculations from signedness issues
3
Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=81b4df8ac6aa1520c41c3526961014a6f115cc46
5
Index: libxi-1.6.99.1/src/XListDev.c
6
===================================================================
7
--- libxi-1.6.99.1.orig/src/XListDev.c 2013-05-29 10:06:41.916395291 -0400
8
+++ libxi-1.6.99.1/src/XListDev.c 2013-05-29 10:06:56.004395156 -0400
10
return ((base_size + padsize - 1)/padsize) * padsize;
15
SizeClassInfo(xAnyClassPtr *any, int num_classes)
19
register Display *dpy,
24
xListInputDevicesReq *req;
25
xListInputDevicesReply rep;
26
xDeviceInfo *list, *slist = NULL;
28
XDeviceInfo *clist = NULL;
29
xAnyClassPtr any, sav_any;
32
+ unsigned char *nptr, *Nptr;
35
XExtDisplayInfo *info = XInput_find_display(dpy);
37
size += SizeClassInfo(&any, (int)list->num_classes);
40
- for (i = 0, nptr = (char *)any; i < *ndevices; i++) {
41
+ Nptr = ((unsigned char *)list) + rlen + 1;
42
+ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
49
clist = (XDeviceInfoPtr) Xmalloc(size);
56
+ nptr = (unsigned char *)any;
57
+ Nptr = (unsigned char *)Any;
58
for (i = 0; i < *ndevices; i++, clist++) {
59
clist->name = (char *)Nptr;
60
memcpy(Nptr, nptr + 1, *nptr);