forked from pool/xorg-x11-server
Stefan Dirsch
c5550f7b6b
* obsolete patches:
- dmx-silly.patch
- fixed-SYNC-extension-trigger-BlockHandler-test.diff
- sw_cursor_on_randr.patch
- xorg-evdev-conf.diff
- xorg-server-commit-21ed660.diff
- xorg-server-revert-event-mask.patch
- xorg-x11-server-gl-apps-crash.patch
* adjusted patches
- 0001-Fix-segfault-when-killing-X-with-ctrl-alt-backspace.patch
- 0001-Xinput-Catch-missing-configlayout-when-deleting-dev.patch
- CVE-2010-2240-tree_depth_limit.patch
- cache-xkbcomp-output-for-fast-start-up.patch
- confine_to_shape.diff
- driver-autoconfig.diff
- fpic.diff
- xorg-detect-psb.patch
- xorg-server-1.8.0.diff
- xorg-server-nohwaccess.diff
- xorg-server-option_libxf86config.diff
- xorg-server-xf4vnc.patch
- xserver-1.6.1-nouveau.patch
- xserver-bg-none-root.patch
* vbe-bufferoverflow.diff
- fixes vbe buffer overflow
- disabled vnc build for now (standalone server + module)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=281
74 lines
1.6 KiB
Diff
74 lines
1.6 KiB
Diff
--- xorg-server-1.9.0/dix/window.c.orig 2010-08-23 16:07:24.000000000 +0200
|
|
+++ xorg-server-1.9.0/dix/window.c 2010-08-23 16:14:09.000000000 +0200
|
|
@@ -535,6 +535,48 @@ RealChildHead(WindowPtr pWin)
|
|
return NullWindow;
|
|
}
|
|
|
|
+static int
|
|
+TreeDepth(WindowPtr pWin)
|
|
+{
|
|
+ int depth = 1;
|
|
+ int max_depth = 1;
|
|
+ WindowPtr pChild;
|
|
+
|
|
+ if (!(pChild = pWin))
|
|
+ return 0;
|
|
+ while (1)
|
|
+ {
|
|
+ if (pChild->firstChild)
|
|
+ {
|
|
+ ++depth;
|
|
+ pChild = pChild->firstChild;
|
|
+ continue;
|
|
+ } else if (depth > max_depth)
|
|
+ max_depth = depth;
|
|
+ while (!pChild->nextSib && (pChild != pWin)) {
|
|
+ --depth;
|
|
+ pChild = pChild->parent;
|
|
+ }
|
|
+ if (pChild == pWin)
|
|
+ break;
|
|
+ pChild = pChild->nextSib;
|
|
+ }
|
|
+ return max_depth;
|
|
+}
|
|
+
|
|
+static int
|
|
+WindowDepth(WindowPtr pWin)
|
|
+{
|
|
+ int depth = 0;
|
|
+ while (pWin) {
|
|
+ ++depth;
|
|
+ pWin = pWin->parent;
|
|
+ }
|
|
+ return depth;
|
|
+}
|
|
+
|
|
+#define MAX_TREE_DEPTH 256
|
|
+
|
|
/*****
|
|
* CreateWindow
|
|
* Makes a window in response to client request
|
|
@@ -555,6 +597,11 @@ CreateWindow(Window wid, WindowPtr pPare
|
|
PixmapFormatRec *format;
|
|
WindowOptPtr ancwopt;
|
|
|
|
+ if (WindowDepth(pParent) >= MAX_TREE_DEPTH - 1) {
|
|
+ *error = BadAlloc;
|
|
+ return NullWindow;
|
|
+ }
|
|
+
|
|
if (class == CopyFromParent)
|
|
class = pParent->drawable.class;
|
|
|
|
@@ -2434,6 +2481,9 @@ ReparentWindow(WindowPtr pWin, WindowPtr
|
|
int bw = wBorderWidth (pWin);
|
|
ScreenPtr pScreen;
|
|
|
|
+ if (WindowDepth(pParent) + TreeDepth(pWin) >= MAX_TREE_DEPTH)
|
|
+ return BadAlloc;
|
|
+
|
|
pScreen = pWin->drawable.pScreen;
|
|
if (TraverseTree(pWin, CompareWIDs, (pointer)&pParent->drawable.id) == WT_STOPWALKING)
|
|
return BadMatch;
|