blob: 0507401c736a2ca5d2f243079fe978e6d1bfee50 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
--- xorg-server-1.9.0/dix/window.c.orig 2010-08-23 16:07:24.000000000 +0200
+++ xorg-server-1.9.0/dix/window.c 2010-08-23 16:14:09.000000000 +0200
@@ -535,6 +535,48 @@ RealChildHead(WindowPtr pWin)
return NullWindow;
}
+static int
+TreeDepth(WindowPtr pWin)
+{
+ int depth = 1;
+ int max_depth = 1;
+ WindowPtr pChild;
+
+ if (!(pChild = pWin))
+ return 0;
+ while (1)
+ {
+ if (pChild->firstChild)
+ {
+ ++depth;
+ pChild = pChild->firstChild;
+ continue;
+ } else if (depth > max_depth)
+ max_depth = depth;
+ while (!pChild->nextSib && (pChild != pWin)) {
+ --depth;
+ pChild = pChild->parent;
+ }
+ if (pChild == pWin)
+ break;
+ pChild = pChild->nextSib;
+ }
+ return max_depth;
+}
+
+static int
+WindowDepth(WindowPtr pWin)
+{
+ int depth = 0;
+ while (pWin) {
+ ++depth;
+ pWin = pWin->parent;
+ }
+ return depth;
+}
+
+#define MAX_TREE_DEPTH 256
+
/*****
* CreateWindow
* Makes a window in response to client request
@@ -555,6 +597,11 @@ CreateWindow(Window wid, WindowPtr pPare
PixmapFormatRec *format;
WindowOptPtr ancwopt;
+ if (WindowDepth(pParent) >= MAX_TREE_DEPTH - 1) {
+ *error = BadAlloc;
+ return NullWindow;
+ }
+
if (class == CopyFromParent)
class = pParent->drawable.class;
@@ -2434,6 +2481,9 @@ ReparentWindow(WindowPtr pWin, WindowPtr
int bw = wBorderWidth (pWin);
ScreenPtr pScreen;
+ if (WindowDepth(pParent) + TreeDepth(pWin) >= MAX_TREE_DEPTH)
+ return BadAlloc;
+
pScreen = pWin->drawable.pScreen;
if (TraverseTree(pWin, CompareWIDs, (pointer)&pParent->drawable.id) == WT_STOPWALKING)
return BadMatch;
|