libX11/CVE-2020-14344.patch

From 9d1ac6f7ddbaa6036d999a2eccd7caaf92d0ea36 Mon Sep 17 00:00:00 2001
Date: Tue, 8 Sep 2020 17:32:53 +0800
Subject: [PATCH] fix CVE-2020-14344

---
 modules/im/ximcp/imDefIc.c  |  6 +++--
 modules/im/ximcp/imDefIm.c  | 25 +++++++++++------
 modules/im/ximcp/imRmAttr.c | 53 +++++++++++++++++++++++--------------
 3 files changed, 54 insertions(+), 30 deletions(-)

diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c
index 7564dba..cf4b8fc 100644
--- a/modules/im/ximcp/imDefIc.c
+++ b/modules/im/ximcp/imDefIc.c
@@ -350,7 +350,7 @@ _XimProtoGetICValues(
 	     + sizeof(INT16)
 	     + XIM_PAD(2 + buf_size);
 
-    if (!(buf = Xmalloc(buf_size)))
+    if (!(buf = Xcalloc(buf_size, 1)))
 	return arg->name;
     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
 
@@ -708,6 +708,7 @@ _XimProtoSetICValues(
 #endif /* XIM_CONNECTABLE */
 
     _XimGetCurrentICValues(ic, &ic_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
     buf = tmp_buf;
     buf_size = XIM_HEADER_SIZE
 	+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);
@@ -730,7 +731,7 @@ _XimProtoSetICValues(
 
 	buf_size += ret_len;
 	if (buf == tmp_buf) {
-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
+	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
 		return tmp_name;
 	    }
 	    memcpy(tmp, buf, buf_size);
@@ -740,6 +741,7 @@ _XimProtoSetICValues(
 		Xfree(buf);
 		return tmp_name;
 	    }
+	    memset(&tmp[buf_size], 0, data_len);
 	    buf = tmp;
 	}
     }
diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c
index cf922e4..bd43513 100644
--- a/modules/im/ximcp/imDefIm.c
+++ b/modules/im/ximcp/imDefIm.c
@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.
 #include "XimTrInt.h"
 #include "Ximint.h"
 
+#include <limits.h>
 
 int
 _XimCheckDataSize(
@@ -807,12 +808,16 @@ _XimOpen(
     int			 buf_size;
     int			 ret_code;
     char		*locale_name;
+    size_t               locale_len;
 
     locale_name = im->private.proto.locale_name;
-    len = strlen(locale_name);
-    buf_b[0] = (BYTE)len;			   /* length of locale name */
-    (void)strcpy((char *)&buf_b[1], locale_name);  /* locale name */
-    len += sizeof(BYTE);			   /* sizeof length */
+    locale_len = strlen(locale_name);
+    if (locale_len > UCHAR_MAX)
+      return False;
+    memset(buf32, 0, sizeof(buf32));
+    buf_b[0] = (BYTE)locale_len;                   /* length of locale name */
+    memcpy(&buf_b[1], locale_name, locale_len);	   /* locale name */
+    len = (INT16)(locale_len + sizeof(BYTE));	   /* sizeof length */
     XIM_SET_PAD(buf_b, len);			   /* pad */
 
     _XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);
@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(
 #endif /* XIM_CONNECTABLE */
 
     _XimGetCurrentIMValues(im, &im_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
     buf = tmp_buf;
     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
     data_len = BUFSIZE - buf_size;
@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(
 
 	buf_size += ret_len;
 	if (buf == tmp_buf) {
-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
+	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
 		return arg->name;
 	    }
 	    memcpy(tmp, buf, buf_size);
@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(
 		Xfree(buf);
 		return arg->name;
 	    }
+	    memset(&tmp[buf_size], 0, data_len);
 	    buf = tmp;
 	}
     }
@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(
 	     + sizeof(INT16)
 	     + XIM_PAD(buf_size);
 
-    if (!(buf = Xmalloc(buf_size)))
+    if (!(buf = Xcalloc(buf_size, 1)))
 	return arg->name;
     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
 
@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(
 	+ sizeof(CARD16)
 	+ detail_len;
 
-    if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))
+    if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))
 	goto free_detail_ptr;
 
     buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];
@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(
     int			 ret_code;
 
     _XimGetCurrentIMValues(im, &im_values);
+    memset(tmp_buf, 0, sizeof(tmp_buf32));
     buf = tmp_buf;
     buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);
     data_len = BUFSIZE - buf_size;
@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(
 
 	buf_size += ret_len;
 	if (buf == tmp_buf) {
-	    if (!(tmp = Xmalloc(buf_size + data_len))) {
+	    if (!(tmp = Xcalloc(buf_size + data_len, 1))) {
 		return False;
 	    }
 	    memcpy(tmp, buf, buf_size);
@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(
 		Xfree(buf);
 		return False;
 	    }
+	    memset(&tmp[buf_size], 0, data_len);
 	    buf = tmp;
 	}
     }
diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c
index 9d4e462..cf491ea 100644
--- a/modules/im/ximcp/imRmAttr.c
+++ b/modules/im/ximcp/imRmAttr.c
@@ -29,6 +29,7 @@ PERFORMANCE OF THIS SOFTWARE.
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
+#include <limits.h>
 #include "Xlibint.h"
 #include "Xlcint.h"
 #include "Ximint.h"
@@ -214,7 +215,7 @@ _XimAttributeToValue(
     Xic			  ic,
     XIMResourceList	  res,
     CARD16		 *data,
-    INT16		  data_len,
+    CARD16		  data_len,
     XPointer		  value,
     BITMASK32		  mode)
 {
@@ -250,18 +251,23 @@ _XimAttributeToValue(
 
     case XimType_XIMStyles:
 	{
-	    INT16		 num = data[0];
+	    CARD16               num = data[0];
 	    register CARD32	*style_list = (CARD32 *)&data[2];
 	    XIMStyle		*style;
 	    XIMStyles		*rep;
 	    register int	 i;
 	    char		*p;
-	    int			 alloc_len;
+	    unsigned int         alloc_len;
 
 	    if (!(value))
 		return False;
-
+            if (num > (USHRT_MAX / sizeof(XIMStyle)))
+	        return False;
+	    if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)
+	        return False;
 	    alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;
+	    if (alloc_len < sizeof(XIMStyles))
+	        return False;
 	    if (!(p = Xmalloc(alloc_len)))
 		return False;
 
@@ -313,7 +319,7 @@ _XimAttributeToValue(
 
     case XimType_XFontSet:
 	{
-	    INT16	 len = data[0];
+	    CARD16       len = data[0];
 	    char	*base_name;
 	    XFontSet	 rep = (XFontSet)NULL;
 	    char	**missing_list = NULL;
@@ -324,11 +330,12 @@ _XimAttributeToValue(
 		return False;
 	    if (!ic)
 		return False;
-
+            if (len > data_len)
+		return False;
 	    if (!(base_name = Xmalloc(len + 1)))
 		return False;
 
-	    (void)strncpy(base_name, (char *)&data[1], (int)len);
+	    (void)strncpy(base_name, (char *)&data[1], (size_t)len);
 	    base_name[len] = '\0';
 
 	    if (mode & XIM_PREEDIT_ATTR) {
@@ -357,19 +364,24 @@ _XimAttributeToValue(
 
     case XimType_XIMHotKeyTriggers:
 	{
-	    INT32			 num = *((CARD32 *)data);
+	    CARD32                       num = *((CARD32 *)data);
 	    register CARD32		*key_list = (CARD32 *)&data[2];
 	    XIMHotKeyTrigger		*key;
 	    XIMHotKeyTriggers		*rep;
 	    register int		 i;
 	    char			*p;
-	    int				 alloc_len;
+	    unsigned int                 alloc_len;
 
 	    if (!(value))
 		return False;
-
+            if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))
+                return False;
+	    if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)
+	        return False;
 	    alloc_len = sizeof(XIMHotKeyTriggers)
 		      + sizeof(XIMHotKeyTrigger) * num;
+	    if (alloc_len < sizeof(XIMHotKeyTriggers))
+	        return False;
 	    if (!(p = Xmalloc(alloc_len)))
 		return False;
 
@@ -1378,13 +1390,13 @@ _XimEncodeSavedICATTRIBUTE(
 
 static unsigned int
 _XimCountNumberOfAttr(
-    INT16	 total,
-    CARD16	*attr,
-    int		*names_len)
+    CARD16          total,
+    CARD16	   *attr,
+    unsigned int   *names_len)
 {
     unsigned int n;
-    INT16	 len;
-    INT16	 min_len = sizeof(CARD16)	/* sizeof attribute ID */
+    CARD16       len;
+    CARD16       min_len = sizeof(CARD16)	/* sizeof attribute ID */
 			 + sizeof(CARD16)	/* sizeof type of value */
 			 + sizeof(INT16);	/* sizeof length of attribute */
 
@@ -1392,6 +1404,9 @@ _XimCountNumberOfAttr(
     *names_len = 0;
     while (total > min_len) {
 	len = attr[2];
+	if (len >= (total - min_len)) {
+	    return 0;
+	}
 	*names_len += (len + 1);
 	len += (min_len + XIM_PAD(len + 2));
 	total -= len;
@@ -1406,17 +1421,15 @@ _XimGetAttributeID(
     Xim			  im,
     CARD16		 *buf)
 {
-    unsigned int	  n;
+    unsigned int	  n, names_len, values_len;
     XIMResourceList	  res;
     char		 *names;
-    int			  names_len;
     XPointer		  tmp;
     XIMValuesList	 *values_list;
     char		**values;
-    int			  values_len;
     register int	  i;
-    INT16		  len;
-    INT16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
+    CARD16		  len;
+    CARD16		  min_len = sizeof(CARD16) /* sizeof attribute ID */
 				  + sizeof(CARD16) /* sizeof type of value */
 				  + sizeof(INT16); /* sizeof length of attr */
     /*
-- 
2.23.0
fix CVE-2020-14344 2020-09-11 21:08:34 +08:00			`From 9d1ac6f7ddbaa6036d999a2eccd7caaf92d0ea36 Mon Sep 17 00:00:00 2001`
			`Date: Tue, 8 Sep 2020 17:32:53 +0800`
			`Subject: [PATCH] fix CVE-2020-14344`

			`---`
			`modules/im/ximcp/imDefIc.c \| 6 +++--`
			`modules/im/ximcp/imDefIm.c \| 25 +++++++++++------`
			`modules/im/ximcp/imRmAttr.c \| 53 +++++++++++++++++++++++--------------`
			`3 files changed, 54 insertions(+), 30 deletions(-)`

			`diff --git a/modules/im/ximcp/imDefIc.c b/modules/im/ximcp/imDefIc.c`
			`index 7564dba..cf4b8fc 100644`
			`--- a/modules/im/ximcp/imDefIc.c`
			`+++ b/modules/im/ximcp/imDefIc.c`
			`@@ -350,7 +350,7 @@ _XimProtoGetICValues(`
			`+ sizeof(INT16)`
			`+ XIM_PAD(2 + buf_size);`

			`- if (!(buf = Xmalloc(buf_size)))`
			`+ if (!(buf = Xcalloc(buf_size, 1)))`
			`return arg->name;`
			`buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];`

			`@@ -708,6 +708,7 @@ _XimProtoSetICValues(`
			`#endif /* XIM_CONNECTABLE */`

			`_XimGetCurrentICValues(ic, &ic_values);`
			`+ memset(tmp_buf, 0, sizeof(tmp_buf32));`
			`buf = tmp_buf;`
			`buf_size = XIM_HEADER_SIZE`
			`+ sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16);`
			`@@ -730,7 +731,7 @@ _XimProtoSetICValues(`

			`buf_size += ret_len;`
			`if (buf == tmp_buf) {`
			`- if (!(tmp = Xmalloc(buf_size + data_len))) {`
			`+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {`
			`return tmp_name;`
			`}`
			`memcpy(tmp, buf, buf_size);`
			`@@ -740,6 +741,7 @@ _XimProtoSetICValues(`
			`Xfree(buf);`
			`return tmp_name;`
			`}`
			`+ memset(&tmp[buf_size], 0, data_len);`
			`buf = tmp;`
			`}`
			`}`
			`diff --git a/modules/im/ximcp/imDefIm.c b/modules/im/ximcp/imDefIm.c`
			`index cf922e4..bd43513 100644`
			`--- a/modules/im/ximcp/imDefIm.c`
			`+++ b/modules/im/ximcp/imDefIm.c`
			`@@ -62,6 +62,7 @@ PERFORMANCE OF THIS SOFTWARE.`
			`#include "XimTrInt.h"`
			`#include "Ximint.h"`

			`+#include <limits.h>`

			`int`
			`_XimCheckDataSize(`
			`@@ -807,12 +808,16 @@ _XimOpen(`
			`int buf_size;`
			`int ret_code;`
			`char *locale_name;`
			`+ size_t locale_len;`

			`locale_name = im->private.proto.locale_name;`
			`- len = strlen(locale_name);`
			`- buf_b[0] = (BYTE)len; /* length of locale name */`
			`- (void)strcpy((char )&buf_b[1], locale_name); / locale name */`
			`- len += sizeof(BYTE); /* sizeof length */`
			`+ locale_len = strlen(locale_name);`
			`+ if (locale_len > UCHAR_MAX)`
			`+ return False;`
			`+ memset(buf32, 0, sizeof(buf32));`
			`+ buf_b[0] = (BYTE)locale_len; /* length of locale name */`
			`+ memcpy(&buf_b[1], locale_name, locale_len); /* locale name */`
			`+ len = (INT16)(locale_len + sizeof(BYTE)); /* sizeof length */`
			`XIM_SET_PAD(buf_b, len); /* pad */`

			`_XimSetHeader((XPointer)buf, XIM_OPEN, 0, &len);`
			`@@ -1287,6 +1292,7 @@ _XimProtoSetIMValues(`
			`#endif /* XIM_CONNECTABLE */`

			`_XimGetCurrentIMValues(im, &im_values);`
			`+ memset(tmp_buf, 0, sizeof(tmp_buf32));`
			`buf = tmp_buf;`
			`buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);`
			`data_len = BUFSIZE - buf_size;`
			`@@ -1307,7 +1313,7 @@ _XimProtoSetIMValues(`

			`buf_size += ret_len;`
			`if (buf == tmp_buf) {`
			`- if (!(tmp = Xmalloc(buf_size + data_len))) {`
			`+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {`
			`return arg->name;`
			`}`
			`memcpy(tmp, buf, buf_size);`
			`@@ -1317,6 +1323,7 @@ _XimProtoSetIMValues(`
			`Xfree(buf);`
			`return arg->name;`
			`}`
			`+ memset(&tmp[buf_size], 0, data_len);`
			`buf = tmp;`
			`}`
			`}`
			`@@ -1458,7 +1465,7 @@ _XimProtoGetIMValues(`
			`+ sizeof(INT16)`
			`+ XIM_PAD(buf_size);`

			`- if (!(buf = Xmalloc(buf_size)))`
			`+ if (!(buf = Xcalloc(buf_size, 1)))`
			`return arg->name;`
			`buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];`

			`@@ -1720,7 +1727,7 @@ _XimEncodingNegotiation(`
			`+ sizeof(CARD16)`
			`+ detail_len;`

			`- if (!(buf = Xmalloc(XIM_HEADER_SIZE + len)))`
			`+ if (!(buf = Xcalloc(XIM_HEADER_SIZE + len, 1)))`
			`goto free_detail_ptr;`

			`buf_s = (CARD16 *)&buf[XIM_HEADER_SIZE];`
			`@@ -1816,6 +1823,7 @@ _XimSendSavedIMValues(`
			`int ret_code;`

			`_XimGetCurrentIMValues(im, &im_values);`
			`+ memset(tmp_buf, 0, sizeof(tmp_buf32));`
			`buf = tmp_buf;`
			`buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16);`
			`data_len = BUFSIZE - buf_size;`
			`@@ -1838,7 +1846,7 @@ _XimSendSavedIMValues(`

			`buf_size += ret_len;`
			`if (buf == tmp_buf) {`
			`- if (!(tmp = Xmalloc(buf_size + data_len))) {`
			`+ if (!(tmp = Xcalloc(buf_size + data_len, 1))) {`
			`return False;`
			`}`
			`memcpy(tmp, buf, buf_size);`
			`@@ -1848,6 +1856,7 @@ _XimSendSavedIMValues(`
			`Xfree(buf);`
			`return False;`
			`}`
			`+ memset(&tmp[buf_size], 0, data_len);`
			`buf = tmp;`
			`}`
			`}`
			`diff --git a/modules/im/ximcp/imRmAttr.c b/modules/im/ximcp/imRmAttr.c`
			`index 9d4e462..cf491ea 100644`
			`--- a/modules/im/ximcp/imRmAttr.c`
			`+++ b/modules/im/ximcp/imRmAttr.c`
			`@@ -29,6 +29,7 @@ PERFORMANCE OF THIS SOFTWARE.`
			`#ifdef HAVE_CONFIG_H`
			`#include <config.h>`
			`#endif`
			`+#include <limits.h>`
			`#include "Xlibint.h"`
			`#include "Xlcint.h"`
			`#include "Ximint.h"`
			`@@ -214,7 +215,7 @@ _XimAttributeToValue(`
			`Xic ic,`
			`XIMResourceList res,`
			`CARD16 *data,`
			`- INT16 data_len,`
			`+ CARD16 data_len,`
			`XPointer value,`
			`BITMASK32 mode)`
			`{`
			`@@ -250,18 +251,23 @@ _XimAttributeToValue(`

			`case XimType_XIMStyles:`
			`{`
			`- INT16 num = data[0];`
			`+ CARD16 num = data[0];`
			`register CARD32 style_list = (CARD32 )&data[2];`
			`XIMStyle *style;`
			`XIMStyles *rep;`
			`register int i;`
			`char *p;`
			`- int alloc_len;`
			`+ unsigned int alloc_len;`

			`if (!(value))`
			`return False;`
			`-`
			`+ if (num > (USHRT_MAX / sizeof(XIMStyle)))`
			`+ return False;`
			`+ if ((2 * sizeof(CARD16) + (num * sizeof(CARD32))) > data_len)`
			`+ return False;`
			`alloc_len = sizeof(XIMStyles) + sizeof(XIMStyle) * num;`
			`+ if (alloc_len < sizeof(XIMStyles))`
			`+ return False;`
			`if (!(p = Xmalloc(alloc_len)))`
			`return False;`

			`@@ -313,7 +319,7 @@ _XimAttributeToValue(`

			`case XimType_XFontSet:`
			`{`
			`- INT16 len = data[0];`
			`+ CARD16 len = data[0];`
			`char *base_name;`
			`XFontSet rep = (XFontSet)NULL;`
			`char **missing_list = NULL;`
			`@@ -324,11 +330,12 @@ _XimAttributeToValue(`
			`return False;`
			`if (!ic)`
			`return False;`
			`-`
			`+ if (len > data_len)`
			`+ return False;`
			`if (!(base_name = Xmalloc(len + 1)))`
			`return False;`

			`- (void)strncpy(base_name, (char *)&data[1], (int)len);`
			`+ (void)strncpy(base_name, (char *)&data[1], (size_t)len);`
			`base_name[len] = '\0';`

			`if (mode & XIM_PREEDIT_ATTR) {`
			`@@ -357,19 +364,24 @@ _XimAttributeToValue(`

			`case XimType_XIMHotKeyTriggers:`
			`{`
			`- INT32 num = ((CARD32 )data);`
			`+ CARD32 num = ((CARD32 )data);`
			`register CARD32 key_list = (CARD32 )&data[2];`
			`XIMHotKeyTrigger *key;`
			`XIMHotKeyTriggers *rep;`
			`register int i;`
			`char *p;`
			`- int alloc_len;`
			`+ unsigned int alloc_len;`

			`if (!(value))`
			`return False;`
			`-`
			`+ if (num > (UINT_MAX / sizeof(XIMHotKeyTrigger)))`
			`+ return False;`
			`+ if ((2 * sizeof(CARD16) + (num * 3 * sizeof(CARD32))) > data_len)`
			`+ return False;`
			`alloc_len = sizeof(XIMHotKeyTriggers)`
			`+ sizeof(XIMHotKeyTrigger) * num;`
			`+ if (alloc_len < sizeof(XIMHotKeyTriggers))`
			`+ return False;`
			`if (!(p = Xmalloc(alloc_len)))`
			`return False;`

			`@@ -1378,13 +1390,13 @@ _XimEncodeSavedICATTRIBUTE(`

			`static unsigned int`
			`_XimCountNumberOfAttr(`
			`- INT16 total,`
			`- CARD16 *attr,`
			`- int *names_len)`
			`+ CARD16 total,`
			`+ CARD16 *attr,`
			`+ unsigned int *names_len)`
			`{`
			`unsigned int n;`
			`- INT16 len;`
			`- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */`
			`+ CARD16 len;`
			`+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */`
			`+ sizeof(CARD16) /* sizeof type of value */`
			`+ sizeof(INT16); /* sizeof length of attribute */`

			`@@ -1392,6 +1404,9 @@ _XimCountNumberOfAttr(`
			`*names_len = 0;`
			`while (total > min_len) {`
			`len = attr[2];`
			`+ if (len >= (total - min_len)) {`
			`+ return 0;`
			`+ }`
			`*names_len += (len + 1);`
			`len += (min_len + XIM_PAD(len + 2));`
			`total -= len;`
			`@@ -1406,17 +1421,15 @@ _XimGetAttributeID(`
			`Xim im,`
			`CARD16 *buf)`
			`{`
			`- unsigned int n;`
			`+ unsigned int n, names_len, values_len;`
			`XIMResourceList res;`
			`char *names;`
			`- int names_len;`
			`XPointer tmp;`
			`XIMValuesList *values_list;`
			`char **values;`
			`- int values_len;`
			`register int i;`
			`- INT16 len;`
			`- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */`
			`+ CARD16 len;`
			`+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */`
			`+ sizeof(CARD16) /* sizeof type of value */`
			`+ sizeof(INT16); /* sizeof length of attr */`
			`/*`
			`--`
			`2.23.0`