modesetting: Fix potential buffer overflow
If one misconfigures a ZaphodHeads value (more than 20 characters without a delimiter), we get an overflow of our buffer. Use xstrtokenize() instead of writing/fixing our own tokenizer. Signed-off-by: Daniel Martin <consume.noise@gmail.com> Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
This commit is contained in:
parent
2230e6c8af
commit
04a305121f
|
@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
|
|||
static Bool
|
||||
drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
|
||||
{
|
||||
int i = 0;
|
||||
char s1[20];
|
||||
char **token = xstrtokenize(s, ", \t\n\r");
|
||||
Bool ret = FALSE;
|
||||
|
||||
do {
|
||||
switch(*s) {
|
||||
case ',':
|
||||
s1[i] = '\0';
|
||||
i = 0;
|
||||
if (strcmp(s1, output_name) == 0)
|
||||
return TRUE;
|
||||
break;
|
||||
case ' ':
|
||||
case '\t':
|
||||
case '\n':
|
||||
case '\r':
|
||||
break;
|
||||
default:
|
||||
s1[i] = *s;
|
||||
i++;
|
||||
break;
|
||||
}
|
||||
} while(*s++);
|
||||
if (!token)
|
||||
return FALSE;
|
||||
|
||||
s1[i] = '\0';
|
||||
if (strcmp(s1, output_name) == 0)
|
||||
return TRUE;
|
||||
for (int i = 0; token[i]; i++) {
|
||||
if (strcmp(token[i], output_name) == 0)
|
||||
ret = TRUE;
|
||||
|
||||
return FALSE;
|
||||
free(token[i]);
|
||||
}
|
||||
|
||||
free(token);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
|
|
|
@ -233,7 +233,7 @@ padding_for_int32(const int bytes)
|
|||
}
|
||||
|
||||
|
||||
extern char **xstrtokenize(const char *str, const char *separators);
|
||||
extern _X_EXPORT char **xstrtokenize(const char *str, const char *separators);
|
||||
extern void FormatInt64(int64_t num, char *string);
|
||||
extern void FormatUInt64(uint64_t num, char *string);
|
||||
extern void FormatUInt64Hex(uint64_t num, char *string);
|
||||
|
|
Loading…
Reference in New Issue
Block a user