Fix a couple off-by-one array boundary checks.

Error: Write outside array bounds at Xext/geext.c:406
        in function 'GEWindowSetMask' [Symbolic analysis]
       In array dereference of cli->nextSib[extension] with index 'extension'
       Array size is 128 elements (of 4 bytes each), index <= 128

Error: Buffer overflow at dix/events.c:592
	in function 'SetMaskForEvent' [Symbolic analysis]
       In array dereference of filters[deviceid] with index 'deviceid'
       Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20

Error: Read buffer overflow at hw/xfree86/loader/loader.c:226
	in function 'LoaderOpen' [Symbolic analysis]
       In array dereference of refCount[new_handle] with index 'new_handle'
       Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256

These bugs were found using the Parfait source code analysis tool.
For more information see http://research.sun.com/projects/parfait

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b680bda34d)
(cherry picked from commit 04c9e80f08)

Signed-off-by: Keith Packard <keithp@keithp.com>
This commit is contained in:
Jeremy Huddleston 2009-05-09 11:42:17 -07:00 committed by Keith Packard
parent 10c06ddeef
commit 597747c655
3 changed files with 3 additions and 3 deletions

@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev,
extension = (extension & 0x7F);
if (extension > MAXEXTENSIONS)
if (extension >= MAXEXTENSIONS)
{
ErrorF("Invalid extension number.\n");
return;
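
Review bot: In GEWindowSetMask the bound check sits after 'extension = (extension & 0x7F);', so the value it tests is already limited to 0..127. If MAXEXTENSIONS is 128, the array size given in the Parfait report, the corrected 'extension >= MAXEXTENSIONS' branch can never be taken, and an out-of-range extension number is folded into range by the mask instead of reaching the ErrorF path. Consider validating the value before masking, or documenting that the mask is the intended bound and dropping the unreachable check.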

@ -778,7 +778,7 @@ void
SetMaskForEvent(int deviceid, Mask mask, int event)
{
int coretype;
if (deviceid < 0 || deviceid > MAXDEVICES)
if (deviceid < 0 || deviceid >= MAXDEVICES)
FatalError("SetMaskForEvent: bogus device id");
if ((event < LASTEvent) || (event >= 128))
FatalError("SetMaskForEvent: bogus event number");
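
Review bot: The event check directly below the corrected line in SetMaskForEvent still uses the literal 128 ('event >= 128') as its upper bound, while the deviceid check uses MAXDEVICES. The Parfait report describes filters as 20 elements of 512 bytes each, so both bounds presumably follow from the array's declaration; a named constant for the second dimension would keep this check from drifting the way the first one did. The declaration of filters is not part of the hunk, so it is worth confirming that it is sized with MAXDEVICES.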

@ -249,7 +249,7 @@ LoaderOpen(const char *module, const char *cname, int handle,
* Find a free handle.
*/
new_handle = 1;
while (freeHandles[new_handle] && new_handle < MAX_HANDLE)
while (new_handle < MAX_HANDLE && freeHandles[new_handle])
new_handle++;
if (new_handle == MAX_HANDLE) {
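
Review bot: The reordered loop condition in LoaderOpen relies on short-circuit evaluation to keep 'freeHandles[new_handle]' from being read when new_handle == MAX_HANDLE, and nothing in the code says so; a one-line comment above the while would stop a later cleanup from swapping the operands back. Separately, the Parfait report in the commit message names refCount[new_handle] at loader.c:226, which this hunk does not touch. If that access is covered by the 'new_handle == MAX_HANDLE' branch following the loop, the commit message should say so.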