Fix a couple off-by-one array boundary checks.
Error: Write outside array bounds at Xext/geext.c:406 in function 'GEWindowSetMask' [Symbolic analysis] In array dereference of cli->nextSib[extension] with index 'extension' Array size is 128 elements (of 4 bytes each), index <= 128 Error: Buffer overflow at dix/events.c:592 in function 'SetMaskForEvent' [Symbolic analysis] In array dereference of filters[deviceid] with index 'deviceid' Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20 Error: Read buffer overflow at hw/xfree86/loader/loader.c:226 in function 'LoaderOpen' [Symbolic analysis] In array dereference of refCount[new_handle] with index 'new_handle' Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256 These bugs were found using the Parfait source code analysis tool. For more information see http://research.sun.com/projects/parfait Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
parent
5cf7018381
commit
b680bda34d
|
@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev,
|
|||
|
||||
extension = (extension & 0x7F);
|
||||
|
||||
if (extension > MAXEXTENSIONS)
|
||||
if (extension >= MAXEXTENSIONS)
|
||||
{
|
||||
ErrorF("Invalid extension number.\n");
|
||||
return;
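Review bot: The `extension >= MAXEXTENSIONS` test runs after `extension = (extension & 0x7F);`, so the value it compares is already confined to 0..127. If MAXEXTENSIONS is 128, as the 128-element array in the analysis report suggests, the branch can no longer be taken, and an out-of-range caller value is folded onto a valid slot instead of being rejected. A comment at the mask would make that explicit, for example `/* mask keeps extension in 0..127; the range check below only fires if MAXEXTENSIONS < 128 */`. GEWindowSetMask starts before this hunk and continues after it, so any validation of the unmasked value earlier in the function is not visible here.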
|
||||
|
|
|
@ -588,7 +588,7 @@ XineramaConfineCursorToWindow(DeviceIntPtr pDev,
|
|||
void
|
||||
SetMaskForEvent(int deviceid, Mask mask, int event)
|
||||
{
|
||||
if (deviceid < 0 || deviceid > MAXDEVICES)
|
||||
if (deviceid < 0 || deviceid >= MAXDEVICES)
|
||||
FatalError("SetMaskForEvent: bogus device id");
|
||||
filters[deviceid][event] = mask;
|
||||
}
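Review bot: `event` is the second index in `filters[deviceid][event] = mask;` and is never range-checked; only `deviceid` is validated. The analysis report describes each row of `filters` as 512 bytes, so a negative or oversized `event` would write outside the row in the same way the old `deviceid` bound allowed. I would add a matching guard before the store, for example `if (event < 0 || event >= (int)(sizeof(filters[0]) / sizeof(filters[0][0])))` followed by `FatalError("SetMaskForEvent: bogus event");`, or use the named constant for the row length if one exists. Whether every caller already guarantees the range cannot be seen from this hunk.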
|
||||
|
|
|
@ -223,7 +223,7 @@ LoaderOpen(const char *module, const char *cname, int handle,
|
|||
* Find a free handle.
|
||||
*/
|
||||
new_handle = 1;
|
||||
while (refCount[new_handle] && new_handle < MAX_HANDLE)
|
||||
while (new_handle < MAX_HANDLE && refCount[new_handle])
|
||||
new_handle++;
|
||||
|
||||
if (new_handle == MAX_HANDLE) {
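Review bot: The corrected `while` condition is only safe because `&&` short-circuits, and nothing in the code says so, which makes it easy for a later tidy-up to reorder the operands again. A one-line comment above the loop would pin it: `/* test the bound first: refCount[MAX_HANDLE] is past the end of the array */`. The search also starts at `new_handle = 1`, leaving slot 0 unused; if that is deliberate, the existing "Find a free handle" comment is the place to say why. LoaderOpen begins before this hunk and continues past it.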
|
||||
|
|