patch: libXt-1.0.8 fix possible array overflow

Jeremy Huddleston jeremyhu at apple.com
Wed Sep 22 09:52:18 PDT 2010


On Sep 22, 2010, at 09:10, Jeremy Huddleston wrote:

> I think it's right as it is (assuming *num_params is always >= 1).  This zeroes out the remaining, unused entries in par.
> 
> A problem comes in if i < 1.  Where do we enforce the bounds on *num_params?

It looks like we take care of that earlier (Cardinal is an unsigned int):
...
    if (params == NULL || num_params == NULL || *num_params == 0)
        (*fn)(buffer);

The code in question only executes if *num_params >= 1.


> 
> On Sep 22, 2010, at 00:18, walter harms wrote:
> 
>> hi List,
>> the code checks the upperlimit to 10 while the upperlimit is actualy 9.
>> 
>> re,
>> wh
>> 
>> 
>> --- libXt-1.0.8/src/Error.c.org 2010-09-21 23:23:00.000000000 +0200
>> +++ libXt-1.0.8/src/Error.c     2010-09-21 23:24:03.000000000 +0200
>> @@ -257,7 +257,7 @@
>>            */
>>           Cardinal i = *num_params;
>>           String par[10];
>> -           if (i > 10) i = 10;
>> +           if (i > 9) i = 9;
>>           (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>>           bzero( &par[i], (10-i) * sizeof(String) );
>>           (void) fprintf (stderr, "%s%s",
>> @@ -292,7 +292,7 @@
>>        */
>>       Cardinal i = *num_params;
>>       String par[10];
>> -       if (i > 10) i = 10;
>> +       if (i > 9) i = 9;
>>       (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>>       bzero( &par[i], (10-i) * sizeof(String) );
>>       if (i != *num_params)
>> _______________________________________________
>> xorg at lists.freedesktop.org: X.Org support
>> Archives: http://lists.freedesktop.org/archives/xorg
>> Info: http://lists.freedesktop.org/mailman/listinfo/xorg
>> Your subscription address: jeremyhu at freedesktop.org
> 
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel



More information about the xorg-devel mailing list