[PATCH:libXt] Bug 40577 - Missing bound checking in FreeSelectionProperty()

Alan Coopersmith alan.coopersmith at oracle.com
Tue Sep 20 16:49:00 PDT 2011


From: Olivier Fourdan <fourdan at xfce.org>

https://bugs.freedesktop.org/show_bug.cgi?id=40577

FreeSelectionProperty() did not check for the count of items in array
and relied on a NULL terminated list, which can cause libXt to crash if
FreeSelectionProperty() follows a call to GetSelectionProperty() which
reallocates the array.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---

Olivier, can we assume your Signed-off-by as well?
http://www.x.org/wiki/Development/Documentation/SubmittingPatches#Signingoffandreviewing

 src/Selection.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/src/Selection.c b/src/Selection.c
index 101ea6a..f35cb44 100644
--- a/src/Selection.c
+++ b/src/Selection.c
@@ -237,6 +237,7 @@ static void FreeSelectionProperty(
     Atom prop)
 {
  SelectionProp p;
+ int propCount;
  PropList sarray;
  if (prop == None) return;
  LOCK_PROCESS;
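
Review bot: the new local in the declaration block is `int propCount;`, but nothing in this hunk shows the type of the `sarray->propCount` field it is later initialised from. Declare it with the same type as that field so the copy cannot truncate or change sign, or drop the local and iterate with an index compared against `sarray->propCount` directly.
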
@@ -247,7 +248,9 @@ static void FreeSelectionProperty(
 		"internal error: no selection property context for display",
 		 (String *)NULL,  (Cardinal *)NULL );
  UNLOCK_PROCESS;
- for (p = sarray->list; p; p++)
+ for (p = sarray->list, propCount=sarray->propCount;
+	propCount;
+	p++, propCount--)
    if (p->prop == prop) {
       p->avail = TRUE;
       return;
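
Review bot: the loop condition `propCount;` only tests for non-zero, so with a signed counter a negative count would keep `p++` walking past the end of the array; write the bound as `propCount > 0`. Separately, the walk starts after `UNLOCK_PROCESS`, and the commit message says GetSelectionProperty() can reallocate the array, so `sarray->list` and the count are read here without the lock. If that lock is what guards the list, hold it until the loop is done and release it before the `return` as well. A short comment stating that the list is bounded by `propCount` and not NULL terminated would also help the next reader.
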
-- 
1.7.3.2