xserver: Branch 'xorg-server-1.6-apple'

Jeremy Huddleston jeremyhu at kemper.freedesktop.org
Sat May 9 11:42:30 PDT 2009


 Xext/geext.c               |    2 +-
 dix/events.c               |    2 +-
 hw/xfree86/loader/loader.c |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

New commits:
commit 04c9e80f083659e63cffec8969fb3a0cfc551a97
Author: Jeremy Huddleston <jeremyhu at freedesktop.org>
Date:   Sat May 9 11:42:17 2009 -0700

    Fix a couple off-by-one array boundary checks.
    
    Error: Write outside array bounds at Xext/geext.c:406
            in function 'GEWindowSetMask' [Symbolic analysis]
           In array dereference of cli->nextSib[extension] with index 'extension'
           Array size is 128 elements (of 4 bytes each), index <= 128
    
    Error: Buffer overflow at dix/events.c:592
    	in function 'SetMaskForEvent' [Symbolic analysis]
           In array dereference of filters[deviceid] with index 'deviceid'
           Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20
    
    Error: Read buffer overflow at hw/xfree86/loader/loader.c:226
    	in function 'LoaderOpen' [Symbolic analysis]
           In array dereference of refCount[new_handle] with index 'new_handle'
           Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256
    
    These bugs were found using the Parfait source code analysis tool.
    For more information see http://research.sun.com/projects/parfait
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>
    Signed-off-by: Adam Jackson <ajax at redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit b680bda34da130ce408783f04214771471e41e8d)

diff --git a/Xext/geext.c b/Xext/geext.c
index a58db03..7ab9951 100644
--- a/Xext/geext.c
+++ b/Xext/geext.c
@@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev,
 
     extension = (extension & 0x7F);
 
-    if (extension > MAXEXTENSIONS)
+    if (extension >= MAXEXTENSIONS)
     {
         ErrorF("Invalid extension number.\n");
         return;
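Review bot: in GEWindowSetMask the corrected test `extension >= MAXEXTENSIONS` runs after `extension = (extension & 0x7F);`, so the value it sees is already confined to 0..127. If MAXEXTENSIONS is 128, which the 128-element array size in the commit message suggests, the branch can never be taken and the ErrorF path is dead code. Either validate the raw extension number before masking it, or add a comment saying the check only guards against MAXEXTENSIONS being lowered below 128. The function also returns without a value after ErrorF, so the caller cannot tell that the mask was not set.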
diff --git a/dix/events.c b/dix/events.c
index 6743cae..a605e8f 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -761,7 +761,7 @@ void
 SetMaskForEvent(int deviceid, Mask mask, int event)
 {
     int coretype;
-    if (deviceid < 0 || deviceid > MAXDEVICES)
+    if (deviceid < 0 || deviceid >= MAXDEVICES)
         FatalError("SetMaskForEvent: bogus device id");
     if ((event < LASTEvent) || (event >= 128))
 	FatalError("SetMaskForEvent: bogus event number");
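Review bot: the event check on the line after the corrected device test still hard-codes its upper bound as `event >= 128`, while the device bound uses the named MAXDEVICES. The commit message gives each filters row as 512 bytes, so the 128 presumably mirrors the row length; a named constant, or a bound derived from the array declaration, would keep both checks tied to the array they protect. Both failures call FatalError, so it is also worth confirming that deviceid and event reach SetMaskForEvent only from server-internal callers and never from request data.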
diff --git a/hw/xfree86/loader/loader.c b/hw/xfree86/loader/loader.c
index a5e8912..fc0db28 100644
--- a/hw/xfree86/loader/loader.c
+++ b/hw/xfree86/loader/loader.c
@@ -249,7 +249,7 @@ LoaderOpen(const char *module, const char *cname, int handle,
      * Find a free handle.
      */
     new_handle = 1;
-    while (freeHandles[new_handle] && new_handle < MAX_HANDLE)
+    while (new_handle < MAX_HANDLE && freeHandles[new_handle])
 	new_handle++;
 
     if (new_handle == MAX_HANDLE) {
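Review bot: the Parfait report in the commit message names `refCount[new_handle]` at loader.c:226, but this hunk is at line 249 and changes the read of `freeHandles[new_handle]`; since this is a cherry-pick, confirm that freeHandles on this branch is declared with MAX_HANDLE elements so that `new_handle < MAX_HANDLE` is the right bound for it. The fix also depends entirely on `&&` short-circuiting with the bounds test first. A one-line comment, or a for loop that carries `new_handle < MAX_HANDLE` as its condition and tests freeHandles[new_handle] in the body, would make the ordering harder to undo by accident.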

