[PATCH] Fix num_masks/length overflow test for XiSelectEvents
Peter Hutterer
peter.hutterer at who-t.net
Tue Sep 15 19:59:01 PDT 2009
On Tue, Sep 15, 2009 at 05:53:50PM -0700, Alan Coopersmith wrote:
> Have to set windowid to a valid value first, since that check
> appears earlier in the code than the masks/length check.
>
> Also have to have data[] set large enough so that reading mask
> data for 0xFFFF masks doesn't overflow past the end of the array
> into uninitialized data.
>
> Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>
> ---
>
> Improved version of earlier patch that also addresses the root cause of
> why Peter & I saw different results for this test - since we had different
> uninitialized data for the masks read past the end of the data[] array.
>
> Also changed to leave the setting of req->win for the next test case,
> copying it instead of moving it up, to avoid failure due to the swapl()
> of the req->win value during testing.
>
> test/xi2/protocol-xiselectevents.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/test/xi2/protocol-xiselectevents.c b/test/xi2/protocol-xiselectevents.c
> index f314462..fe1c26d 100644
> --- a/test/xi2/protocol-xiselectevents.c
> +++ b/test/xi2/protocol-xiselectevents.c
> @@ -60,7 +60,7 @@
> #include "protocol-common.h"
> #include <glib.h>
>
> -static unsigned char *data[4096 * 16]; /* the request data buffer */
> +static unsigned char *data[4096 * 20]; /* the request data buffer */
>
> int __wrap_XISetEventMask(DeviceIntPtr dev, WindowPtr win, int len, unsigned char* mask)
> {
> @@ -284,6 +284,7 @@ static void test_XISelectEvents(void)
> request_XISelectEvent(req, BadWindow);
>
> g_test_message("Triggering num_masks/length overflow");
> + req->win = ROOT_WINDOW_ID;
> /* Integer overflow - req->length can't hold that much */
> req->num_masks = 0xFFFF;
> request_XISelectEvent(req, BadLength);
> --
> 1.5.6.5
Thanks for the patches, all three merged and pushed.
Cheers,
Peter
More information about the xorg-devel
mailing list