[PATCH] xfree86: check for NULL pointer before dereferences it in parser code

Alan Coopersmith alan.coopersmith at oracle.com
Fri Apr 16 09:17:43 PDT 2010


Tiago Vignatti wrote:
> Seems to be harmless. Meh.
> 
> Signed-off-by: Tiago Vignatti <tiago.vignatti at nokia.com>
> ---
>  hw/xfree86/parser/scan.c |    9 +++++++--
>  1 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
> index 8aab0cf..0b9461b 100644
> --- a/hw/xfree86/parser/scan.c
> +++ b/hw/xfree86/parser/scan.c
> @@ -844,11 +844,16 @@ OpenConfigFile(const char *path, const char *cmdline, const char *projroot,
>  static int
>  ConfigFilter(const struct dirent *de)
>  {
> -	const char *name = de->d_name;
> +	const char *name;
>  	size_t len = strlen(name);
>  	size_t suflen = strlen(XCONFIGSUFFIX);
>  
> -	if (!name || name[0] == '.' || len <= suflen)
> +	if (!name)
> +		return 0;
> +
> +	name = de->d_name;

NACK.  You are now checking if the uninitialized variable is not-NULL and
never checking the actual value, as well as calling strlen on the uninitialized
value.  The problem is that strlen(name) is being called before if (!name), so
the correct fix would be:

@@ -845,10 +845,13 @@ static int
 ConfigFilter(const struct dirent *de)
 {
        const char *name = de->d_name;
-       size_t len = strlen(name);
+       size_t len;
        size_t suflen = strlen(XCONFIGSUFFIX);

-       if (!name || name[0] == '.' || len <= suflen)
+       if (!name || name[0] == '.')
+               return 0;
+       len = strlen(name);
+       if (len <= suflen)
                return 0;
        if (strcmp(&name[len-suflen], XCONFIGSUFFIX) != 0)
                return 0;



-- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System



More information about the xorg-devel mailing list