libXt-1.0.8:fix possible array averflow

Jeremy Huddleston jeremyhu at freedesktop.org
Wed Sep 22 12:56:47 PDT 2010 

I had already mentioned this in the earlier thread:

It looks like we take care of that earlier (Cardinal is an unsigned int):
...
   if (params == NULL || num_params == NULL || *num_params == 0)
       (*fn)(buffer);

The code in question only executes if *num_params >= 1, so it's fine as is.



On Sep 22, 2010, at 10:18, walter harms wrote:

> 
> hi List,
> the code checks the upperlimit to 10 while the upperlimit is actualy 9.
> 
> The org. patch is attacehd since i guess the tabs will be mangeld.
> 
> re,
> wh
> 
> Signed-off-by: walter harms <wharms at bfs.de>
> 
> --- libXt-1.0.8/src/Error.c.org 2010-09-21 23:23:00.000000000 +0200
> +++ libXt-1.0.8/src/Error.c     2010-09-21 23:24:03.000000000 +0200
> @@ -257,7 +257,7 @@
>             */
>            Cardinal i = *num_params;
>            String par[10];
> -           if (i > 10) i = 10;
> +           if (i > 9) i = 9;
>            (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>            bzero( &par[i], (10-i) * sizeof(String) );
>            (void) fprintf (stderr, "%s%s",
> @@ -292,7 +292,7 @@
>         */
>        Cardinal i = *num_params;
>        String par[10];
> -       if (i > 10) i = 10;
> +       if (i > 9) i = 9;
>        (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>        bzero( &par[i], (10-i) * sizeof(String) );
>        if (i != *num_params)
> --- libXt-1.0.8/src/Error.c.org	2010-09-21 23:23:00.000000000 +0200
> +++ libXt-1.0.8/src/Error.c	2010-09-21 23:24:03.000000000 +0200
> @@ -257,7 +257,7 @@
> 	     */
> 	    Cardinal i = *num_params;
> 	    String par[10];
> -	    if (i > 10) i = 10;
> +	    if (i > 9) i = 9;
> 	    (void) memmove((char*)par, (char*)params, i * sizeof(String) );
> 	    bzero( &par[i], (10-i) * sizeof(String) );
> 	    (void) fprintf (stderr, "%s%s",
> @@ -292,7 +292,7 @@
> 	 */
> 	Cardinal i = *num_params;
> 	String par[10];
> -	if (i > 10) i = 10;
> +	if (i > 9) i = 9;
> 	(void) memmove((char*)par, (char*)params, i * sizeof(String) );
> 	bzero( &par[i], (10-i) * sizeof(String) );
> 	if (i != *num_params)
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel

More information about the xorg-devel mailing list