patch: libXt-1.0.8 fix possible array overflow

walter harms wharms at bfs.de
Thu Sep 23 09:26:47 PDT 2010



Barry Scott schrieb:
> On Wednesday 22 September 2010 08:18:21 walter harms wrote:
>> hi List,
>> the code checks the upperlimit to 10 while the upperlimit is actualy 9.
> 
> You could use "(sizeof( par )/sizeof( String ))-1" to make the code robust aginst
> a change to the size of par.
> 

yep, i could use XtNumber(), personally i prefer

i%=10;
par=Xtmalloc(i*sizeof(String));

but i wanted to fix the overflow first.

the point i to not understand what do they copy the pointer at all ?
they could yjust do the fprintf() and ready ..


re,
 wh



and change to printf below into a loop



> Barry
> 
>> re,
>>  wh
>>
>>
>> --- libXt-1.0.8/src/Error.c.org 2010-09-21 23:23:00.000000000 +0200
>> +++ libXt-1.0.8/src/Error.c     2010-09-21 23:24:03.000000000 +0200
>> @@ -257,7 +257,7 @@
>>              */
>>             Cardinal i = *num_params;
>>             String par[10];
>> -           if (i > 10) i = 10;
>> +           if (i > 9) i = 9;
>>             (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>>             bzero( &par[i], (10-i) * sizeof(String) );
>>             (void) fprintf (stderr, "%s%s",
>> @@ -292,7 +292,7 @@
>>          */
>>         Cardinal i = *num_params;
>>         String par[10];
>> -       if (i > 10) i = 10;
>> +       if (i > 9) i = 9;
>>         (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>>         bzero( &par[i], (10-i) * sizeof(String) );
>>         if (i != *num_params)
>> _______________________________________________
>> xorg at lists.freedesktop.org: X.Org support
>> Archives: http://lists.freedesktop.org/archives/xorg
>> Info: http://lists.freedesktop.org/mailman/listinfo/xorg
>> Your subscription address: barry.scott at onelan.co.uk
>>
>>
> 


More information about the xorg-devel mailing list