[PATCH:libICE 1/2] Fix reads outside array bounds in error handlers

Alan Coopersmith alan.coopersmith at oracle.com
Tue Apr 19 18:40:18 PDT 2011


Error: Buffer overrun
   Read outside array bounds (CWE 125): In call to memcpy(<unknown>, &mOp, 8), (size(&mOp) < (unsigned) 8)
      Array size is 1 bytes
        at line 296 of src/error.c in function '_IceErrorMajorOpcodeDuplicate'.
Error: Buffer overrun
   Read outside array bounds (CWE 125): In call to memcpy(<unknown>, &maj, 8), (size(&maj) < (unsigned) 8)
      Array size is 1 bytes
        at line 346 of src/error.c in function '_IceErrorBadMajor'.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

[ This bug was found by the Parfait 0.3.7 bug checking tool.
  For more information see http://labs.oracle.com/projects/parfait/ ]
---
 src/error.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/error.c b/src/error.c
index 5c9aa51..0e7725a 100644
--- a/src/error.c
+++ b/src/error.c
@@ -284,7 +284,7 @@ _IceErrorMajorOpcodeDuplicate (
 	int	majorOpcode
 )
 {
-    char mOp = (char) majorOpcode;
+    char mOp[8] = { (char) majorOpcode };
 
     IceErrorHeader (iceConn,
 	0, ICE_ProtocolSetup,
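Review bot: the new declaration `char mOp[8] = { (char) majorOpcode };` depends on the initializer zero-filling elements 1 through 7, and nothing in the code says that those are the pad bytes of the error value. A one-line comment above it (opcode in byte 0, remaining bytes are zero pad to match the 8 bytes written below) would keep a later cleanup from shrinking it back to a scalar.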
@@ -293,7 +293,7 @@ _IceErrorMajorOpcodeDuplicate (
 	IceMajorOpcodeDuplicate,
 	1 /* length */);
 
-    IceWriteData (iceConn, 8, &mOp);
+    IceWriteData (iceConn, 8, mOp);
     IceFlush (iceConn);
 }
 
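Review bot: in `IceWriteData (iceConn, 8, mOp);` the literal 8 now has to stay in step with the array size in the declaration at the top of the function. Writing `IceWriteData (iceConn, sizeof (mOp), mOp);` ties the length to the buffer, so the two cannot drift apart and reintroduce the over-read.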
@@ -334,7 +334,7 @@ _IceErrorBadMajor (
 	int	severity
 )
 {
-    char maj = (char) offendingMajor;
+    char maj[8] = { (char) offendingMajor };
 
     IceErrorHeader (iceConn,
 	0, offendingMinor,
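Review bot: `char maj[8] = { (char) offendingMajor };` repeats the idiom introduced for `mOp` in _IceErrorMajorOpcodeDuplicate, with the size 8 again spelled as a bare literal. A shared named constant for the pad size, used in both declarations, would make the link to the 8-byte write explicit and keep the two handlers consistent.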
@@ -343,7 +343,7 @@ _IceErrorBadMajor (
 	IceBadMajor,
 	1 /* length */);
 
-    IceWriteData (iceConn, 8, &maj);
+    IceWriteData (iceConn, 8, maj);
     IceFlush (iceConn);
 }
 
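Review bot: the removed `IceWriteData (iceConn, 8, &maj);` did more than read past a 1-byte object: whatever 7 bytes followed `maj` on the stack were written to the connection, so the peer received them. The commit message only quotes the checker's CWE 125 finding; a sentence stating that the old code sent adjacent stack bytes in the error message, and that the pad is now zero, would let downstream packagers judge the priority of the fix. The same applies to the `&mOp` write in _IceErrorMajorOpcodeDuplicate.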
-- 
1.7.3.2


