[PATCH libXi] Fix invalid read in XIGrabDevice.

Peter Hutterer peter.hutterer at who-t.net
Tue Feb 22 21:02:48 PST 2011


On Wed, Feb 23, 2011 at 01:22:36AM +0100, Julien Cristau wrote:
> On Wed, Feb 23, 2011 at 09:36:06 +1000, Peter Hutterer wrote:
> 
> > Miscalculation of length caused Data() to memcpy too many bytes.
> > 
> > ==2865== Invalid read of size 1
> > ==2865==    at 0x4A07480: memcpy (mc_replace_strmem.c:602)
> > ==2865==    by 0x544271E: XIGrabDevice (XIGrabDevice.c:69)
> > ==2865==    by 0x400B0A: main (gnome642481.c:56)
> > ==2865==  Address 0x642f614 is 0 bytes after a block of size 20 alloc'd
> > ==2865==    at 0x4A04896: calloc (vg_replace_malloc.c:418)
> > ==2865==    by 0x54425D3: XIGrabDevice (XIGrabDevice.c:65)
> > ==2865==    by 0x400B0A: main (gnome642481.c:56)
> > 
> > SetReqLen() expects 4-byte units.
> > Data() expects bytes.
> > 
> > Gnome Bug 642481 <https://bugzilla.gnome.org/show_bug.cgi?id=642481>
> > Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
> > ---
> > 
> >  src/XIGrabDevice.c |    4 ++--
> >  1 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c
> > index 985d3f1..97ab971 100644
> > --- a/src/XIGrabDevice.c
> > +++ b/src/XIGrabDevice.c
> > @@ -61,8 +61,8 @@ XIGrabDevice(Display* dpy, int deviceid, Window grab_window, Time time,
> >  
> >      /* masks.mask_len is in bytes, but we need 4-byte units on the wire,
> 
> typo here (masks → mask)

Thanks, I've pushed this as a separate patch.

Cheers,
  Peter
> 
> >       * and they need to be padded with 0 */
> > -    len = req->mask_len * 4;
> > -    buff = calloc(1, len);
> > +    len = req->mask_len;
> > +    buff = calloc(1, len * 4);
> >      memcpy(buff, mask->mask, mask->mask_len);
> >  
> >      SetReqLen(req, len, len);
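
Review bot: the return value of `buff = calloc(1, len * 4);` is passed straight to memcpy() on the next line with no NULL check, so an allocation failure turns into a NULL dereference inside the library; suggest checking buff and bailing out before the copy. The memcpy() also copies mask->mask_len bytes into a buffer of req->mask_len * 4 bytes, and the hunk does not show how req->mask_len is derived, so it is worth confirming it is rounded up to cover mask->mask_len rather than truncated. Since len now holds 4-byte units (which matches SetReqLen), the Data() call outside this hunk has to be given the byte count, len * 4, and a name such as len_units or an updated comment would make the unit harder to confuse again.
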
> 
> Reviewed-by: Julien Cristau <jcristau at debian.org>
> 
> Cheers,
> Julien

