[PATCH] vbe: Fix malloc size bug

Alan Coopersmith alan.coopersmith at oracle.com
Thu Feb 24 13:26:09 PST 2011


On 02/24/11 01:11 PM, Adam Jackson wrote:
> ==14882== Invalid write of size 2
> ==14882==    at 0x6750267: VBEGetVBEInfo (vbe.c:400)
> ==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
> ==14882==    by 0x471895: InitOutput (xf86Init.c:519)
> ==14882==    by 0x422778: main (main.c:205)
> ==14882==  Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
> ==14882==    at 0x4A0640D: malloc (vg_replace_malloc.c:236)
> ==14882==    by 0x675024B: VBEGetVBEInfo (vbe.c:398)
> ==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
> ==14882==    by 0x471895: InitOutput (xf86Init.c:519)
> ==14882==    by 0x422778: main (main.c:205)
> 
> Signed-off-by: Adam Jackson <ajax at redhat.com>
> ---
>  hw/xfree86/vbe/vbe.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
> index bcda5ec..56e3ec4 100644
> --- a/hw/xfree86/vbe/vbe.c
> +++ b/hw/xfree86/vbe/vbe.c
> @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
>      i = 0;
>      while (modes[i] != 0xffff)
>  	i++;
> -    block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
> +    block->VideoModePtr = malloc(sizeof(CARD16) * i + 2);
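Review bot: the replacement line `block->VideoModePtr = malloc(sizeof(CARD16) * i + 2);` still depends on `*` binding tighter than `+`, so it allocates 2*i + 2 bytes, which is the right size for i modes plus the 0xffff terminator but hides that intent; `malloc(sizeof(CARD16) * (i + 1))` states the same size explicitly and stays correct if the element type ever changes. The valgrind numbers above agree with this reading: the old `sizeof(CARD16) * i + 1` yields a 73-byte block for i = 36, and the 2-byte terminator write at offset 72 needs bytes 72 and 73, exactly the one-byte shortfall the patch closes.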

Was the original intent malloc(sizeof(CARD16) * (i + 1)) ?
That might be a bit clearer than letting the reader wonder "why 2?"

-- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System


