[PATCH] vbe: Fix malloc size bug
Adam Jackson
ajax at redhat.com
Fri Feb 25 10:08:59 PST 2011
v2: Slightly more obvious sizing math.
==14882== Invalid write of size 2
==14882== at 0x6750267: VBEGetVBEInfo (vbe.c:400)
==14882== by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
==14882== by 0x471895: InitOutput (xf86Init.c:519)
==14882== by 0x422778: main (main.c:205)
==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
==14882== at 0x4A0640D: malloc (vg_replace_malloc.c:236)
==14882== by 0x675024B: VBEGetVBEInfo (vbe.c:398)
==14882== by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
==14882== by 0x471895: InitOutput (xf86Init.c:519)
==14882== by 0x422778: main (main.c:205)
Signed-off-by: Adam Jackson <ajax at redhat.com>
---
hw/xfree86/vbe/vbe.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
index bcda5ec..04132d9 100644
--- a/hw/xfree86/vbe/vbe.c
+++ b/hw/xfree86/vbe/vbe.c
@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
i = 0;
while (modes[i] != 0xffff)
i++;
- block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
+ block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));
memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);
block->VideoModePtr[i] = 0xffff;
--
1.7.3.5
More information about the xorg-devel
mailing list