[PATCH libXau] Avoid heap corruption when calling XauFileName from multiple threads.
Erkki Seppala
erkki.seppala at vincit.fi
Mon Mar 28 05:37:33 PDT 2011
On 28.03.2011 14:59, Mark Kettenis wrote:
>> - static int bsize;
>> + static char buf[PATH_MAX] = {0};
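Review bot: the `static char buf[PATH_MAX]` on the + line is still one buffer shared by every thread, so the declaration should carry a comment stating that concurrent calls are only safe while they all write the same bytes, that is, while the environment variables involved do not change. PATH_MAX is also not defined on every platform, so a fallback definition under `#ifndef PATH_MAX` is needed where the header does not provide it.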
>
> Static variables are automatically initialized to 0. Doing so
> explicitly will increase the size of the binary, so it's better not to
> do this.
That's a good point.
>> - strcpy (buf, name);
>> - strcat (buf, slashDotXauthority + (name[1] == '\0' ? 1 : 0));
>
>> + memcpy (buf, name, size);
>> + strcpy (buf + size, slashDotXauthority + ((size<= 1) ? 1 : 0));
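Review bot: the `memcpy`/`strcpy` pair on the + lines needs a comment explaining why it replaces `strcpy`/`strcat`, because the reason (no '\0' is ever written at `buf + size` before the suffix lands there) cannot be read off the code. The quoted lines also do not show the bound on `size`; it has to guarantee `size + sizeof slashDotXauthority <= sizeof buf` before the `memcpy`. The switch from `name[1] == '\0'` to `(size <= 1)` also changes what happens for an empty `name`, where the old test read past the terminator, and that deserves a mention in the commit message.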
>
> This really looks like an obfuscation to me. Since you do check that
> the buffer is large enough beforehand, the original
> strcpy()/strcat() combo should be fine. Or if you're paranoid, you
> could use strncpy()/strncat().
The purpose of this change was actually that if multiple threads call
the same function at the same time, the buffer doesn't at random times
get an embedded '\0', because it only ever gets overwritten with the
exact same values (assuming the environment variables don't vary).
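Added example, not part of the original message or of the libXau patch: a single-threaded C sketch that records the byte at `buf[size]` between the two writes, which is the state a concurrent reader of the shared buffer could observe. The value of `slashDotXauthority`, the `BUF_SIZE` stand-in for `PATH_MAX`, the function names and the sample path are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed value of the suffix the patch appends. */
static const char slashDotXauthority[] = "/.Xauthority";

#define BUF_SIZE 256            /* stand-in for PATH_MAX in this sketch */
static char buf[BUF_SIZE];      /* shared static buffer, as in the patch */

/* Pre-patch order. Returns buf[strlen(name)] as it is between the two
 * calls, or -1 if the result would not fit. */
static int midpoint_strcpy_strcat(const char *name)
{
    size_t size = strlen(name);
    int seen;

    if (size + sizeof slashDotXauthority > sizeof buf)
        return -1;
    strcpy(buf, name);          /* writes '\0' at buf[size] */
    seen = buf[size];           /* the window a concurrent reader can hit */
    strcat(buf, slashDotXauthority + (name[1] == '\0' ? 1 : 0));
    return seen;
}

/* Patched order: memcpy copies exactly size bytes and no terminator. */
static int midpoint_memcpy_strcpy(const char *name)
{
    size_t size = strlen(name);
    int seen;

    if (size + sizeof slashDotXauthority > sizeof buf)
        return -1;
    memcpy(buf, name, size);    /* buf[size] is left untouched */
    seen = buf[size];
    strcpy(buf + size, slashDotXauthority + ((size <= 1) ? 1 : 0));
    return seen;
}

int main(void)
{
    const char *home = "/home/user";   /* constructed sample value */

    midpoint_memcpy_strcpy(home);      /* first call populates buf */
    return !(midpoint_strcpy_strcat(home) == '\0' &&
             midpoint_memcpy_strcpy(home) == '/' &&
             strcmp(buf, "/home/user/.Xauthority") == 0);
}
```

Once the buffer has been populated, the old order briefly truncates the string at `buf[size]`, while the patched order rewrites every byte with the value it already holds. The writes are still unsynchronized, so this shows the intermediate contents only and is not a proof of thread safety.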