[PATCH libXau] Avoid heap corruption when calling XauFileName from multiple threads.

Erkki Seppala erkki.seppala at vincit.fi
Mon Mar 28 05:37:33 PDT 2011


On 28.03.2011 14:59, Mark Kettenis wrote:
>> -    static int	bsize;
>> +    static char	buf[PATH_MAX] = {0};
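
Review bot: buf on the + line is still one static array shared by every caller, so the returned pointer refers to storage that other threads keep writing to. A comment on the declaration should state the assumption that makes this acceptable (every caller writes the same bytes), or the storage should be per caller. The = {0} initializer adds nothing for a static object and can be dropped.
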
>
> Static variables are automatically initialized to 0.  Doing so
> explicitly will increase the size of the binary, so it's better not to
> do this.

That's a good point.

>> -    strcpy (buf, name);
>> -    strcat (buf, slashDotXauthority + (name[1] == '\0' ? 1 : 0));
>
>> +    memcpy (buf, name, size);
>> +    strcpy (buf + size, slashDotXauthority + ((size<= 1) ? 1 : 0));
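
Review bot: the memcpy()/strcpy() pair on the + lines has no comment saying why it replaces strcpy()/strcat(), and size is neither defined nor checked against the buffer length in the visible lines. Add a comment stating the intent (buf must never hold an intermediate terminator while being rebuilt) and keep the length check next to the copy: size plus the suffix length plus one must not exceed PATH_MAX.
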
>
> This really looks like an obfuscation to me.  Since you do check that
> the buffer is large enough beforehand, the original
> strcpy()/strcat() combo should be fine.  Or if you're paranoid, you
> could use strncpy()/strncat().

The purpose of this change was actually that if multiple threads call
the same function at the same time, the buffer doesn't at random times
get an embedded '\0', because it only ever gets overwritten with the
exact same values (assuming the environment variables don't vary).
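
The copy order discussed in this message, as an added example that is not code from the patch or from libXau: the path is built with one terminator written last, into caller-owned storage so no two threads share a buffer. The function name build_xauth_path, its signature and the sample home directories are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libXau's API: builds "<home>/.Xauthority" in a
 * caller-owned buffer so concurrent callers never share storage. */
static const char slash_dot_xauthority[] = "/.Xauthority";

/* Returns the length written (excluding the NUL), or -1 if it does not fit. */
int build_xauth_path(const char *home, char *out, size_t out_len)
{
    size_t size = strlen(home);
    /* Skip the leading '/' when home is "/" or empty, matching the
     * (size <= 1) test in the patch under discussion. */
    const char *suffix = slash_dot_xauthority + (size <= 1 ? 1 : 0);
    size_t suffix_len = strlen(suffix);

    /* Check the length first, so nothing is written on failure. */
    if (out_len == 0 || size > out_len - 1 || suffix_len > out_len - 1 - size)
        return -1;

    memcpy(out, home, size);                    /* no terminator written here */
    memcpy(out + size, suffix, suffix_len + 1); /* single NUL, at the very end */
    return (int)(size + suffix_len);
}

int main(void)
{
    char buf[64];
    const char *homes[] = { "/home/alice", "/", "" };  /* constructed inputs */

    for (size_t i = 0; i < sizeof homes / sizeof homes[0]; i++)
        if (build_xauth_path(homes[i], buf, sizeof buf) >= 0)
            printf("\"%s\" -> %s\n", homes[i], buf);
    return 0;
}
```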

