[PATCH libXi] Allocate enough memory for raw events + extra data.

Jeremy Huddleston jeremyhu at apple.com
Mon May 2 21:05:53 PDT 2011


Oh yeah, and:

Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>

On May 2, 2011, at 8:50 PM, Peter Hutterer wrote:

> Necessary space was calculated, but not actually used to allocate memory. As
> a result, valuator data would overwrite the allocated memory.
> 
> ==4166== Invalid write of size 1
> ==4166==    at 0x4C29F04: memcpy (mc_replace_strmem.c:497)
> ==4166==    by 0x8F39180: ??? (in /usr/lib/libXi.so.6.1.0)
> ==4166==    by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0)
> ==4166==    by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0)
> ==4166==    by 0x49C3E3: process_key (x11_be.c:1065)
> ==4166==    by 0x49EA5C: event_key_release (x11_be.c:2201)
> ==4166==    by 0x49DD6E: x11_be_process_events (x11_be.c:1892)
> ==4166==    by 0x4A38F4: x11_be_main_loop (x11_be.c:4353)
> ==4166==    by 0x4A39E1: x11_be_thread_main (x11_be.c:4385)
> ==4166==    by 0x87549C9: start_thread (pthread_create.c:300)
> ==4166==    by 0x8A516FC: clone (clone.S:112)
> ==4166==  Address 0x168afe80 is 0 bytes after a block of size 96 alloc'd
> ==4166==    at 0x4C284A8: malloc (vg_replace_malloc.c:236)
> ==4166==    by 0x8F390BD: ??? (in /usr/lib/libXi.so.6.1.0)
> ==4166==    by 0x7433D48: _XCopyEventCookie (in /usr/lib/libX11.so.6.3.0)
> ==4166==    by 0x7425166: XPeekEvent (in /usr/lib/libX11.so.6.3.0)
> ==4166==    by 0x49C3E3: process_key (x11_be.c:1065)
> ==4166==    by 0x49EA5C: event_key_release (x11_be.c:2201)
> ==4166==    by 0x49DD6E: x11_be_process_events (x11_be.c:1892)
> ==4166==    by 0x4A38F4: x11_be_main_loop (x11_be.c:4353)
> ==4166==    by 0x4A39E1: x11_be_thread_main (x11_be.c:4385)
> ==4166==    by 0x87549C9: start_thread (pthread_create.c:300)
> 
> Reported-by: Roger Cruz <roger.cruz at virtualcomputer.com>
> Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
> ---
> Sorry, was away for a number of days and only got to this now. You're right,
> it's a bug, copy/paste I guess.
> 
> src/XExtInt.c |    2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/XExtInt.c b/src/XExtInt.c
> index d1451cc..134ccc6 100644
> --- a/src/XExtInt.c
> +++ b/src/XExtInt.c
> @@ -1259,7 +1259,7 @@ copyRawEvent(XGenericEventCookie *cookie_in,
>     len = sizeof(XIRawEvent) + in->valuators.mask_len;
>     len += bits * sizeof(double) * 2;
> 
> -    ptr = cookie_out->data = malloc(sizeof(XIRawEvent));
> +    ptr = cookie_out->data = malloc(len);
>     if (!ptr)
>         return False;
> 
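Review bot: The one-line fix is right, and the trace confirms why: `len` at the top of the hunk already adds `in->valuators.mask_len` and `bits * sizeof(double) * 2` to `sizeof(XIRawEvent)`, but `malloc(sizeof(XIRawEvent))` only ever covered the fixed struct, so the later copies of the mask and the two valuator arrays wrote past a 96-byte block, exactly the "0 bytes after a block of size 96" valgrind reports. Since the cover note attributes this to copy/paste, it is worth grepping the other copy helpers in src/XExtInt.c for the same shape (a computed `len` followed by a `malloc(sizeof(...))` of a fixed struct) before this goes in; a follow-up that asserts `ptr + copied bytes <= cookie_out->data + len` after the last memcpy would have caught this without valgrind.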
> -- 
> 1.7.4.4
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
> 

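The allocation mistake described in the commit message (a size computed as struct + trailing variable data, then a malloc of only the struct) is worth seeing in isolation. The following is an added example, not libXi's code: it uses a hypothetical `raw_event_t` that mirrors the shape of the real event (a byte mask plus two double arrays hung off pointers that must live inside the same allocation), computes the required length the way the patched `copyRawEvent` does, reports how far the old fixed-size malloc fell short, and verifies after the copy that every pointer lands inside the block. Struct fields, function names and the sample event are all constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mirror of the libXi pattern (not libXi's own types): a fixed
 * struct followed by variable-length data that must sit in the same block so
 * that one free() releases the whole cookie. */
typedef struct {
    int            mask_len;   /* bytes in mask */
    unsigned char *mask;       /* points into the trailing area of the copy */
} valuator_mask_t;

typedef struct {
    int             deviceid;
    valuator_mask_t valuators;
    double         *raw_values; /* one per set bit in the mask */
    double         *values;     /* one per set bit in the mask */
} raw_event_t;

/* Number of set bits in a mask of mask_len bytes (valuators present). */
static int count_bits(const unsigned char *mask, int mask_len)
{
    int bits = 0;
    for (int i = 0; i < mask_len; i++)
        for (unsigned char b = mask[i]; b; b >>= 1)
            bits += b & 1;
    return bits;
}

/* The length the commit message says was computed but never passed to
 * malloc: struct + two double arrays + mask bytes. Doubles go first so
 * they keep their natural alignment; the mask is byte-aligned anyway. */
static size_t raw_event_required_len(int mask_len, int bits)
{
    return sizeof(raw_event_t)
         + (size_t)bits * sizeof(double) * 2
         + (size_t)mask_len;
}

/* Bytes by which malloc(sizeof(raw_event_t)) is too small, i.e. the size
 * of the out-of-bounds write the old code performed. */
static size_t raw_event_shortfall(int mask_len, int bits)
{
    return raw_event_required_len(mask_len, bits) - sizeof(raw_event_t);
}

/* Deep copy into a single block of exactly required_len bytes.
 * Returns NULL on an implausible mask_len or on allocation failure. */
static raw_event_t *copy_raw_event(const raw_event_t *in)
{
    if (in->valuators.mask_len <= 0 || in->valuators.mask_len > 1024)
        return NULL;
    int bits = count_bits(in->valuators.mask, in->valuators.mask_len);
    size_t len = raw_event_required_len(in->valuators.mask_len, bits);
    unsigned char *ptr = malloc(len);          /* the fix: len, not sizeof */
    if (!ptr)
        return NULL;
    raw_event_t *out = (raw_event_t *)ptr;
    *out = *in;                                /* fixed part */
    ptr += sizeof(raw_event_t);
    out->raw_values = (double *)ptr;
    memcpy(out->raw_values, in->raw_values, (size_t)bits * sizeof(double));
    ptr += (size_t)bits * sizeof(double);
    out->values = (double *)ptr;
    memcpy(out->values, in->values, (size_t)bits * sizeof(double));
    ptr += (size_t)bits * sizeof(double);
    out->valuators.mask = ptr;
    memcpy(out->valuators.mask, in->valuators.mask, (size_t)in->valuators.mask_len);
    return out;
}

/* Post-copy check: every trailing array must end inside [out, out+len). */
static int copy_is_within(const raw_event_t *out, size_t len)
{
    const unsigned char *base = (const unsigned char *)out;
    const unsigned char *end  = base + len;
    int bits = count_bits(out->valuators.mask, out->valuators.mask_len);
    const unsigned char *rv_end = (const unsigned char *)(out->raw_values + bits);
    const unsigned char *v_end  = (const unsigned char *)(out->values + bits);
    const unsigned char *m_end  = out->valuators.mask + out->valuators.mask_len;
    return (const unsigned char *)out->raw_values >= base && rv_end <= end
        && (const unsigned char *)out->values     >= base && v_end  <= end
        && out->valuators.mask                    >= base && m_end  <= end;
}

/* Constructed sample: one mask byte 0x05 selects valuators 0 and 2. */
static unsigned char sample_mask[1] = { 0x05 };
static double sample_raw[2] = { 1.5, -2.0 };
static double sample_val[2] = { 3.25, 4.0 };
static const raw_event_t sample_event = { 7, { 1, sample_mask }, sample_raw, sample_val };

/* Copies the sample, verifies contents and containment; 1 on success. */
static int demo_copy_ok(void)
{
    raw_event_t *out = copy_raw_event(&sample_event);
    if (!out)
        return 0;
    int bits = count_bits(out->valuators.mask, out->valuators.mask_len);
    size_t len = raw_event_required_len(out->valuators.mask_len, bits);
    int ok = copy_is_within(out, len)
          && out->deviceid == 7
          && out->raw_values[1] == -2.0
          && out->values[0] == 3.25
          && out->valuators.mask[0] == 0x05
          && out->valuators.mask != sample_mask;   /* really copied, not aliased */
    free(out);
    return ok;
}
```

With the sample event (one mask byte, two valuators), `raw_event_shortfall` is 1 + 2 * 2 * sizeof(double) = 33 bytes: that is how far the three memcpy calls would have run past a block sized only for the struct, which is the write valgrind flagged in the report above.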