[PATCH 3/5] Xi: avoid overrun of callback array.

Dave Airlie airlied at gmail.com
Wed Oct 19 09:01:45 PDT 2011


From: Dave Airlie <airlied at redhat.com>

This code had an off-by-one and would allow writing one past the end of
the callbacks array.

Pointed out by coverity.

Signed-off-by: Dave Airlie <airlied at redhat.com>
---
 Xi/extinit.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Xi/extinit.c b/Xi/extinit.c
index 7724f5f..1fbe0a2 100644
--- a/Xi/extinit.c
+++ b/Xi/extinit.c
@@ -409,7 +409,7 @@ static int
 ProcIDispatch(ClientPtr client)
 {
     REQUEST(xReq);
-    if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
+    if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
         return BadRequest;
 
     return (*ProcIVector[stuff->data])(client);
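Review bot: The commit message says the old check allowed "writing" one past the end, but in ProcIDispatch the out-of-range index is only used to read ProcIVector[stuff->data] and then call through the result. Consider rewording the message to say that an index equal to ARRAY_SIZE(ProcIVector) read one slot past the table and, if that slot was non-NULL, was called as a function pointer. The >= comparison looks correct; it has to stay on the left of the || so the NULL test never indexes the table with an unchecked value.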
@@ -428,7 +428,7 @@ static int
 SProcIDispatch(ClientPtr client)
 {
     REQUEST(xReq);
-    if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
+    if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
         return BadRequest;
 
     return (*SProcIVector[stuff->data])(client);
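Review bot: SProcIDispatch repeats the same bounds-and-NULL test as ProcIDispatch, only against SProcIVector, and both copies had the same off-by-one. A small shared helper or macro that takes the table and stuff->data would keep the two checks from drifting apart again. If the two tables are meant to cover the same set of minor opcodes, a build-time assertion that ARRAY_SIZE(ProcIVector) equals ARRAY_SIZE(SProcIVector) would also catch one table growing without the other.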
-- 
1.7.6.4


