[PATCH 3/5] Xi: avoid overrun of callback array.
Dave Airlie
airlied at gmail.com
Wed Oct 19 09:01:45 PDT 2011
From: Dave Airlie <airlied at redhat.com>
This code had an off-by-one and would allow writing one past the end of
the callbacks array.
Pointed out by coverity.
Signed-off-by: Dave Airlie <airlied at redhat.com>
---
Xi/extinit.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Xi/extinit.c b/Xi/extinit.c
index 7724f5f..1fbe0a2 100644
--- a/Xi/extinit.c
+++ b/Xi/extinit.c
@@ -409,7 +409,7 @@ static int
ProcIDispatch(ClientPtr client)
{
REQUEST(xReq);
- if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
+ if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
return BadRequest;
return (*ProcIVector[stuff->data])(client);
@@ -428,7 +428,7 @@ static int
SProcIDispatch(ClientPtr client)
{
REQUEST(xReq);
- if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
+ if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
return BadRequest;
return (*SProcIVector[stuff->data])(client);
--
1.7.6.4
More information about the xorg-devel
mailing list