[PATCH 3/5] Xi: avoid overrun of callback array.
Jamey Sharp
jamey at minilop.net
Thu Oct 20 07:43:56 PDT 2011
On Wed, Oct 19, 2011 at 05:01:45PM +0100, Dave Airlie wrote:
> From: Dave Airlie <airlied at redhat.com>
>
> This code had an off-by-one and would allow writing one past the end of
> the callbacks array.
I think you mean "reading" one past the end? I don't see any bad pointer
writes here, though I'm only looking at the patch context.
Jamey
> Pointed out by coverity.
>
> Signed-off-by: Dave Airlie <airlied at redhat.com>
> ---
> Xi/extinit.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/Xi/extinit.c b/Xi/extinit.c
> index 7724f5f..1fbe0a2 100644
> --- a/Xi/extinit.c
> +++ b/Xi/extinit.c
> @@ -409,7 +409,7 @@ static int
> ProcIDispatch(ClientPtr client)
> {
> REQUEST(xReq);
> - if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
> + if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
> return BadRequest;
>
> return (*ProcIVector[stuff->data])(client);
> @@ -428,7 +428,7 @@ static int
> SProcIDispatch(ClientPtr client)
> {
> REQUEST(xReq);
> - if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
> + if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
> return BadRequest;
>
> return (*SProcIVector[stuff->data])(client);
> --
> 1.7.6.4
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.x.org/archives/xorg-devel/attachments/20111020/3d025cf8/attachment.pgp>
More information about the xorg-devel
mailing list