[PATCH 3/5] Xi: avoid overrun of callback array.

walter harms wharms at bfs.de
Fri Oct 21 06:02:52 PDT 2011



Am 20.10.2011 16:43, schrieb Jamey Sharp:
> On Wed, Oct 19, 2011 at 05:01:45PM +0100, Dave Airlie wrote:
>> From: Dave Airlie <airlied at redhat.com>
>>
>> This code had an off-by-one and would allow writing one past the end of
>> the callbacks array.
> 
> I think you mean "reading" one past the end? I don't see any bad pointer
> writes here, though I'm only looking at the patch context.
> 

Hi Jamey,
you are right a "write" is not visible in the patch. NTL any "access"
beyond  index >= ARRAY_SIZE(SProcIVector) is wrong. So the patch
is ok.

More interessing is: why do i see the same code two times ?
(1. ProcIVector, 1. SProcIVector; can this be merged in future ?)

re,
 wh

Reviewed-by: Walter Harms <wharms at bfs.de>

> 
>> Pointed out by coverity.
>>
>> Signed-off-by: Dave Airlie <airlied at redhat.com>
>> ---
>>  Xi/extinit.c |    4 ++--
>>  1 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/Xi/extinit.c b/Xi/extinit.c
>> index 7724f5f..1fbe0a2 100644
>> --- a/Xi/extinit.c
>> +++ b/Xi/extinit.c
>> @@ -409,7 +409,7 @@ static int
>>  ProcIDispatch(ClientPtr client)
>>  {
>>      REQUEST(xReq);
>> -    if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
>> +    if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
>>          return BadRequest;
>>  
>>      return (*ProcIVector[stuff->data])(client);
>> @@ -428,7 +428,7 @@ static int
>>  SProcIDispatch(ClientPtr client)
>>  {
>>      REQUEST(xReq);
>> -    if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
>> +    if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
>>          return BadRequest;
>>  
>>      return (*SProcIVector[stuff->data])(client);
>> -- 
>> 1.7.6.4
>>


More information about the xorg-devel mailing list