[PATCH xserver/hw/xfree86/parser/scan.c] potential buffer overrun

vdb at picaros.org vdb at picaros.org
Sat Sep 17 09:58:18 PDT 2011 

This patch fixes a potential buffer overrun in xf86addComment().  The 
overrun occurs if the comment string to add doesn't start with a 
leading '#'.  

The bug can be seen from the code assuming 
 curlen > 0 && eol_seen == 0 && iscomment == 0 :

char *
xf86addComment(char *cur, char *add)

<...>

	str = add;
->	iscomment = 0;
	while (*str) {
	    if (*str != ' ' && *str != '\t')
		break;
	    ++str;
	}
->	iscomment = (*str == '#');

        len = strlen(add);
        endnewline = add[len - 1] == '\n';
        len +=  1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
                    ^^^^^^^^^
        if ((str = realloc(cur, len + curlen)) == NULL)
                return cur;

        cur = str;

        if (eol_seen || (curlen && !hasnewline))
                cur[curlen++] = '\n';
->      if (!iscomment)
->              cur[curlen++] = '#';
        strcpy(cur + curlen, add);
        if (!endnewline)
                strcat(cur, "\n");

The patch below is just a bugfix and tries to stay as close as 
possible to the original code.  See also: 
 http://lists.x.org/archives/xorg-devel/2011-August/024775.html .

Signed-off-by: Servaas Vandenberghe <vdb at picaros.org>
diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
index 1cff3bc..b188503 100644
--- a/hw/xfree86/parser/scan.c
+++ b/hw/xfree86/parser/scan.c
@@ -1093,7 +1093,7 @@ char *
 xf86addComment(char *cur, char *add)
 {
 	char *str;
-	int len, curlen, iscomment, hasnewline = 0, endnewline;
+	int len, curlen, iscomment, hasnewline = 0, insnewline, endnewline;
 
 	if (add == NULL || add[0] == '\0')
 		return cur;
@@ -1108,7 +1108,6 @@ xf86addComment(char *cur, char *add)
 		curlen = 0;
 
 	str = add;
-	iscomment = 0;
 	while (*str) {
 	    if (*str != ' ' && *str != '\t')
 		break;
@@ -1118,14 +1117,23 @@ xf86addComment(char *cur, char *add)
 
 	len = strlen(add);
 	endnewline = add[len - 1] == '\n';
-	len +=  1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
 
-	if ((str = realloc(cur, len + curlen)) == NULL)
+	insnewline = eol_seen || (curlen && !hasnewline);
+	if (insnewline)
+		len++;
+	if (!iscomment)
+		len++;
+	if (!endnewline)
+		len++;
+
+	/* Allocate + 1 char for '\0' terminator. */
+	str = realloc(cur, curlen + len + 1);
+	if (!str)
 		return cur;
 
 	cur = str;
 
-	if (eol_seen || (curlen && !hasnewline))
+	if (insnewline)
 		cur[curlen++] = '\n';
 	if (!iscomment)
 		cur[curlen++] = '#';

More information about the xorg-devel mailing list