[PATCH:xkbcomp 1/2] Make sure to leave room for trailing nil byte in yyGetNumber

Alan Coopersmith alan.coopersmith at oracle.com
Sun Jan 15 08:59:54 PST 2012


...though really, by the time you've added 1023 digits to the number
you want to parse, you've got much bigger problems than an off-by-one
error in your buffer count.

Fixes parfait warnings:
   Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
      Array size is 1024 bytes, nInBuf >= 1 and nInBuf <= 1024
        at line 625 of xkbscan.c in function 'yyGetNumber'.
   Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
      Array size is 1024 bytes, nInBuf <= 1025
        at line 632 of xkbscan.c in function 'yyGetNumber'.

[ This bug was found by the Parfait 0.4.2 bug checking tool.
  For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 xkbscan.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/xkbscan.c b/xkbscan.c
index 814a123..22a034f 100644
--- a/xkbscan.c
+++ b/xkbscan.c
@@ -615,16 +615,16 @@ yyGetNumber(int ch)
     nInBuf = 1;
     while (((ch = scanchar()) != EOF)
            && (isxdigit(ch) || ((nInBuf == 1) && (ch == 'x')))
-           && nInBuf < nMaxBuffSize)
+           && nInBuf < (nMaxBuffSize - 1))
     {
         buf[nInBuf++] = ch;
     }
-    if (ch == '.')
+    if ((ch == '.') && (nInBuf < (nMaxBuffSize - 1)))
     {
         isFloat = 1;
         buf[nInBuf++] = ch;
         while (((ch = scanchar()) != EOF) && (isxdigit(ch))
-               && nInBuf < nMaxBuffSize)
+               && nInBuf < (nMaxBuffSize - 1))
         {
             buf[nInBuf++] = ch;
         }
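Review bot: the bound is tested after scanchar() has already consumed a character, so when nInBuf reaches nMaxBuffSize - 1 in any of the three loops the excess digit is silently discarded (or handed back to the lexer as the start of the next token), and in the '.' branch a full buffer turns a float literal into an integer one with the '.' dropped; the new bounds do leave room for the terminating nil byte, but the truncation is still invisible to the caller. Consider either testing `nInBuf < (nMaxBuffSize - 1)` before calling scanchar() so the character is not consumed, or checking for `nInBuf == nMaxBuffSize - 1` after the loops and reporting a "number too long" error instead of returning a truncated value. A short comment at the `- 1` explaining that the last slot is reserved for the terminator would also help the next reader, since the terminating write itself is outside this hunk.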
-- 
1.7.3.2


