[PATCH:xkbcomp 1/2] Make sure to leave room for trailing nil byte in yyGetNumber
Alan Coopersmith
alan.coopersmith at oracle.com
Sun Jan 15 08:59:54 PST 2012
...though really, by the time you've added 1023 digits to the number
you want to parse, you've got much bigger problems than an off-by-one
error in your buffer count.
Fixes parfait warnings:
Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
Array size is 1024 bytes, nInBuf >= 1 and nInBuf <= 1024
at line 625 of xkbscan.c in function 'yyGetNumber'.
Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
Array size is 1024 bytes, nInBuf <= 1025
at line 632 of xkbscan.c in function 'yyGetNumber'.
[ This bug was found by the Parfait 0.4.2 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
xkbscan.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/xkbscan.c b/xkbscan.c
index 814a123..22a034f 100644
--- a/xkbscan.c
+++ b/xkbscan.c
@@ -615,16 +615,16 @@ yyGetNumber(int ch)
nInBuf = 1;
while (((ch = scanchar()) != EOF)
&& (isxdigit(ch) || ((nInBuf == 1) && (ch == 'x')))
- && nInBuf < nMaxBuffSize)
+ && nInBuf < (nMaxBuffSize - 1))
{
buf[nInBuf++] = ch;
}
- if (ch == '.')
+ if ((ch == '.') && (nInBuf < (nMaxBuffSize - 1)))
{
isFloat = 1;
buf[nInBuf++] = ch;
while (((ch = scanchar()) != EOF) && (isxdigit(ch))
- && nInBuf < nMaxBuffSize)
+ && nInBuf < (nMaxBuffSize - 1))
{
buf[nInBuf++] = ch;
}
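Review bot: In both while conditions the capacity test nInBuf < (nMaxBuffSize - 1) is evaluated after (ch = scanchar()) != EOF, so when the buffer is full a character has already been consumed, and the loop exits with ch holding a hex digit that is never stored. The new guard on if ((ch == '.') && ...) has a similar effect: with a full buffer the '.' is skipped and isFloat is not set, so an overlong literal is silently truncated to whatever prefix fit instead of being rejected. The bounds themselves hold: with all three checks at nMaxBuffSize - 1, nInBuf cannot exceed nMaxBuffSize - 1 when these lines finish, which leaves one slot for the terminator. Consider detecting the full-buffer case explicitly and reporting an error for it, and adding a short comment that the "- 1" reserves the terminator byte, since the terminating write is outside this hunk.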
--
1.7.3.2