[PATCH] Xext/xres.c: Possible buffer underrun

Rami Ylimäki rami.ylimaki at vincit.fi
Mon Jul 23 07:37:27 PDT 2012


On 07/23/2012 03:05 PM, Colin Harrison wrote:
> Hi,
>
> I got a crash at free(counts) in ProcXResQueryClientResources() in
> Xext/xres.c when using client xrestop.
>
> Traced to an out-by-one error in ResFindAllRes() (please check code and
> confirm?).
>
> Fixed, for me (MinGW compilation for Windows), with the patch...
>
> --- ./Xext/save_xres.c  2012-07-10 11:16:44.191904782 +0100
> +++ ./Xext/xres.c       2012-07-16 16:19:50.078292944 +0100
> @@ -274,7 +274,7 @@
>   {
>       int *counts = (int *) cdata;
>
> -    counts[(type & TypeMask) - 1]++;
> +    counts[(type & TypeMask)]++;

This would probably send wrong resource counts back to clients. It's 
better to just skip any resources with RT_NONE as the resource type.

It'd be also nice to know whether it's acceptable to have RT_NONE 
resources in the resource database. StoreFontClientFont seems to add 
such resources, but I'm not too familiar with that code.

>   }
>
>   static int
>
> Thanks,
> Colin Harrison
>

Regards,
     Rami Ylimäki



More information about the xorg-devel mailing list