[PATCH libXvMC] avoid overflowing by making nameLen and busIDLen addition overflow
Julien Cristau
jcristau at debian.org
Sat Jun 1 02:26:15 PDT 2013
Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end
up copying data from outside tmpBuf.
Reported-by: Al Viro <viro at zeniv.linux.org.uk>
Signed-off-by: Julien Cristau <jcristau at debian.org>
---
src/XvMC.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index 74c8b85..00ac760 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -573,7 +573,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
unsigned long realSize = 0;
char *tmpBuf = NULL;
- if (rep.length < (INT_MAX >> 2)) {
+ if ((rep.length < (INT_MAX >> 2)) &&
+ /* protect against overflow in strncpy below */
+ (rep.nameLen + rep.busIDLen > rep.nameLen)) {
realSize = rep.length << 2;
if (realSize >= (rep.nameLen + rep.busIDLen)) {
tmpBuf = Xmalloc(realSize);
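Review bot: The added wrap test `(rep.nameLen + rep.busIDLen > rep.nameLen)` uses a strict comparison, so a reply with busIDLen equal to 0 fails it even though the sum did not wrap, and the whole branch, including the Xmalloc, is skipped. If a zero-length bus ID is a legitimate reply, use `>=` here. If it is meant to be rejected, say so in the comment, since "protect against overflow" does not cover that case. The test also only detects wraparound when both fields are unsigned and no narrower than int; it would help to state that assumption in the comment, or to compute the sum once into a wider local and reuse it in the `realSize >=` comparison two lines below, so the two checks cannot disagree.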
--
1.7.10.4