[PATCH libXvMC] avoid overflowing by making nameLen and busIDLen addition overflow

Alan Coopersmith alan.coopersmith at oracle.com
Sat Jun 1 09:36:53 PDT 2013


On 06/ 1/13 02:26 AM, Julien Cristau wrote:
> Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end
> up copying data from outside tmpBuf.
>
> Reported-by: Al Viro <viro at zeniv.linux.org.uk>
> Signed-off-by: Julien Cristau <jcristau at debian.org>
> ---
>   src/XvMC.c |    4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/XvMC.c b/src/XvMC.c
> index 74c8b85..00ac760 100644
> --- a/src/XvMC.c
> +++ b/src/XvMC.c
> @@ -573,7 +573,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
>   	unsigned long realSize = 0;
>   	char *tmpBuf = NULL;
>
> -	if (rep.length < (INT_MAX >> 2)) {
> +	if ((rep.length < (INT_MAX >> 2)) &&
> +	    /* protect against overflow in strncpy below */
> +	    (rep.nameLen + rep.busIDLen > rep.nameLen)) {
>   	    realSize = rep.length << 2;
>   	    if (realSize >= (rep.nameLen + rep.busIDLen)) {
>   		tmpBuf = Xmalloc(realSize);
>
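Review bot: the new overflow guard in the `if` condition uses `>` rather than `>=`, so `rep.nameLen + rep.busIDLen > rep.nameLen` is also false when `rep.busIDLen` is 0, which is not an overflow but still makes the function skip the allocation for an otherwise valid reply. If the two length fields are unsigned, `rep.nameLen + rep.busIDLen >= rep.nameLen` catches the wraparound just as well while keeping the zero-length case; alternatively, fold the check into the size comparison that already follows, e.g. `if (rep.nameLen <= realSize && rep.busIDLen <= realSize - rep.nameLen)`, which avoids computing the sum at all. The comment on the added line could also be more precise: the wraparound happens in the addition used to size the buffer, and the resulting out-of-bounds read is in the copies that follow.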

Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>

-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc