[PATCH:libXv 2/2] Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory.

Alan Coopersmith alan.coopersmith at oracle.com
Sat Jun 1 20:03:53 PDT 2013


From: Daphne Pfister <daphnediane at mac.com>

This patch attempts to fix this bug by ensuring that there is at least one
nil byte at the end of all the name strings. This should prevent reading
past the end of the allocation as well as exposing uninitialized memory.

Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 src/Xv.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/Xv.c b/src/Xv.c
index 15c0bfd..8c45401 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
       unsigned long size;
       /* limit each part to no more than one half the max size */
       if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
-	  (rep.text_size < (INT_MAX / 2))) {
-	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+	  (rep.text_size < (INT_MAX / 2)-1)) {
+	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
 	  ret = Xmalloc(size);
       }
 
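Review bot: the bound check and the allocation are adjusted together, which is the right way to keep the later `*marker = '\0'` in bounds, but the arithmetic should be spelled out for the reader: lowering the text_size limit by one is what keeps `rep.text_size + 1` from wrapping past `INT_MAX / 2`, and the existing comment "limit each part to no more than one half the max size" no longer says why the limit is now `(INT_MAX / 2)-1`. Suggest extending that comment to mention the reserved terminator byte, and writing the new bound as `(INT_MAX / 2) - 1` to match the spacing used on the surrounding lines. Note that the `else` branch outside this hunk, where the sizes exceed the limit, leaves `ret` unset on this path, so callers still depend on the later `if (ret)` style handling that the second hunk's `} else _XEatDataWords(...)` shows.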
@@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	      }
 	      (*num)++;
 	  }
+
+	  /* ensure final string is nil-terminated to avoid exposure of
+             uninitialized memory */
+	  *marker = '\0';
       } else
 	  _XEatDataWords(dpy, rep.length);
   }
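Review bot: the unconditional `*marker = '\0';` after the attribute loop is only safe because the first hunk grew the allocation by one byte; the two changes must not be split into separate commits, and a short note in the code comment saying "the allocation above reserves this byte" would make that dependency visible to whoever next touches the size computation. It also only guarantees a terminator after the last name; earlier names that the server sent without a NUL now run into the following name rather than into uninitialized heap, which matches the commit message's "at least one nil byte at the end of all the name strings" but is worth stating explicitly in the comment. Style point: the second line of the added comment is indented with spaces while the first uses a tab, so it will not line up in editors that render tabs at a different width.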
-- 
1.7.9.2