[PATCH:libXdmcp 2/4] Ensure ARRAY* structs are zero'ed out when oversize values are passed

Alan Coopersmith alan.coopersmith at oracle.com
Fri Sep 27 21:48:01 PDT 2013


Previous fix missed a case in which we returned failure, but didn't
fill in the data pointer & size values.

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 Array.c |   44 ++++++++++++++++----------------------------
 1 file changed, 16 insertions(+), 28 deletions(-)

diff --git a/Array.c b/Array.c
index f529781..c1456e1 100644
--- a/Array.c
+++ b/Array.c
@@ -55,80 +55,68 @@ xrealloc(void *ptr, size_t size)
 int
 XdmcpAllocARRAY8 (ARRAY8Ptr array, int length)
 {
-    CARD8Ptr	newData;
-
     /* length defined in ARRAY8 struct is a CARD16 (not CARD8 like the rest) */
     if (length > UINT16_MAX)
-	return FALSE;
+        array->data = NULL;
+    else
+        array->data = xmalloc(length * sizeof (CARD8));
 
-    newData = (CARD8Ptr) xmalloc(length * sizeof (CARD8));
-    if (!newData) {
+    if (array->data == NULL) {
 	array->length = 0;
-	array->data = NULL;
 	return FALSE;
     }
     array->length = (CARD16) length;
-    array->data = newData;
     return TRUE;
 }
 
 int
 XdmcpAllocARRAY16 (ARRAY16Ptr array, int length)
 {
-    CARD16Ptr	newData;
-
     /* length defined in ARRAY16 struct is a CARD8 */
     if (length > UINT8_MAX)
-	return FALSE;
+        array->data = NULL;
+    else
+        array->data = xmalloc(length * sizeof (CARD16));
 
-    newData = (CARD16Ptr) xmalloc(length * sizeof (CARD16));
-    if (!newData) {
+    if (array->data == NULL) {
 	array->length = 0;
-	array->data = NULL;
 	return FALSE;
     }
     array->length = (CARD8) length;
-    array->data = newData;
     return TRUE;
 }
 
 int
 XdmcpAllocARRAY32 (ARRAY32Ptr array, int length)
 {
-    CARD32Ptr	newData;
-
     /* length defined in ARRAY32 struct is a CARD8 */
     if (length > UINT8_MAX)
-	return FALSE;
+        array->data = NULL;
+    else
+        array->data = xmalloc(length * sizeof (CARD32));
 
-    newData = (CARD32Ptr) xmalloc(length * sizeof (CARD32));
-    if (!newData) {
+    if (array->data == NULL) {
 	array->length = 0;
-	array->data = NULL;
 	return FALSE;
     }
     array->length = (CARD8) length;
-    array->data = newData;
     return TRUE;
 }
 
 int
 XdmcpAllocARRAYofARRAY8 (ARRAYofARRAY8Ptr array, int length)
 {
-    ARRAY8Ptr	newData;
-
     /* length defined in ARRAYofARRAY8 struct is a CARD8 */
     if (length > UINT8_MAX)
-	return FALSE;
+        array->data = NULL;
+    else
+        array->data = xmalloc(length * sizeof (ARRAY8));
 
-    newData = (ARRAY8Ptr) xmalloc(length * sizeof (ARRAY8));
-    if (!newData) {
+    if (array->data == NULL) {
 	array->length = 0;
-	array->data = NULL;
 	return FALSE;
     }
     array->length = (CARD8) length;
-    array->data = newData;
     return TRUE;
 }
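Review bot: The range check in XdmcpAllocARRAY8 (`if (length > UINT16_MAX)`) still has no lower bound, so a negative `length` takes the `else` branch and is converted to a very large `size_t` in `length * sizeof (CARD8)`. Whether the struct then ends up with `data == NULL` and `length == 0` depends on xmalloc (defined outside this hunk) failing for that size, and in the wider-element variants the multiplication can wrap to a small value where `size_t` is 32 bits. Rejecting the value explicitly makes the failure path deterministic: `if (length > UINT16_MAX || length < 0)`, and the same with `UINT8_MAX` in XdmcpAllocARRAY16, XdmcpAllocARRAY32 and XdmcpAllocARRAYofARRAY8. If any caller derives `length` from data read off the wire, this belongs in the same series as the oversize fix.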
 
-- 
1.7.9.2


