integer overflow check
jes at posteo.de
Mon Dec 15 10:28:18 PST 2014
> Again, I've got no better answer than no one noticed during our reviews since
> we were focusing on making sure the malloc calls didn't overflow, not on
> fighting the optimizer deciding to work against us.
What do you mean by 'fighting the optimizer deciding to work against us'?
>
>> diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
>> index 221ec53..63191dc 100644
>> --- a/hw/xfree86/dri2/dri2ext.c
>> +++ b/hw/xfree86/dri2/dri2ext.c
>> @@ -269,10 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
>> int status, width, height, count;
>> unsigned int *attachments;
>>
>> - REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
>> if (stuff->count > (INT_MAX / 4))
>> return BadLength;
>>
>> + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
>> +
>> if (!validDrawable(client, stuff->drawable, DixReadAccess |
>> DixWriteAccess,
>> &pDrawable, &status))
>> return status;
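Review bot: The moved bounds check in ProcDRI2GetBuffers carries no comment saying why it has to sit above REQUEST_FIXED_SIZE, so a later cleanup could put it back below the macro, where it was before this change. A one-line comment above the if (stuff->count > (INT_MAX / 4)) test, stating that it guards the stuff->count * 4 multiplication passed to the macro, would make the ordering requirement explicit. The literal 4 also appears in both the bound and the multiplication and has to be kept in sync by hand; a shared named constant would remove that risk.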
>> @@ -297,6 +298,9 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
>> int status, width, height, count;
>> unsigned int *attachments;
>>
>> + if (stuff->count > (INT_MAX / (2 * 4)))
>> + return BadLength;
>> +
>> REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
>> if (!validDrawable(client, stuff->drawable, DixReadAccess |
>> DixWriteAccess,
>> &pDrawable, &status))
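Review bot: In ProcDRI2GetBuffersWithFormat the new bound INT_MAX / (2 * 4) repeats the (2 * 4) multiplier from the REQUEST_FIXED_SIZE line below it as a bare literal, so the two can drift apart; a shared named constant, or a short comment tying the bound to the multiplication, would prevent that. The context line also passes xDRI2GetBuffersReq to REQUEST_FIXED_SIZE inside the WithFormat handler, which is worth confirming as intended. As a style point, the first hunk leaves a blank line between REQUEST_FIXED_SIZE and the validDrawable call and this one does not.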
>
> Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>