[PATCH:libXxf86vm] Discard correct length for old-format replies in XF86VidModeGetGamma
Alan Coopersmith
alan.coopersmith at oracle.com
Mon Jan 5 23:42:34 PST 2015
Regression introduced in libXxf86vm 1.1.3 / commit 284a88e21fc05a63466
Unlikely to be hit in practice since it requires out-of-range privsize
or malloc failure while talking to a server using the XFree86 3.x version
of the protocol.
Found by Oracle Parfait 1.5.1:
Error: Uninitialised memory (CWE 456)
Possible access to uninitialised memory '&rep.length'
at line 279 of open-src/lib/libXxf86vm/unpacked-src/src/XF86VMode.c in function 'XF86VidModeGetModeLine'.
&rep.length allocated at line 218.
&rep.length uninitialised when majorVersion < 2 at line 233.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
src/XF86VMode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index c7169c7..7762c2b 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -265,7 +265,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
else
modeline->private = NULL;
if (modeline->private == NULL) {
- _XEatDataWords(dpy, rep.length -
+ CARD32 len = (majorVersion < 2) ? oldrep.length : rep.length;
+ _XEatDataWords(dpy, len -
((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
result = False;
} else
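Review bot: the subtrahend in the `_XEatDataWords` call still uses `SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)` in both branches, although for `majorVersion < 2` the length now comes from `oldrep`, which is a different reply structure; if the old-format reply has a different fixed size, the number of words discarded in that branch will be off by the difference. Consider picking the header size alongside `len` in the same ternary, e.g. `CARD32 hdr = (majorVersion < 2) ? SIZEOF(<old reply>) : SIZEOF(xXF86VidModeGetModeLineReply);` and then `_XEatDataWords(dpy, len - ((hdr - SIZEOF(xReply)) >> 2));`. Also note that `len` is an unsigned `CARD32` taken from the server, so if a misbehaving server reports a `length` smaller than the reply header the subtraction wraps to a very large count; a `len < hdrwords` guard before the call would avoid handing that to `_XEatDataWords`. Finally, the subject line names XF86VidModeGetGamma while the hunk and the Parfait report are in XF86VidModeGetModeLine; worth reconciling before the commit lands.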
--
1.7.9.2