[PATCH xts 1/2] libproto: Fix buffer read overrun
Ian Romanick
idr at freedesktop.org
Wed Jan 21 12:21:29 PST 2015
On 01/20/2015 05:57 PM, Peter Harris wrote:
> Found by -fsanitize=address
>
> Signed-off-by: Peter Harris <pharris at opentext.com>
> ---
> xts5/src/libproto/ShowSup.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/xts5/src/libproto/ShowSup.c b/xts5/src/libproto/ShowSup.c
> index a05ff7d..b8ba796 100644
> --- a/xts5/src/libproto/ShowSup.c
> +++ b/xts5/src/libproto/ShowSup.c
> @@ -581,7 +581,7 @@ int format;
> int i;
>
> if (nval > 0) {
> - valuePtr = (CARD32 *) ((CARD32 *) rp + size);
> + valuePtr = (CARD32 *) ((CARD8 *) rp + size);

The original code seems so bogus that the error must be trivially
observable. How did this remain undetected for so long? It was in the
initial import in February 2005... 10 years ago!

As a side note... I'm impressed that ajax hasn't killed every bit of
pre-C89 code from git.freedesktop.org. :)

> for (i = 0; i < nval; i++) {
> Log_Some("\tfontprop %d, name = 0x%lx, value = 0x%lx\n", i, *valuePtr, *(valuePtr+1));
> valuePtr += 2;
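Review bot: In the `for` loop that follows the corrected assignment, nothing visible in this hunk checks `nval` against the length of the reply, so even with the byte-offset fix the loop reads `2 * nval` CARD32 values starting at `rp + size` and can still run past the end of the buffer when `nval` is larger than the data actually received. Consider validating `size + nval * 8` against the reply length before entering the loop. Separately, `*valuePtr` is a CARD32 but is printed with `%lx`; casting the arguments to `unsigned long` at the `Log_Some` call would keep format and argument in agreement where CARD32 is not `long`.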
> @@ -598,7 +598,7 @@ int format;
> int i;
>
> if (nval > 0) {
> - valuePtr = (CARD16 *) ((CARD16 *) rp + size);
> + valuePtr = (CARD16 *) ((CARD8 *) rp + size);
> for (i = 0; i < nval; i++) {
> Log_Some("\tcharinfo %d, left-side-bearing = %d, right-side-bearing = %d, character-width = %d, ascent = %d, descent = %d, attributes = 0x%x\n", i, *valuePtr, *(valuePtr+1), *(valuePtr+2), *(valuePtr+3), *(valuePtr+4), *(valuePtr+5));
> valuePtr += 6;
>
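Review bot: The charinfo fields are read through a `CARD16 *` and printed with `%d`, so a negative left-side-bearing or descent is logged as a large positive number; reading the first five fields through a signed 16-bit type (INT16) would log them correctly. It would also help to say in the commit message or in a comment that `size` is a byte count, since both `(CARD8 *) rp + size` changes rely on that and the message currently gives only "Found by -fsanitize=address".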