[PATCH 1/2] xfree86: Fix drivers matching array overflow

[Karol Kosik]

matches and deviceList arrays use NULL entries as stop condition in
loops. That's why at least last element shouldn't be touched.

Signed-off-by: Karol Kosik <kkosik at nvidia.com>
---
 hw/xfree86/common/xf86AutoConfig.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/hw/xfree86/common/xf86AutoConfig.c b/hw/xfree86/common/xf86AutoConfig.c
index af2b7f8..84c9c01 100644
--- a/hw/xfree86/common/xf86AutoConfig.c
+++ b/hw/xfree86/common/xf86AutoConfig.c
@@ -86,6 +86,7 @@
 #define BUILTIN_LAYOUT_SECTION_POST \
 	"EndSection\n\n"
 
+static const int MAX_DRIVERS = 50;
 static const char **builtinConfig = NULL;
 static int builtinLines = 0;
 
@@ -143,13 +144,13 @@ AppendToConfig(const char *s)
 Bool
 xf86AutoConfig(void)
 {
-    char *deviceList[20];
+    char *deviceList[MAX_DRIVERS];
     char **p;
     const char **cp;
     char buf[1024];
     ConfigStatus ret;
 
-    listPossibleVideoDrivers(deviceList, 20);
+    listPossibleVideoDrivers(deviceList, MAX_DRIVERS);
 
     for (p = deviceList; *p; p++) {
         snprintf(buf, sizeof(buf), BUILTIN_DEVICE_SECTION, *p, 0, *p);
@@ -200,7 +201,7 @@ listPossibleVideoDrivers(char *matches[], int nmatches)
     i = 0;
 
 #ifdef XSERVER_PLATFORM_BUS
-    i = xf86PlatformMatchDriver(matches, nmatches);
+    i = xf86PlatformMatchDriver(matches, (nmatches - 1));
 #endif
 #ifdef sun
     /* Check for driver type based on /dev/fb type and if valid, use
@@ -265,11 +266,12 @@ listPossibleVideoDrivers(char *matches[], int nmatches)
 #endif
 #ifdef XSERVER_LIBPCIACCESS
     if (i < (nmatches - 1))
-        i = xf86PciMatchDriver(matches, nmatches);
+        i = xf86PciMatchDriver(matches, (nmatches - 1));
 #endif
 
 #if defined(__linux__)
-    matches[i++] = xnfstrdup("modesetting");
+    if (i < (nmatches - 1))
+        matches[i++] = xnfstrdup("modesetting");
 #endif
 
 #if !defined(sun)
@@ -334,7 +336,7 @@ GDevPtr
 autoConfigDevice(GDevPtr preconf_device)
 {
     GDevPtr ptr = NULL;
-    char *matches[20];          /* If we have more than 20 drivers we're in trouble */
+    char *matches[MAX_DRIVERS];          /* If we have more than MAX_DRIVERS-1 drivers we're in trouble */
     int num_matches = 0, num_screens = 0, i;
     screenLayoutPtr slp;
 
@@ -362,7 +364,7 @@ autoConfigDevice(GDevPtr preconf_device)
     }
     if (!ptr->driver) {
         /* get all possible video drivers and count them */
-        listPossibleVideoDrivers(matches, 20);
+        listPossibleVideoDrivers(matches, MAX_DRIVERS);
         for (; matches[num_matches]; num_matches++) {
             xf86Msg(X_DEFAULT, "Matched %s as autoconfigured driver %d\n",
                     matches[num_matches], num_matches);
-- 
2.4.6