[PATCH xserver 1/4] modesetting: Fix potential buffer overflow
Daniel Martin
consume.noise at gmail.com
Fri Oct 27 14:11:53 UTC 2017
If one misconfigures a ZaphodHeads value (more than 20 characters
without a delimiter), we get an overflow of our buffer.
Use xstrtokenize() instead of writing/fixing our own tokenizer.
Signed-off-by: Daniel Martin <consume.noise at gmail.com>
---
hw/xfree86/drivers/modesetting/drmmode_display.c | 38 ++++++++----------------
1 file changed, 13 insertions(+), 25 deletions(-)
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 5bfae0b03..e14833dee 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
static Bool
drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
{
- int i = 0;
- char s1[20];
+ char **token = xstrtokenize(s, ", \t\n\r");
+ Bool ret = FALSE;
- do {
- switch(*s) {
- case ',':
- s1[i] = '\0';
- i = 0;
- if (strcmp(s1, output_name) == 0)
- return TRUE;
- break;
- case ' ':
- case '\t':
- case '\n':
- case '\r':
- break;
- default:
- s1[i] = *s;
- i++;
- break;
- }
- } while(*s++);
+ if (!token)
+ return FALSE;
- s1[i] = '\0';
- if (strcmp(s1, output_name) == 0)
- return TRUE;
+ for (int i = 0; token[i]; i++) {
+ if (strcmp(token[i], output_name) == 0)
+ ret = TRUE;
- return FALSE;
+ free(token[i]);
+ }
+
+ free(token);
+
+ return ret;
}
int
--
2.13.6
More information about the xorg-devel
mailing list