[PATCH xserver 1/4] modesetting: Fix potential buffer overflow
Eric Engestrom
eric.engestrom at imgtec.com
Mon Oct 30 09:51:02 UTC 2017
On Friday, 2017-10-27 16:11:53 +0200, Daniel Martin wrote:
> If one misconfigures a ZaphodHeads value (more than 20 characters
> without a delimiter), we get an overflow of our buffer.
> Use xstrtokenize() instead of writing/fixing our own tokenizer.
>
> Signed-off-by: Daniel Martin <consume.noise at gmail.com>
Patches 1-3 are
Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>
Patch 4 is
Acked-by: Eric Engestrom <eric.engestrom at imgtec.com>
> ---
> hw/xfree86/drivers/modesetting/drmmode_display.c | 38 ++++++++----------------
> 1 file changed, 13 insertions(+), 25 deletions(-)
>
> diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
> index 5bfae0b03..e14833dee 100644
> --- a/hw/xfree86/drivers/modesetting/drmmode_display.c
> +++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
> @@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
> static Bool
> drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
> {
> - int i = 0;
> - char s1[20];
> + char **token = xstrtokenize(s, ", \t\n\r");
> + Bool ret = FALSE;
>
> - do {
> - switch(*s) {
> - case ',':
> - s1[i] = '\0';
> - i = 0;
> - if (strcmp(s1, output_name) == 0)
> - return TRUE;
> - break;
> - case ' ':
> - case '\t':
> - case '\n':
> - case '\r':
> - break;
> - default:
> - s1[i] = *s;
> - i++;
> - break;
> - }
> - } while(*s++);
> + if (!token)
> + return FALSE;
>
> - s1[i] = '\0';
> - if (strcmp(s1, output_name) == 0)
> - return TRUE;
> + for (int i = 0; token[i]; i++) {
> + if (strcmp(token[i], output_name) == 0)
> + ret = TRUE;
>
> - return FALSE;
> + free(token[i]);
> + }
> +
> + free(token);
> +
> + return ret;
> }
>
> int
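Review bot: The delimiter set in the first added line, `xstrtokenize(s, ", \t\n\r")`, changes how whitespace inside a ZaphodHeads value is treated. The removed loop split only on ',' and silently dropped spaces, tabs and newlines, so a constructed value such as "DVI 1" was compared as "DVI1". The new code splits it into the two tokens "DVI" and "1". If that change is intended, it should be stated in the commit message; if not, tokenize on "," alone and strip whitespace from each token before the strcmp(). On the loop itself, continuing after a match is needed because every token[i] has to be freed, and a one-line comment saying so would keep a later early `return TRUE` from leaking the remaining tokens.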
> --
> 2.13.6
>