[PATCH xserver 1/4] modesetting: Fix potential buffer overflow

Eric Engestrom eric.engestrom at imgtec.com
Mon Oct 30 09:51:02 UTC 2017


On Friday, 2017-10-27 16:11:53 +0200, Daniel Martin wrote:
> If one misconfigures a ZaphodHeads value (more than 20 characters
> without a delimiter), we get an overflow of our buffer.
> Use xstrtokenize() instead of writing/fixing our own tokenizer.
> 
> Signed-off-by: Daniel Martin <consume.noise at gmail.com>

Patches 1-3 are
Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>

Patch 4 is
Acked-by: Eric Engestrom <eric.engestrom at imgtec.com>

> ---
>  hw/xfree86/drivers/modesetting/drmmode_display.c | 38 ++++++++----------------
>  1 file changed, 13 insertions(+), 25 deletions(-)
> 
> diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
> index 5bfae0b03..e14833dee 100644
> --- a/hw/xfree86/drivers/modesetting/drmmode_display.c
> +++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
> @@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
>  static Bool
>  drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
>  {
> -    int i = 0;
> -    char s1[20];
> +    char **token = xstrtokenize(s, ", \t\n\r");
> +    Bool ret = FALSE;
>  
> -    do {
> -        switch(*s) {
> -        case ',':
> -            s1[i] = '\0';
> -            i = 0;
> -            if (strcmp(s1, output_name) == 0)
> -                return TRUE;
> -            break;
> -        case ' ':
> -        case '\t':
> -        case '\n':
> -        case '\r':
> -            break;
> -        default:
> -            s1[i] = *s;
> -            i++;
> -            break;
> -        }
> -    } while(*s++);
> +    if (!token)
> +        return FALSE;
>  
> -    s1[i] = '\0';
> -    if (strcmp(s1, output_name) == 0)
> -        return TRUE;
> +    for (int i = 0; token[i]; i++) {
> +        if (strcmp(token[i], output_name) == 0)
> +            ret = TRUE;
>  
> -    return FALSE;
> +        free(token[i]);
> +    }
> +
> +    free(token);
> +
> +    return ret;
>  }
>  
>  int
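Review bot: Whitespace becomes a token separator in `xstrtokenize(s, ", \t\n\r")`, whereas the removed tokenizer dropped whitespace and split only on commas. A constructed value such as `HDMI 1` used to compare as `HDMI1` and is now compared as two tokens, `HDMI` and `1`. Output names presumably contain no whitespace, so this is likely harmless, but the commit message does not mention the change in matching. The `if (!token) return FALSE;` path also reports "no match" when tokenizing fails (presumably an allocation failure or a NULL `s`), so a configured head could be skipped silently; a log line there would make that diagnosable. I would add a comment above the call, e.g. `/* Names are split on commas and whitespace; tokens are heap copies of any length, so no fixed-size buffer is involved. Each token and the array are freed below. */`.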
> -- 
> 2.13.6
> 

