[PATCH xserver] Xext: dynamically allocate the PanoramiXDepths[j].vids array

Keith Packard keithp at keithp.com
Wed Jul 18 05:12:55 UTC 2018


Peter Hutterer <peter.hutterer at who-t.net> writes:

> Control flow is:
>    PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals)
>    PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals)
>    and writes those into the previously allocated array.
>
> This caused invalid reads/writes followed by eventually a double-free abort.
>
> Reproduced with xorg-integration-tests server test
> XineramaTest.ScreenCrossing/* (and a bunch of others).
>
> Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>

Reviewed-by: Keith Packard <keithp at keithp.com>

(I'd complain about the lack of NULL check, but the original code didn't
bother either)

-- 
-keith
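The mismatch described in the quoted commit message (an array sized for 240 entries receiving up to 270 writes) and the NULL check mentioned in the review, shown as an added C example. It is not code from this thread or from the xserver patch; `DepthVids`, `depth_add_vid` and `demo_counts` are hypothetical names, and the visual IDs are constructed values.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a per-depth visual-ID list; not the xserver's struct. */
typedef struct {
    uint32_t *vids;      /* visual IDs recorded so far */
    size_t    numVids;   /* entries in use */
    size_t    capacity;  /* entries allocated */
} DepthVids;

/* Append one visual ID, growing the array on demand instead of trusting a
 * count computed elsewhere. Returns 0 on success, -1 on allocation failure
 * or size overflow; on failure the list is unchanged and still valid. */
int depth_add_vid(DepthVids *d, uint32_t vid)
{
    if (d->numVids == d->capacity) {
        size_t newCap = d->capacity ? d->capacity * 2 : 16;
        if (newCap < d->capacity || newCap > SIZE_MAX / sizeof(*d->vids))
            return -1;                   /* size computation would wrap */
        uint32_t *p = realloc(d->vids, newCap * sizeof(*p));
        if (p == NULL)
            return -1;                   /* old buffer is still owned by d */
        d->vids = p;
        d->capacity = newCap;
    }
    d->vids[d->numVids++] = vid;         /* always within capacity here */
    return 0;
}

/* Constructed scenario using the counts from the commit message: room for
 * 240 entries up front, then 270 matches appended. Returns the number of
 * IDs stored, or -1 on failure. */
long demo_counts(void)
{
    DepthVids d = {0};
    d.vids = calloc(240, sizeof(*d.vids));
    if (d.vids == NULL)
        return -1;
    d.capacity = 240;
    for (uint32_t i = 0; i < 270; i++) {
        if (depth_add_vid(&d, 0x100 + i) != 0) {
            free(d.vids);
            return -1;
        }
    }
    int ok = d.capacity >= d.numVids && d.vids[269] == 0x100 + 269;
    long n = (long)d.numVids;
    free(d.vids);
    return ok ? n : -1;
}
```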