patch: libXt-1.0.8 fix possible array overflow

Barry Scott barry.scott at onelan.co.uk
Thu Sep 23 07:58:48 PDT 2010


On Wednesday 22 September 2010 08:18:21 walter harms wrote:
> hi List,
> the code checks the upperlimit to 10 while the upperlimit is actualy 9.

You could use "(sizeof( par )/sizeof( String ))-1" to make the code robust aginst
a change to the size of par.

Barry

> 
> re,
>  wh
> 
> 
> --- libXt-1.0.8/src/Error.c.org 2010-09-21 23:23:00.000000000 +0200
> +++ libXt-1.0.8/src/Error.c     2010-09-21 23:24:03.000000000 +0200
> @@ -257,7 +257,7 @@
>              */
>             Cardinal i = *num_params;
>             String par[10];
> -           if (i > 10) i = 10;
> +           if (i > 9) i = 9;
>             (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>             bzero( &par[i], (10-i) * sizeof(String) );
>             (void) fprintf (stderr, "%s%s",
> @@ -292,7 +292,7 @@
>          */
>         Cardinal i = *num_params;
>         String par[10];
> -       if (i > 10) i = 10;
> +       if (i > 9) i = 9;
>         (void) memmove((char*)par, (char*)params, i * sizeof(String) );
>         bzero( &par[i], (10-i) * sizeof(String) );
>         if (i != *num_params)
> _______________________________________________
> xorg at lists.freedesktop.org: X.Org support
> Archives: http://lists.freedesktop.org/archives/xorg
> Info: http://lists.freedesktop.org/mailman/listinfo/xorg
> Your subscription address: barry.scott at onelan.co.uk
> 
> 



More information about the xorg mailing list