<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - glxextensions.c: buffer overflow and incorrect zeroing" href="https://bugs.freedesktop.org/show_bug.cgi?id=88880">88880</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>glxextensions.c: buffer overflow and incorrect zeroing
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Mesa
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>GLX
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>mesa-dev@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>xypron.glpk@gmx.de
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>mesa-dev@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>In
src/glx/x11/glxextensions.c
a bit field server_support is used for a bitfield. Unfortunately the length of the
bitfield is not correctly considered when accessing the field.

In the following code fragment the length of the zeroed memory is the length of
the pointer (4 bytes in case of a 32bit system) not the length of the data the
pointer points to (__GL_EXT_BYTES bytes).

static void
__glXProcessServerString( const struct extension_info * ext,
              const char * server_string,
              unsigned char * server_support )
{
   unsigned  base;
   unsigned  len;

   (void) memset( server_support, 0, sizeof( server_support ) );

Furthermore the length of the memory area pointed to by server_support
is defined in varying ways in the coding:

#define __GL_EXT_BYTES   ((__NUM_GL_EXTS + 7) / 8)

unsigned char server_support[ __GL_EXT_BYTES ];
unsigned char server_support[8];

Currently __NUM_GL_EXTS = 132, so __GL_EXT_BYTES = 9.

So where server_support[8] is used a buffer overflow by setting a bit may
occur.

__GL_EXT_BYTES should always be used to refer to the length of the bitfield.

This problem was identified with cppcheck.
<a href="http://cppcheck.sourceforge.net/">http://cppcheck.sourceforge.net/</a>

Best regards

Heinrich Schuchardt</pre>
        </div>
      </p>
    </body>
</html>