[xorg-bugzilla-noise] [Bug 758] New: buffer overrun in getretmips.c
bugzilla-daemon at pdx.freedesktop.org
Wed Jun 16 04:17:21 PDT 2004
Please do not reply to this email: if you want to comment on the bug, go to
the URL shown below and enter your comments there.
http://freedesktop.org/bugzilla/show_bug.cgi?id=758
Summary: buffer overrun in getretmips.c
Product: xorg
Version: unspecified
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P3
Component: Lib/other
AssignedTo: xorg-bugzilla-noise at freedesktop.org
ReportedBy: Stephen.Kennedy at havok.com
A buffer overrun is possible when the size of the stack buffer is exactly the
same as the actual stack size.
You can see that it is possible to write two results in this case. Patch attached.
--- getretmips.c.orig 2004-06-16 12:01:25.000000000 +0100
+++ getretmips.c 2004-06-16 12:03:54.000000000 +0100
@@ -180,12 +180,15 @@
}
ra = (unsigned long *) sp[rc->raOffset>>2];
sp += rc->spAdjust >> 2;
- *results++ = ((unsigned long) ra) - 8;
if (ra[-2] == mainCall)
{
*results++ = 0;
break;
}
+ else
+ {
+ *results++ = ((unsigned long) ra) - 8;
+ }
max--;
}
}
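Review bot: the `else` block added after the `if (ra[-2] == mainCall)` check is redundant, because that branch ends in `break`; the store `*results++ = ((unsigned long) ra) - 8;` can simply follow the `if` without the extra braces, which also keeps the hunk to a one-line move. It is also worth stating in the bug that the output changes, not only the bounds: before the patch the frame for which `ra[-2] == mainCall` had its return address emitted and then the 0 terminator, and after the patch the 0 takes that slot, so that last address is dropped rather than moved. If callers expect the terminating 0 in addition to every address, the fix belongs in how the caller sizes the results buffer instead; either way, the intended contract (max addresses plus a terminator, or max entries including the terminator) should be written down.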
--
Configure bugmail: http://freedesktop.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
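The following C program is an added illustration of the extra store the report describes; it is not code from the bug report or from xorg. It models the loop body in the hunk twice, once in its pre-patch shape (store the return address, then check for the call to main and store the terminator) and once in its post-patch shape (one store per iteration), and runs each against a results buffer whose capacity equals the stack depth, with a canary word placed just past the buffer. The frame layout, the flag standing in for `ra[-2] == mainCall`, the `max > 0` loop guard and the address values are all assumptions made for the example; the real walker reads the return address out of the stack via `rc->raOffset`.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of one stack frame as the walker sees it. In getretmips.c
 * the return address is read from sp[rc->raOffset>>2] and the "is this main's
 * caller" test is ra[-2] == mainCall; here that test is a plain flag. */
struct frame {
    unsigned long ra;         /* return address stored in the frame */
    int ra_follows_main_call; /* stands in for ra[-2] == mainCall */
};

#define CANARY 0xDEADBEEFUL   /* sentinel placed just past the results buffer */
#define DEPTH 3               /* frames in the constructed call chain */

/* Constructed call chain: three frames, the last one returning into main's
 * caller. The addresses are arbitrary example values. */
static const struct frame chain[DEPTH] = {
    { 0x10000100UL, 0 },
    { 0x10000200UL, 0 },
    { 0x10000300UL, 1 },
};

typedef size_t (*walker_fn)(unsigned long *results, int max);

/* Pre-patch loop body: the return address is stored before the mainCall
 * check, so the final iteration stores twice (ra - 8, then the 0 terminator).
 * The `max > 0` guard is an assumption; the loop header is outside the hunk. */
static size_t walk_before(unsigned long *results, int max)
{
    size_t n = 0;
    for (size_t i = 0; i < DEPTH && max > 0; i++) {
        results[n++] = chain[i].ra - 8;
        if (chain[i].ra_follows_main_call) {
            results[n++] = 0;   /* second store in the same iteration */
            break;
        }
        max--;
    }
    return n;
}

/* Post-patch loop body: exactly one store per iteration, so `max` slots are
 * never exceeded and the 0 terminator replaces the last return address. */
static size_t walk_after(unsigned long *results, int max)
{
    size_t n = 0;
    for (size_t i = 0; i < DEPTH && max > 0; i++) {
        if (chain[i].ra_follows_main_call) {
            results[n++] = 0;
            break;
        }
        results[n++] = chain[i].ra - 8;
        max--;
    }
    return n;
}

/* Run `walk` with a buffer of exactly `cap` slots (cap <= DEPTH) followed by
 * a canary word. Returns the number of stores made and sets *overrun to 1 if
 * the canary was clobbered, i.e. the walker wrote past the buffer. */
static size_t run_with_canary(walker_fn walk, int cap, int *overrun)
{
    unsigned long buf[DEPTH + 1] = {0};   /* up to DEPTH slots + 1 canary slot */
    size_t n;

    if (cap < 0 || cap > DEPTH) {
        *overrun = 0;
        return 0;
    }
    buf[cap] = CANARY;
    n = walk(buf, cap);
    *overrun = (buf[cap] != CANARY);
    return n;
}

int main(void)
{
    int ov;
    size_t n;

    n = run_with_canary(walk_before, DEPTH, &ov);
    printf("before patch: %zu stores into %d slots, canary %s\n",
           n, DEPTH, ov ? "OVERWRITTEN" : "intact");
    n = run_with_canary(walk_after, DEPTH, &ov);
    printf("after patch:  %zu stores into %d slots, canary %s\n",
           n, DEPTH, ov ? "OVERWRITTEN" : "intact");
    return 0;
}
```

With a buffer of three slots and a chain of three frames, the pre-patch body makes four stores and overwrites the word after the buffer, while the post-patch body makes three stores and ends the buffer with the 0 terminator. The canary here is only a detector for the example; in the real library the word past the buffer is whatever the caller put on its stack next to `results`.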