[xorg-bugzilla-noise] [Bug 385] New: glGetString(GL_VERSION) corrupts malloc heap
bugzilla-daemon at pdx.freedesktop.org
Mon Mar 29 14:36:24 PST 2004
http://pdx.freedesktop.org/cgi-bin/bugzilla/show_bug.cgi?id=385
Summary: glGetString(GL_VERSION) corrupts malloc heap
Product: xorg
Version: unspecified
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: server
AssignedTo: xorg-bugzilla-noise at freedesktop.org
ReportedBy: jdennis at redhat.com

The following code snippet reformats the version string, appending
" (GLLibraryVersion)" via a sprintf format that adds " (%s)". The code originally
added 3 to the length to account for the space, open paren, and close paren. But
it forgot to add 1 more character to account for the terminating null character
that sprintf adds at the end of the string. This meant that the __glXSprintf was
writing 1 character beyond the malloc block and was corrupting the malloc heap.
The fix is to add 4 to the malloc size rather than 3; a patch will be attached.

    else if ( name == GL_VERSION ) {
        if ( atof( string ) > atof( GLServerVersion ) ) {
            buf = __glXMalloc( __glXStrlen( string )
                               + __glXStrlen( GLServerVersion )
                               + 3 );
            if ( buf == NULL ) {
                string = GLServerVersion;
            }
            else {
                __glXSprintf( buf, "%s (%s)", GLServerVersion, string );
                string = buf;
            }
        }
    }

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
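
Added example, not part of the original report or the X.Org source: a C sketch that sizes the buffer by asking snprintf for the formatted length instead of summing strlen values by hand, so the terminating null is always counted. It assumes standard malloc/snprintf in place of the server's __glXMalloc/__glXSprintf wrappers; the function names and the sample version strings are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size computed by the code quoted in the report: two lengths plus 3
 * for ' ', '(' and ')'. The terminating null is not counted. */
size_t reported_buf_size(const char *server, const char *lib)
{
    return strlen(server) + strlen(lib) + 3;
}

/* Bytes that "%s (%s)" really writes, terminating null included.
 * snprintf with a NULL buffer and size 0 only measures the output. */
size_t version_buf_size(const char *server, const char *lib)
{
    int n = snprintf(NULL, 0, "%s (%s)", server, lib);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Returns a malloc'd "server (lib)" string, or NULL on failure.
 * The bounded snprintf cannot write past the block even if the
 * size calculation and the format string drift apart later. */
char *format_version(const char *server, const char *lib)
{
    size_t size = version_buf_size(server, lib);
    char *buf;
    int n;

    if (size == 0 || (buf = malloc(size)) == NULL)
        return NULL;
    n = snprintf(buf, size, "%s (%s)", server, lib);
    if (n < 0 || (size_t)n >= size) {   /* error or truncation */
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    const char *server = "1.2";          /* constructed sample values */
    const char *lib = "1.4 Mesa 5.0";
    char *s = format_version(server, lib);

    printf("reported size %zu, required size %zu, result \"%s\"\n",
           reported_buf_size(server, lib), version_buf_size(server, lib),
           s ? s : "(alloc failed)");
    free(s);
    return 0;
}
```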