[PATCH] Fix num_masks/length overflow test for XiSelectEvents
Alan Coopersmith
alan.coopersmith at sun.com
Tue Sep 15 17:53:50 PDT 2009
Have to set windowid to a valid value first, since that check
appears earlier in the code than the masks/length check.
Also have to have data[] set large enough so that reading mask
data for 0xFFFF masks doesn't overflow past the end of the array
into uninitialized data.
Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>
---
Improved version of earlier patch that also addresses the root cause of
why Peter & I saw different results for this test - since we had different
uninitialized data for the masks read past the end of the data[] array.
Also changed to leave the setting of req->win for the next test case,
copying it instead of moving it up, to avoid failure due to the swapl()
of the req->win value during testing.
test/xi2/protocol-xiselectevents.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/test/xi2/protocol-xiselectevents.c b/test/xi2/protocol-xiselectevents.c
index f314462..fe1c26d 100644
--- a/test/xi2/protocol-xiselectevents.c
+++ b/test/xi2/protocol-xiselectevents.c
@@ -60,7 +60,7 @@
#include "protocol-common.h"
#include <glib.h>
-static unsigned char *data[4096 * 16]; /* the request data buffer */
+static unsigned char *data[4096 * 20]; /* the request data buffer */
int __wrap_XISetEventMask(DeviceIntPtr dev, WindowPtr win, int len, unsigned char* mask)
{
@@ -284,6 +284,7 @@ static void test_XISelectEvents(void)
request_XISelectEvent(req, BadWindow);
g_test_message("Triggering num_masks/length overflow");
+ req->win = ROOT_WINDOW_ID;
/* Integer overflow - req->length can't hold that much */
req->num_masks = 0xFFFF;
request_XISelectEvent(req, BadLength);
--
1.5.6.5
More information about the xorg-devel
mailing list