patch: libXt-1.0.8 fix possible array overflow
Jeremy Huddleston
jeremyhu at freedesktop.org
Wed Sep 22 09:10:14 PDT 2010
I think it's right as it is (assuming *num_params is always >= 1). This zeroes out the remaining, unused entries in par.
A problem comes in if i < 1. Where do we enforce the bounds on *num_params?
On Sep 22, 2010, at 00:18, walter harms wrote:
> hi List,
> the code checks the upperlimit to 10 while the upperlimit is actualy 9.
>
> re,
> wh
>
>
> --- libXt-1.0.8/src/Error.c.org 2010-09-21 23:23:00.000000000 +0200
> +++ libXt-1.0.8/src/Error.c 2010-09-21 23:24:03.000000000 +0200
> @@ -257,7 +257,7 @@
> */
> Cardinal i = *num_params;
> String par[10];
> - if (i > 10) i = 10;
> + if (i > 9) i = 9;
> (void) memmove((char*)par, (char*)params, i * sizeof(String) );
> bzero( &par[i], (10-i) * sizeof(String) );
> (void) fprintf (stderr, "%s%s",
> @@ -292,7 +292,7 @@
> */
> Cardinal i = *num_params;
> String par[10];
> - if (i > 10) i = 10;
> + if (i > 9) i = 9;
> (void) memmove((char*)par, (char*)params, i * sizeof(String) );
> bzero( &par[i], (10-i) * sizeof(String) );
> if (i != *num_params)
> _______________________________________________
> xorg at lists.freedesktop.org: X.Org support
> Archives: http://lists.freedesktop.org/archives/xorg
> Info: http://lists.freedesktop.org/mailman/listinfo/xorg
> Your subscription address: jeremyhu at freedesktop.org
More information about the xorg-devel
mailing list