[PATCH:libICE 1/2] Fix reads outside array bounds in error handlers

Jeremy Huddleston jeremyhu at apple.com
Tue Apr 19 19:11:09 PDT 2011 

Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>

On Apr 19, 2011, at 18:40, Alan Coopersmith wrote:

> Error: Buffer overrun
>   Read outside array bounds (CWE 125): In call to memcpy(<unknown>, &mOp, 8), (size(&mOp) < (unsigned) 8)
>      Array size is 1 bytes
>        at line 296 of src/error.c in function '_IceErrorMajorOpcodeDuplicate'.
> Error: Buffer overrun
>   Read outside array bounds (CWE 125): In call to memcpy(<unknown>, &maj, 8), (size(&maj) < (unsigned) 8)
>      Array size is 1 bytes
>        at line 346 of src/error.c in function '_IceErrorBadMajor'.
> 
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> 
> [ This bug was found by the Parfait 0.3.7 bug checking tool.
>  For more information see http://labs.oracle.com/projects/parfait/ ]
> ---
> src/error.c |    8 ++++----
> 1 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/src/error.c b/src/error.c
> index 5c9aa51..0e7725a 100644
> --- a/src/error.c
> +++ b/src/error.c
> @@ -284,7 +284,7 @@ _IceErrorMajorOpcodeDuplicate (
> 	int	majorOpcode
> )
> {
> -    char mOp = (char) majorOpcode;
> +    char mOp[8] = { (char) majorOpcode };
> 
>     IceErrorHeader (iceConn,
> 	0, ICE_ProtocolSetup,
> @@ -293,7 +293,7 @@ _IceErrorMajorOpcodeDuplicate (
> 	IceMajorOpcodeDuplicate,
> 	1 /* length */);
> 
> -    IceWriteData (iceConn, 8, &mOp);
> +    IceWriteData (iceConn, 8, mOp);
>     IceFlush (iceConn);
> }
> 
> @@ -334,7 +334,7 @@ _IceErrorBadMajor (
> 	int	severity
> )
> {
> -    char maj = (char) offendingMajor;
> +    char maj[8] = { (char) offendingMajor };
> 
>     IceErrorHeader (iceConn,
> 	0, offendingMinor,
> @@ -343,7 +343,7 @@ _IceErrorBadMajor (
> 	IceBadMajor,
> 	1 /* length */);
> 
> -    IceWriteData (iceConn, 8, &maj);
> +    IceWriteData (iceConn, 8, maj);
>     IceFlush (iceConn);
> }
> 
> -- 
> 1.7.3.2
> 
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>

More information about the xorg-devel mailing list