[PATCH 3/5] Xi: avoid overrun of callback array.
Jeremy Huddleston
jeremyhu at apple.com
Wed Oct 19 10:40:51 PDT 2011
Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>
On Oct 19, 2011, at 9:01 AM, Dave Airlie wrote:
> From: Dave Airlie <airlied at redhat.com>
>
> This code had an off-by-one and would allow writing one past the end of
> the callbacks array.
>
> Pointed out by coverity.
>
> Signed-off-by: Dave Airlie <airlied at redhat.com>
> ---
> Xi/extinit.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/Xi/extinit.c b/Xi/extinit.c
> index 7724f5f..1fbe0a2 100644
> --- a/Xi/extinit.c
> +++ b/Xi/extinit.c
> @@ -409,7 +409,7 @@ static int
> ProcIDispatch(ClientPtr client)
> {
> REQUEST(xReq);
> - if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
> + if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
> return BadRequest;
>
> return (*ProcIVector[stuff->data])(client);
> @@ -428,7 +428,7 @@ static int
> SProcIDispatch(ClientPtr client)
> {
> REQUEST(xReq);
> - if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
> + if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
> return BadRequest;
>
> return (*SProcIVector[stuff->data])(client);
> --
> 1.7.6.4
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>
More information about the xorg-devel
mailing list