[PATCH:libXt] Bug 40577 - Missing bound checking in FreeSelectionProperty()
Alan Coopersmith
alan.coopersmith at oracle.com
Tue Sep 20 16:49:00 PDT 2011
From: Olivier Fourdan <fourdan at xfce.org>
https://bugs.freedesktop.org/show_bug.cgi?id=40577
FreeSelectionProperty() did not check for the count of items in array
and relied on a NULL terminated list, which can cause libXt to crash if
FreeSelectionProperty() follows a call to GetSelectionProperty() which
reallocates the array.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
Olivier, can we assume your Signed-off-by as well?
http://www.x.org/wiki/Development/Documentation/SubmittingPatches#Signingoffandreviewing
src/Selection.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/src/Selection.c b/src/Selection.c
index 101ea6a..f35cb44 100644
--- a/src/Selection.c
+++ b/src/Selection.c
@@ -237,6 +237,7 @@ static void FreeSelectionProperty(
Atom prop)
{
SelectionProp p;
+ int propCount;
PropList sarray;
if (prop == None) return;
LOCK_PROCESS;
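Review bot: The new local "int propCount;" is declared as a signed int, while the type of sarray->propCount is not visible anywhere in this patch. If the field is declared with a different type, give the local that same type so the assignment in the loop initializer does not go through an implicit conversion. A one-line comment saying that it counts the entries remaining in sarray->list would also help the next reader.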
@@ -247,7 +248,9 @@ static void FreeSelectionProperty(
"internal error: no selection property context for display",
(String *)NULL, (Cardinal *)NULL );
UNLOCK_PROCESS;
- for (p = sarray->list; p; p++)
+ for (p = sarray->list, propCount=sarray->propCount;
+ propCount;
+ p++, propCount--)
if (p->prop == prop) {
p->avail = TRUE;
return;
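Review bot: The loop condition "propCount;" in the rewritten for statement only stops at exactly zero, so with a signed counter a negative sarray->propCount would keep the walk going far past the array; "propCount > 0" states the bound directly and fails safe. The removed condition "p" tested the pointer itself rather than a field of the entry, and after p++ that is never NULL, so the old loop had no terminator at all, which the commit message could say more precisely than "NULL terminated list". Separately, the loop reads sarray->list after UNLOCK_PROCESS; since the commit message says GetSelectionProperty() reallocates the array, please confirm that callers hold a lock that prevents a reallocation during this walk, or move the unlock after the loop.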
--
1.7.3.2