[PATCH:xrdb] Ensure we don't read out of ClassName array bounds for unknown visual type

Alan Coopersmith alan.coopersmith at oracle.com
Sat Jul 6 12:06:06 PDT 2013


Should never happen, but has been reported as happening at least once:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488535

Instead of indexing past the end of the array, print warning messages to
stderr to help diagnose where the bad visual information is coming from.

(Tested by temporarily commenting out names in the ClassName array.)

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 xrdb.c |   28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/xrdb.c b/xrdb.c
index b7c9fa3..d42a519 100644
--- a/xrdb.c
+++ b/xrdb.c
@@ -605,6 +605,8 @@ static char *ClassNames[] = {
     "DirectColor"
 };
 
+#define NUM_CLASS_NAMES (int)(sizeof(ClassNames) / sizeof(ClassNames[0]))
+
 static void
 DoScreenDefines(Display *display, int scrno, String *defs)
 {
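Review bot: The expansion of `NUM_CLASS_NAMES` has no outer pair of parentheses, so it acts as a single value only where the leading cast binds first; the two `<` comparisons in this patch are such cases and are fine. Writing it as `#define NUM_CLASS_NAMES ((int)(sizeof(ClassNames) / sizeof(ClassNames[0])))` keeps it correct if a later use applies `sizeof` or a postfix operator to it. A one-line comment above it, such as `/* upper bound for any visual class used to index ClassNames */`, would tie the macro to the bounds check it exists for. The body of DoScreenDefines continues outside this hunk.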
@@ -625,9 +627,16 @@ DoScreenDefines(Display *display, int scrno, String *defs)
     AddNum(defs, "Y_RESOLUTION", Resolution(screen->height,screen->mheight));
     AddNum(defs, "PLANES", DisplayPlanes(display, scrno));
     AddNum(defs, "BITS_PER_RGB", visual->bits_per_rgb);
-    AddDefQ(defs, "CLASS", ClassNames[visual->class]);
-    snprintf(name, sizeof(name), "CLASS_%s", ClassNames[visual->class]);
-    AddNum(defs, name, (int)visual->visualid);
+    if (visual->class >= 0 && visual->class < NUM_CLASS_NAMES) {
+	AddDefQ(defs, "CLASS", ClassNames[visual->class]);
+	snprintf(name, sizeof(name), "CLASS_%s", ClassNames[visual->class]);
+	AddNum(defs, name, (int)visual->visualid);
+    }
+    else {
+	fprintf(stderr,
+		"%s: unknown visual type %d for default visual id 0x%lx\n",
+		ProgramName, visual->class, visual->visualid);
+    }
     switch(visual->class) {
 	case StaticColor:
 	case PseudoColor:
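Review bot: The range test on the class value is now written out twice, here for `visual->class` and again for `vinfos[i].class` in the next hunk, and nothing stops a later `ClassNames[...]` lookup from being added without it. The class value is not under xrdb's control (the commit message cites a report of a bad one), so the bound is better enforced in one place next to the array: a small lookup helper that returns NULL for an out-of-range class, with both call sites testing the result, e.g. `if ((cname = ClassNameOrNull(visual->class)) != NULL)`. After the warning, execution also continues into `switch(visual->class)` with the unknown value. The switch body extends past this hunk, so whether every path there tolerates it cannot be confirmed from here.

```c
/* Map a visual class to its name; class values come from outside xrdb,
 * so never index ClassNames without going through this check. */
static char *
ClassNameOrNull(int class)
{
    if (class < 0 || class >= NUM_CLASS_NAMES)
	return NULL;
    return ClassNames[class];
}

/* … unchanged: DoScreenDefines, with both ClassNames[] lookups replaced by the helper's result … */
```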
@@ -643,9 +652,16 @@ DoScreenDefines(Display *display, int scrno, String *defs)
 		break;
 	}
 	if (j < 0) {
-	    snprintf(name, sizeof(name), "CLASS_%s_%d",
-		    ClassNames[vinfos[i].class], vinfos[i].depth);
-	    AddNum(defs, name, (int)vinfos[i].visualid);
+	    if (vinfos[i].class >= 0 && vinfos[i].class < NUM_CLASS_NAMES) {
+		snprintf(name, sizeof(name), "CLASS_%s_%d",
+			 ClassNames[vinfos[i].class], vinfos[i].depth);
+		AddNum(defs, name, (int)vinfos[i].visualid);
+	    }
+	    else {
+		fprintf(stderr,
+			"%s: unknown visual type %d for visual id 0x%lx\n",
+			ProgramName, vinfos[i].class, vinfos[i].visualid);
+	    }
 	}
     }
     XFree((char *)vinfos);
-- 
1.7.9.2


