[PATCH 1/2] Allocate enough room for both reset & flags attributes

Alan Coopersmith alan.coopersmith at oracle.com
Thu Oct 9 05:42:08 PDT 2014


ctx_attribs had room for 3 pairs of attributes, but if both flags & reset
attributes were being returned it was storing 4 pairs in the array.

Found by Coverity #53442:  Out-of-bounds write
This could cause an immediate crash or incorrect computations.
In create_driver_context: Out-of-bounds write to a buffer (CWE-119)

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---
 glx/glxdri2.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index c756bf5..5a8966f 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -475,7 +475,7 @@ create_driver_context(__GLXDRIcontext * context,
     context->driContext = NULL;
 
     if (screen->dri2->base.version >= 3) {
-        uint32_t ctx_attribs[3 * 2];
+        uint32_t ctx_attribs[4 * 2];
         unsigned num_ctx_attribs = 0;
         unsigned dri_err = 0;
         unsigned major_ver;
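Review bot: In the declaration `uint32_t ctx_attribs[4 * 2];` the pair count is still a bare literal, the same form that was one pair short before this change. A short comment listing the attribute pairs that can be stored, or a named constant for the maximum pair count, would make it harder for a later attribute to be added without growing the array.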
@@ -510,6 +510,8 @@ create_driver_context(__GLXDRIcontext * context,
                     __DRI_CTX_ATTRIB_RESET_STRATEGY;
                 ctx_attribs[num_ctx_attribs++] = reset;
             }
+
+            assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs));
         }
 
         context->driContext =
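Review bot: The new `assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs));` runs after the stores such as `ctx_attribs[num_ctx_attribs++] = reset;`, so it can only report an overflow once the out-of-bounds write has already happened, and a standard assert() disappears in builds that define NDEBUG. If the intent is to prevent the write rather than flag it, check that two slots remain before each pair is appended (or route the stores through a small helper that does); if the assert is meant only as a debug tripwire, a comment saying so would help. The diffstat shows only these three added lines, so please also confirm that assert and ARRAY_SIZE are already available in glxdri2.c.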
-- 
1.7.9.2



More information about the xorg-devel mailing list