[PATCH:libXxf86vm] Discard correct length for old-format replies in XF86VidModeGetGamma

Alan Coopersmith alan.coopersmith at oracle.com
Mon Jan 5 23:48:40 PST 2015


Ignore this - this version isn't quite right either, since it doesn't switch
between the two reply sizes.

	-alan-

On 01/ 5/15 11:42 PM, Alan Coopersmith wrote:
> Regression introduced in libXxf86vm 1.1.3 / commit 284a88e21fc05a63466
> Unlikely to be hit in practice since it requires out-of-range privsize
> or malloc failure while talking to a server using the XFree86 3.x version
> of the protocol.
>
> Found by Oracle Parfait 1.5.1:
>
> Error: Uninitialised memory (CWE 456)
>     Possible access to uninitialised memory '&rep.length'
>          at line 279 of open-src/lib/libXxf86vm/unpacked-src/src/XF86VMode.c in function 'XF86VidModeGetModeLine'.
>            &rep.length allocated at line 218.
>            &rep.length uninitialised when majorVersion < 2 at line 233.
>
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
>   src/XF86VMode.c |    3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/XF86VMode.c b/src/XF86VMode.c
> index c7169c7..7762c2b 100644
> --- a/src/XF86VMode.c
> +++ b/src/XF86VMode.c
> @@ -265,7 +265,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
>   	else
>   	    modeline->private = NULL;
>   	if (modeline->private == NULL) {
> -	    _XEatDataWords(dpy, rep.length -
> +	    CARD32 len = (majorVersion < 2) ? oldrep.length : rep.length;
> +	    _XEatDataWords(dpy, len -
>   		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
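Review bot: the length selected on the new `CARD32 len` line is version-dependent, but the value subtracted from it on the following line is still `SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)`, the new-format reply header, for both branches, so for `majorVersion < 2` the words discarded from the old-format reply are still computed against the wrong header size and `_XEatDataWords` will eat the wrong amount. The subtrahend needs the same `(majorVersion < 2) ? ... : ...` switch as the length, using the old reply structure's size in the `majorVersion < 2` branch. Two smaller points: `len - (...)` is unsigned arithmetic on a `CARD32`, so a reply whose length field is smaller than the header size wraps to a huge value rather than being rejected, and a `len < header words` check before the call would make the malformed-server case safe; and the subject line names `XF86VidModeGetGamma` while the hunk is in `XF86VidModeGetModeLine`.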



-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc