[PATCH xserver] Xext: dynamically allocate the PanoramiXDepths[j].vids array
Peter Hutterer
peter.hutterer at who-t.net
Thu Jul 19 01:54:20 UTC 2018
On Tue, Jul 17, 2018 at 10:12:55PM -0700, Keith Packard wrote:
> Peter Hutterer <peter.hutterer at who-t.net> writes:
>
> > Control flow is:
> > PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals)
> > PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals)
> > and writes those into the previously allocated array.
> >
> > This caused invalid reads/writes followed by eventually a double-free abort.
> >
> > Reproduced with xorg-integration-tests server test
> > XineramaTest.ScreenCrossing/* (and a bunch of others).
> >
> > Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
>
> Reviewed-by: Keith Packard <keithp at keithp.com>
>
> (I'd complain about the lack of NULL check, but the original code didn't
> bother either)
I suspect our overall behaviour where malloc fails is somewhere between
unpredictable and undefined. I don't think any of that code has ever been
tested and right now it probably just means we fall over somewhere else than
where it actually happened.
Thanks for the quick review, much appreciated.
To gitlab.freedesktop.org:xorg/xserver.git
1c7f34e99..93cafb082 master -> master
Cheers,
Peter
More information about the xorg-devel
mailing list