patch: libXt-1.0.8 fix possible array overflow

Pat Kane pekane52 at gmail.com
Thu Sep 23 10:47:07 PDT 2010


In the original code if 'i' is equal to 10 then the line
   (void) memmove((char*)par, (char*)params, i * sizeof(String) );
moves ten things, which is okay.

The next line:
   bzero( &par[i], (10-i) * sizeof(String) );
moves zero things to a bad address, which is probably okay,
but I bet some code checker would complain.

The code is very ugly.

Pat
---
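An added example, not part of the message above or of the libXt patch: a bounded copy into a fixed 10-slot array that clamps the count first and only touches &par[i] when i is below 10. The names copy_params and MAX_PARAMS are hypothetical, and the String typedef is an assumption made to match the casts quoted above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARAMS 10            /* size of the fixed array in the message above */

typedef char *String;            /* assumed to match the String used above */

/*
 * Hypothetical helper (not libXt code): copy at most MAX_PARAMS entries
 * from params into par, set every unused slot to NULL, and return the
 * number of entries actually copied.
 */
static size_t copy_params(String par[MAX_PARAMS], const String *params,
                          size_t num_params)
{
    size_t i = (params == NULL) ? 0 : num_params;
    size_t k;

    if (i > MAX_PARAMS)          /* clamp before any byte length is computed */
        i = MAX_PARAMS;

    if (i > 0)
        memmove(par, params, i * sizeof(String));

    /* When i == MAX_PARAMS this loop body never runs, so &par[MAX_PARAMS]
     * is never handed to a fill routine. A plain loop replaces bzero(). */
    for (k = i; k < MAX_PARAMS; k++)
        par[k] = NULL;

    return i;
}

int main(void)
{
    char word[] = "x";           /* constructed sample data */
    String in[12], par[MAX_PARAMS];
    size_t k;

    for (k = 0; k < 12; k++)
        in[k] = word;

    printf("3 in  -> %zu copied\n", copy_params(par, in, 3));
    printf("10 in -> %zu copied\n", copy_params(par, in, 10));
    printf("12 in -> %zu copied\n", copy_params(par, in, 12));
    return 0;
}
```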


