On Wed, Mar 20, 2019 at 03:57:46PM +, Frediano Ziglio wrote:
> From: Christophe Fergeau
>
> If worker->qxl->id is bigger than 0x7ff (in other words, it's a
> negative signed int) then
> printf(worker_str, "display[%d]", worker->qxl->id);
> will need:
>
> "display[]" -> 9 bytes
> %d -> 11 bytes
>
> The trailing \0 will thus overflow our 20 bytes destination.
> As QXLInstance::id should be an unsigned int, this commit changes the
> format string to use %u. This also switches to snprintf.
> ---
> server/red-worker.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/server/red-worker.c b/server/red-worker.c
> index 8051d1e4..50612aca 100644
> --- a/server/red-worker.c
> +++ b/server/red-worker.c
> @@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl,
> worker->zlib_glz_state = reds_get_zlib_glz_state(reds);
> worker->driver_cap_monitors_config = 0;
> char worker_str[SPICE_STAT_NODE_NAME_MAX];
> -sprintf(worker_str, "display[%d]", worker->qxl->id);
> +snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned
> int)worker->qxl->id);
I'd still add a &0xff at the end to make it explicit that we expect a
uint8_t. It's a patch I wrote, so no further comments ;)
Christophe
> stat_init_node(>stat, reds, NULL, worker_str, TRUE);
> stat_init_counter(>wakeup_counter, reds, >stat,
> "wakeups", TRUE);
> stat_init_counter(>command_counter, reds, >stat,
> "commands", TRUE);
> --
> 2.20.1
>
> ___
> Spice-devel mailing list
> Spice-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
signature.asc
Description: PGP signature
___
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/spice-devel
