[PATCH] vbe: Fix malloc size bug
v2: Slightly more obvious sizing math. ==14882== Invalid write of size 2 ==14882==at 0x6750267: VBEGetVBEInfo (vbe.c:400) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd ==14882==at 0x4A0640D: malloc (vg_replace_malloc.c:236) ==14882==by 0x675024B: VBEGetVBEInfo (vbe.c:398) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) Signed-off-by: Adam Jackson a...@redhat.com --- hw/xfree86/vbe/vbe.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..04132d9 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * (i + 1)); memcpy(block-VideoModePtr, modes, sizeof(CARD16) * i); block-VideoModePtr[i] = 0x; -- 1.7.3.5 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
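Review bot: the `+` line now allocates the right size (the valgrind block of 73 bytes is sizeof(CARD16) * 36 + 1, one byte short of the 2-byte terminator store at index 36 that the following `block->VideoModePtr[i] = ...` line performs), but the malloc result is still passed to memcpy and written through without a NULL check; add a check that returns or skips the mode list before the memcpy. Minor: the `while (modes[i] != ...) i++;` loop counts up to the terminator with no upper bound, so a BIOS mode table missing its terminator is scanned past its end; if the size of the buffer backing `modes` is known at this point, bound the loop by it.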
Re: [PATCH] vbe: Fix malloc size bug
On Fri, Feb 25, 2011 at 13:08:59 -0500, Adam Jackson wrote: v2: Slightly more obvious sizing math. ==14882== Invalid write of size 2 ==14882==at 0x6750267: VBEGetVBEInfo (vbe.c:400) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd ==14882==at 0x4A0640D: malloc (vg_replace_malloc.c:236) ==14882==by 0x675024B: VBEGetVBEInfo (vbe.c:398) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) Signed-off-by: Adam Jackson a...@redhat.com --- hw/xfree86/vbe/vbe.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..04132d9 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * (i + 1)); memcpy(block-VideoModePtr, modes, sizeof(CARD16) * i); block-VideoModePtr[i] = 0x; Reviewed-by: Julien Cristau jcris...@debian.org Cheers, Julien ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
Re: [PATCH] vbe: Fix malloc size bug
From: Adam Jackson a...@redhat.com Date: Fri, 25 Feb 2011 13:08:59 -0500 v2: Slightly more obvious sizing math. ==14882== Invalid write of size 2 ==14882==at 0x6750267: VBEGetVBEInfo (vbe.c:400) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd ==14882==at 0x4A0640D: malloc (vg_replace_malloc.c:236) ==14882==by 0x675024B: VBEGetVBEInfo (vbe.c:398) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) Signed-off-by: Adam Jackson a...@redhat.com --- hw/xfree86/vbe/vbe.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..04132d9 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * (i + 1)); memcpy(block-VideoModePtr, modes, sizeof(CARD16) * i); block-VideoModePtr[i] = 0x; I agree that this looks better. Reviewed-by: Mark Kettenis kette...@openbsd.org ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
Re: [PATCH] vbe: Fix malloc size bug
On 02/25/11 10:08 AM, Adam Jackson wrote: v2: Slightly more obvious sizing math. ==14882== Invalid write of size 2 ==14882==at 0x6750267: VBEGetVBEInfo (vbe.c:400) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd ==14882==at 0x4A0640D: malloc (vg_replace_malloc.c:236) ==14882==by 0x675024B: VBEGetVBEInfo (vbe.c:398) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) Signed-off-by: Adam Jackson a...@redhat.com --- hw/xfree86/vbe/vbe.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..04132d9 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * (i + 1)); memcpy(block-VideoModePtr, modes, sizeof(CARD16) * i); block-VideoModePtr[i] = 0x; Thanks Reviewed-by: Alan Coopersmith alan.coopersm...@oracle.com -- -Alan Coopersmith-alan.coopersm...@oracle.com Oracle Solaris Platform Engineering: X Window System ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
[PATCH] vbe: Fix malloc size bug
==14882== Invalid write of size 2 ==14882==at 0x6750267: VBEGetVBEInfo (vbe.c:400) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd ==14882==at 0x4A0640D: malloc (vg_replace_malloc.c:236) ==14882==by 0x675024B: VBEGetVBEInfo (vbe.c:398) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) Signed-off-by: Adam Jackson a...@redhat.com --- hw/xfree86/vbe/vbe.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..56e3ec4 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * i + 2); memcpy(block-VideoModePtr, modes, sizeof(CARD16) * i); block-VideoModePtr[i] = 0x; -- 1.7.3.5 ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
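Review bot: `sizeof(CARD16) * i + 2` on the `+` line yields the right byte count only because sizeof(CARD16) happens to be 2; write it as `sizeof(CARD16) * (i + 1)` so the allocation is expressed as i + 1 elements and stays correct if the element type changes. The removed `* i + 1` mixed a byte count with an element count (one extra byte where one extra CARD16 was needed, matching the 73-byte block valgrind reports); the same pattern is worth grepping for elsewhere in vbe.c.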
Re: [PATCH] vbe: Fix malloc size bug
On 02/24/11 01:11 PM, Adam Jackson wrote: ==14882== Invalid write of size 2 ==14882==at 0x6750267: VBEGetVBEInfo (vbe.c:400) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd ==14882==at 0x4A0640D: malloc (vg_replace_malloc.c:236) ==14882==by 0x675024B: VBEGetVBEInfo (vbe.c:398) ==14882==by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so) ==14882==by 0x471895: InitOutput (xf86Init.c:519) ==14882==by 0x422778: main (main.c:205) Signed-off-by: Adam Jackson a...@redhat.com --- hw/xfree86/vbe/vbe.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..56e3ec4 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * i + 2); Was the original intent malloc(sizeof(CARD16) * (i + 1)) ? That might be a bit clearer than letting the reader wonder why 2? -- -Alan Coopersmith-alan.coopersm...@oracle.com Oracle Solaris Platform Engineering: X Window System ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
Re: [PATCH] vbe: Fix malloc size bug
On Thu, 2011-02-24 at 13:26 -0800, Alan Coopersmith wrote: On 02/24/11 01:11 PM, Adam Jackson wrote: diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c index bcda5ec..56e3ec4 100644 --- a/hw/xfree86/vbe/vbe.c +++ b/hw/xfree86/vbe/vbe.c @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) i = 0; while (modes[i] != 0x) i++; -block-VideoModePtr = malloc(sizeof(CARD16) * i + 1); +block-VideoModePtr = malloc(sizeof(CARD16) * i + 2); Was the original intent malloc(sizeof(CARD16) * (i + 1)) ? Almost certainly. That might be a bit clearer than letting the reader wonder why 2? Yeah. Though, any casual reader of the vbe code who doesn't already understand sizeof and malloc is probably already in a pretty bad part of town. - ajax signature.asc Description: This is a digitally signed message part ___ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel