In article <20150707005552.d4a8...@cvs.netbsd.org>,
Michael Lorenz <source-changes-d@NetBSD.org> wrote:
>-=-=-=-=-=-
>
>Modified files:
>
>Index: xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c
>diff -u xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c:1.9
>xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c:1.10
>--- xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c:1.9       Wed Mar
>19 23:56:47 2014
>+++ xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c   Tue Jul  7
>00:55:52 2015
>@@ -1625,6 +1625,8 @@ static int R128ValidateFPModes(ScrnInfoP
>         pScrn->display->modes[0] = xnfalloc(16);
>         sprintf(pScrn->display->modes[0], "%dx%d",
>                info->PanelXRes, info->PanelYRes);
>+        /* don't forget to NULL terminate */
>+        pScrn->display->modes[1] = NULL;
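
Review bot: the sprintf into the xnfalloc(16) buffer in the context lines of this hunk is unbounded: "%dx%d" applied to two ints can produce more than 15 characters plus the terminating NUL, so size the allocation from the formatted length, or use snprintf with the buffer size and check its return value, instead of relying on the literal 16. The added modes[1] = NULL also assumes the modes array has room for at least two pointers; that allocation is not visible in this hunk and is worth confirming.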

Pick up a magic number 16, and then use sprintf instead of snprintf ->
Welcome to the wonderful world of buffer overflow...

If PanelXRes == PanelYRes == 0x7fffffff then we get:

        2147483647x2147483647

that needs 21 chars to print.

christos
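
The sizing problem raised in the reply above, as an added example that is not part of the original message or of the r128 driver: the "%dx%d" output is measured with snprintf before allocating, so the buffer always fits. The helper names, the `FIXED_MODE_BUF` constant and the use of plain `malloc` in place of `xnfalloc` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffer allocated in the quoted hunk. */
#define FIXED_MODE_BUF 16

/* Bytes needed for "<xres>x<yres>" including the terminating NUL,
 * or 0 if snprintf reports an error. */
size_t mode_name_size(int xres, int yres)
{
    int n = snprintf(NULL, 0, "%dx%d", xres, yres);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Returns 1 if the mode name fits in a buffer of buf_size bytes. */
int mode_name_fits(int xres, int yres, size_t buf_size)
{
    size_t need = mode_name_size(xres, yres);
    return need != 0 && need <= buf_size;
}

/* Hypothetical helper: allocate exactly what the name needs.
 * The caller frees the result; NULL is returned on failure. */
char *format_mode_name(int xres, int yres)
{
    size_t need = mode_name_size(xres, yres);
    char *name;

    if (need == 0)
        return NULL;
    name = malloc(need);
    if (name == NULL)
        return NULL;
    snprintf(name, need, "%dx%d", xres, yres);
    return name;
}

int main(void)
{
    /* Constructed input: the worst case given in the reply. */
    char *name = format_mode_name(0x7fffffff, 0x7fffffff);
    if (name == NULL)
        return 1;
    printf("%s: %zu bytes needed, fits in %d: %s\n", name, strlen(name) + 1,
           FIXED_MODE_BUF, mode_name_fits(0x7fffffff, 0x7fffffff, FIXED_MODE_BUF) ? "yes" : "no");
    free(name);
    return 0;
}
```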
