On Wed, Feb 23, 2011 at 01:22:36AM +0100, Julien Cristau wrote: > On Wed, Feb 23, 2011 at 09:36:06 +1000, Peter Hutterer wrote: > > > Miscalculation of length caused Data() to memcpy too many bytes. > > > > ==2865== Invalid read of size 1 > > ==2865== at 0x4A07480: memcpy (mc_replace_strmem.c:602) > > ==2865== by 0x544271E: XIGrabDevice (XIGrabDevice.c:69) > > ==2865== by 0x400B0A: main (gnome642481.c:56) > > ==2865== Address 0x642f614 is 0 bytes after a block of size 20 alloc'd > > ==2865== at 0x4A04896: calloc (vg_replace_malloc.c:418) > > ==2865== by 0x54425D3: XIGrabDevice (XIGrabDevice.c:65) > > ==2865== by 0x400B0A: main (gnome642481.c:56) > > > > SetReqLen() expects 4-byte units. > > Data() expects bytes. > > > > Gnome Bug 642481 <https://bugzilla.gnome.org/show_bug.cgi?id=642481> > > Signed-off-by: Peter Hutterer <[email protected]> > > --- > > > > src/XIGrabDevice.c | 4 ++-- > > 1 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/src/XIGrabDevice.c b/src/XIGrabDevice.c > > index 985d3f1..97ab971 100644 > > --- a/src/XIGrabDevice.c > > +++ b/src/XIGrabDevice.c > > @@ -61,8 +61,8 @@ XIGrabDevice(Display* dpy, int deviceid, Window > > grab_window, Time time, > > > > /* masks.mask_len is in bytes, but we need 4-byte units on the wire, > > typo here (masks → mask)
thanks, I've pushed this as separate patch. Cheers, Peter > > > * and they need to be padded with 0 */ > > - len = req->mask_len * 4; > > - buff = calloc(1, len); > > + len = req->mask_len; > > + buff = calloc(1, len * 4); > > memcpy(buff, mask->mask, mask->mask_len); > > > > SetReqLen(req, len, len); > > Reviewed-by: Julien Cristau <[email protected]> > > Cheers, > Julien _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
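Review bot: the new allocation `buff = calloc(1, len * 4);` is passed straight to `memcpy(buff, mask->mask, mask->mask_len);` with no NULL check, so an allocation failure becomes a write through a NULL pointer; test buff and bail out before the copy. The copy length is mask->mask_len while the buffer is req->mask_len * 4 bytes, and the visible context does not show how req->mask_len is derived, so confirm it is rounded up such that req->mask_len * 4 >= mask->mask_len. Since len now holds 4-byte units for SetReqLen(), the Data() call that follows the hunk has to be given a byte count (len * 4), in line with the commit message's "Data() expects bytes".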
