From: Dave Airlie <[email protected]> This code had an off-by-one and would allow writing one past the end of the callbacks array.
Pointed out by coverity. Signed-off-by: Dave Airlie <[email protected]> --- Xi/extinit.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Xi/extinit.c b/Xi/extinit.c index 7724f5f..1fbe0a2 100644 --- a/Xi/extinit.c +++ b/Xi/extinit.c @@ -409,7 +409,7 @@ static int ProcIDispatch(ClientPtr client) { REQUEST(xReq); - if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data]) + if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data]) return BadRequest; return (*ProcIVector[stuff->data])(client); @@ -428,7 +428,7 @@ static int SProcIDispatch(ClientPtr client) { REQUEST(xReq); - if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data]) + if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data]) return BadRequest; return (*SProcIVector[stuff->data])(client); -- 1.7.6.4 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
