On 03/03/2013 08:57 PM, Nickolai Zeldovich wrote:
This patch fixes two bugs in the realloc invocation in setCode(), which
most likely cause memory corruption when realloc is triggered:

1. Pass *enc to realloc (which is the dynamically-allocated buffer),
    instead of enc (which stores a pointer to the dynamically-allocated
    buffer).

2. Allocate enough memory for (*encsize) shorts, instead of (*encsize)
    bytes; see the call to malloc just above the realloc call.

Signed-off-by: Nickolai Zeldovich <[email protected]>

Yikes, that's pretty bad!

Reviewed-by: Aaron Plattner <[email protected]>

Do you need someone to apply this for you?

---
  src/encparse.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/encparse.c b/src/encparse.c
index cbcac80..ee18b3f 100644
--- a/src/encparse.c
+++ b/src/encparse.c
@@ -426,7 +426,7 @@ setCode(unsigned from, unsigned to, unsigned row_size,
          }
      } else if(*encsize <= index) {
          *encsize = 0x10000;
-        if((newenc = realloc(enc, *encsize))==NULL)
+        if((newenc = realloc(*enc, (*encsize) * sizeof(unsigned short)))==NULL)
              return 1;
          *enc = newenc;
      }
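Review bot: the `*encsize = 0x10000;` assignment just above the realloc happens before the allocation is known to succeed, so on the `return 1;` failure path the caller is left with `*encsize` claiming 0x10000 entries while `*enc` still points at the old, smaller buffer; consider computing the new size into a local, passing that to realloc, and storing it into `*encsize` only after `*enc = newenc;`. Separately, the branch is entered on `*encsize <= index` and always sets the size to exactly 0x10000, so it is worth confirming that `index` is bounded below 0x10000 elsewhere, otherwise the enlarged buffer can still be too small for the write that follows. The `*enc` and `sizeof(unsigned short)` corrections themselves look right and match the malloc call described in the commit message.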



--
Aaron