Upon receiving a response, _FSReply copies the first 8 bytes into *rep
and then looks at them to determine what type of response it is. If it's an
error packet, it then converts to an error struct and reads the rest,
but it was copying 16 bytes out of *rep to begin with, due to sloppy
casting. Since we immediately overwrite the second 8 bytes with the
data coming off the wire, this isn't horrible, but it really freaks out
static analysis and memory debugging tools.
Fixes parfait 1.1 warning:
Error: Buffer overrun
Read Outside Array Bounds in STD C function: Read outside array bounds in
call to llvm.memcpy.p0i8.p0i8.i64. Buffer ((char*)((union fsError*)rep)) of
size ??? is read at an offset of 16
size(((char*)((union fsError*)rep))) is 8, 16 is 16
at line 751 of src/FSlibInt.c in function '_FSReply'.
called at line 67 of src/FSSync.c in function 'FSSync' with rep =
((union fsReply*)&rep).
Signed-off-by: Alan Coopersmith <[email protected]>
---
src/FSlibInt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/FSlibInt.c b/src/FSlibInt.c
index 0c24f89..96c5e62 100644
--- a/src/FSlibInt.c
+++ b/src/FSlibInt.c
@@ -748,7 +748,8 @@ _FSReply(
unsigned long serial;
long err_data;
- err = *(fsError *) rep;
+ /* copy in the part we already read off the wire */
+ memcpy(&err, rep, SIZEOF(fsReply));
/* read the rest of the error */
_FSRead(svr, (char *) &err + SIZEOF(fsReply),
(long) (SIZEOF(fsError) - SIZEOF(fsReply)));
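Review bot: the memcpy bounds the copy to SIZEOF(fsReply) bytes, which the commit message identifies as the 8 bytes already placed in *rep, so the over-read the parfait warning reports is gone; the correctness of the change now hinges on SIZEOF(fsReply) matching exactly what the caller stored in *rep before calling _FSReply, and on _FSRead filling the remaining SIZEOF(fsError) - SIZEOF(fsReply) bytes of err, so it would help to say so in the new comment (e.g. "copy in the SIZEOF(fsReply) bytes the caller already read off the wire; _FSRead below fills the rest of err"). Please also confirm that src/FSlibInt.c already includes <string.h>, since the hunk introduces a memcpy call and the context lines do not show the includes.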
--
1.7.9.2
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel