Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end up copying data from outside tmpBuf.
Reported-by: Al Viro <[email protected]> Signed-off-by: Julien Cristau <[email protected]> --- src/XvMC.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/XvMC.c b/src/XvMC.c index 74c8b85..00ac760 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -573,7 +573,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, unsigned long realSize = 0; char *tmpBuf = NULL; - if (rep.length < (INT_MAX >> 2)) { + if ((rep.length < (INT_MAX >> 2)) && + /* protect against overflow in strncpy below */ + (rep.nameLen + rep.busIDLen > rep.nameLen)) { realSize = rep.length << 2; if (realSize >= (rep.nameLen + rep.busIDLen)) { tmpBuf = Xmalloc(realSize); -- 1.7.10.4 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
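Review bot: the new guard `(rep.nameLen + rep.busIDLen > rep.nameLen)` uses a strict `>`, so a reply whose `busIDLen` is 0 fails the check and `tmpBuf` is never allocated even though no wraparound occurred; if a zero-length bus ID is a legitimate value, the comparison should be `>=`. With unsigned operands the sum can only drop below `rep.nameLen` when the addition wraps, so `rep.nameLen + rep.busIDLen >= rep.nameLen` detects exactly the overflow the comment describes without rejecting the `busIDLen == 0` case. The comment text "protect against overflow in strncpy below" also points at the wrong spot: the wrapped sum is consumed first by the `realSize >= (rep.nameLen + rep.busIDLen)` size check, which is what lets the later copy run past `tmpBuf`, so naming that comparison in the comment would make the intent clearer to the next reader.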
