From: Daphne Pfister <[email protected]> This patch attempts to fix this bug by ensuring that there is at least one nil byte at the end of all the name strings. This should prevent reading past the end of the allocation as well as exposing uninitialized memory.
Reviewed-by: Alan Coopersmith <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/Xv.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index 15c0bfd..8c45401 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 unsigned long size;
 /* limit each part to no more than one half the max size */
 if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
- (rep.text_size < (INT_MAX / 2))) {
- size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ (rep.text_size < (INT_MAX / 2)-1)) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
 ret = Xmalloc(size);
 }
@@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 }
 (*num)++;
 }
+
+ /* ensure final string is nil-terminated to avoid exposure of
+ uninitialized memory */
+ *marker = '\0';
 } else
 _XEatDataWords(dpy, rep.length);
 }
--
1.7.9.2
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
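Review bot: The extra byte added to `size` in the `@@ -865` hunk has no comment saying what it is for, and the matching `-1` in the guard only makes sense once the reader reaches the terminator store in the later hunk. A short comment above the assignment would tie the two together, for example `/* +1: room for the NUL stored after the last name */`. The guard would also read more consistently with the line above it if spaced as `(rep.text_size < (INT_MAX / 2) - 1)) {`. The block that declares `size` starts and ends outside the hunk.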
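Review bot: The `*marker = '\0';` store in the `@@ -891` hunk terminates the text area once, after the loop, while the commit message speaks of a nil byte at the end of all the name strings. If the server sends a name without its own terminating byte, that name would presumably run into the one stored after it; the read stays inside the allocation, but the caller would see a merged name. The loop that reads the names is mostly outside the hunk, so this needs confirming there. If it holds, the comment should say so, for example `/* names are not terminated individually; this only bounds reads to the allocation */`, or the loop should store a NUL after each name with the buffer sized to match.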
