If one misconfigures a ZaphodHeads value (more than 20 characters without a delimiter), we get an overflow of our buffer. Use xstrtokenize() instead of writing/fixing our own tokenizer.
Signed-off-by: Daniel Martin <[email protected]> --- hw/xfree86/drivers/modesetting/drmmode_display.c | 38 ++++++++---------------- 1 file changed, 13 insertions(+), 25 deletions(-) diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c index 5bfae0b03..e14833dee 100644 --- a/hw/xfree86/drivers/modesetting/drmmode_display.c +++ b/hw/xfree86/drivers/modesetting/drmmode_display.c @@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int static Bool drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name) { - int i = 0; - char s1[20]; + char **token = xstrtokenize(s, ", \t\n\r"); + Bool ret = FALSE; - do { - switch(*s) { - case ',': - s1[i] = '\0'; - i = 0; - if (strcmp(s1, output_name) == 0) - return TRUE; - break; - case ' ': - case '\t': - case '\n': - case '\r': - break; - default: - s1[i] = *s; - i++; - break; - } - } while(*s++); + if (!token) + return FALSE; - s1[i] = '\0'; - if (strcmp(s1, output_name) == 0) - return TRUE; + for (int i = 0; token[i]; i++) { + if (strcmp(token[i], output_name) == 0) + ret = TRUE; - return FALSE; + free(token[i]); + } + + free(token); + + return ret; } int -- 2.13.6 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: https://lists.x.org/mailman/listinfo/xorg-devel
