Diffstat (limited to 'extra/xorg-server/vbe-fix-malloc-size-bug.patch')
-rw-r--r--extra/xorg-server/vbe-fix-malloc-size-bug.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/extra/xorg-server/vbe-fix-malloc-size-bug.patch b/extra/xorg-server/vbe-fix-malloc-size-bug.patch
new file mode 100644
index 000000000..01ed040d4
--- /dev/null
+++ b/extra/xorg-server/vbe-fix-malloc-size-bug.patch
@@ -0,0 +1,39 @@
+From 8ffaef2ebd2611e2eed4ef97350c3a34508f5252 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Thu, 24 Feb 2011 21:06:34 +0000
+Subject: vbe: Fix malloc size bug
+
+v2: Slightly more obvious sizing math.
+
+==14882== Invalid write of size 2
+==14882== at 0x6750267: VBEGetVBEInfo (vbe.c:400)
+==14882== by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
+==14882== by 0x471895: InitOutput (xf86Init.c:519)
+==14882== by 0x422778: main (main.c:205)
+==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
+==14882== at 0x4A0640D: malloc (vg_replace_malloc.c:236)
+==14882== by 0x675024B: VBEGetVBEInfo (vbe.c:398)
+==14882== by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
+==14882== by 0x471895: InitOutput (xf86Init.c:519)
+==14882== by 0x422778: main (main.c:205)
+
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+(cherry picked from commit d8caa782009abf4dc17b945e325e83fda299a534)
+---
+diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
+index 7a64a4a..1d3775b 100644
+--- a/hw/xfree86/vbe/vbe.c
++++ b/hw/xfree86/vbe/vbe.c
+@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
+ i = 0;
+ while (modes[i] != 0xffff)
+ i++;
+- block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
++ block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));
+ memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);
+ block->VideoModePtr[i] = 0xffff;
+
+--
+cgit v0.8.3-6-g21f6
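Review bot: The corrected allocation in the embedded vbe.c hunk is still handed to memcpy() and the `block->VideoModePtr[i] = 0xffff;` store without checking that malloc() returned non-NULL, so the fix closes the one-element heap overflow but leaves an unchecked NULL write on allocation failure. The element count `i` is obtained by walking `modes` until the 0xffff terminator, and that list appears to originate outside the server (presumably the video BIOS), so its length is not under the caller's control; a guard such as `if (!block->VideoModePtr) goto fail;` before the memcpy, using whatever error path VBEGetVBEInfo already has (not visible here), would make the failure explicit. Because this file is a cherry-pick of an upstream commit, the guard belongs in a follow-up patch rather than an edit to this one. The body of VBEGetVBEInfo starts and ends outside the quoted hunk.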