Diffstat (limited to 'extra/xorg-server/vbe-fix-malloc-size-bug.patch')
-rw-r--r-- | extra/xorg-server/vbe-fix-malloc-size-bug.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/extra/xorg-server/vbe-fix-malloc-size-bug.patch b/extra/xorg-server/vbe-fix-malloc-size-bug.patch
new file mode 100644
index 000000000..01ed040d4
--- /dev/null
+++ b/extra/xorg-server/vbe-fix-malloc-size-bug.patch
@@ -0,0 +1,39 @@
+From 8ffaef2ebd2611e2eed4ef97350c3a34508f5252 Mon Sep 17 00:00:00 2001
+From: Adam Jackson <ajax@redhat.com>
+Date: Thu, 24 Feb 2011 21:06:34 +0000
+Subject: vbe: Fix malloc size bug
+
+v2: Slightly more obvious sizing math.
+
+==14882== Invalid write of size 2
+==14882== at 0x6750267: VBEGetVBEInfo (vbe.c:400)
+==14882== by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
+==14882== by 0x471895: InitOutput (xf86Init.c:519)
+==14882== by 0x422778: main (main.c:205)
+==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
+==14882== at 0x4A0640D: malloc (vg_replace_malloc.c:236)
+==14882== by 0x675024B: VBEGetVBEInfo (vbe.c:398)
+==14882== by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
+==14882== by 0x471895: InitOutput (xf86Init.c:519)
+==14882== by 0x422778: main (main.c:205)
+
+Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Adam Jackson <ajax@redhat.com>
+(cherry picked from commit d8caa782009abf4dc17b945e325e83fda299a534)
+---
+diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
+index 7a64a4a..1d3775b 100644
+--- a/hw/xfree86/vbe/vbe.c
++++ b/hw/xfree86/vbe/vbe.c
+@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
+ i = 0;
+ while (modes[i] != 0xffff)
+ i++;
+- block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
++ block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));
+ memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);
+ block->VideoModePtr[i] = 0xffff;
+
+--
+cgit v0.8.3-6-g21f6 |
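Review bot: In the inner vbe.c hunk the `malloc` result is passed straight to `memcpy` and then written at `VideoModePtr[i]` with no NULL check, so an allocation failure becomes a NULL-pointer write inside the X server; a guard `if (block->VideoModePtr == NULL)` that takes the function's failure path should sit between the allocation and the copy (the cleanup it needs is outside the hunk, since VBEGetVBEInfo starts and ends beyond these lines). The `while (modes[i] != 0xffff)` scan is also unbounded: `modes` appears to come from the video BIOS reply, so a list without the terminator would drive both the scan and the copy length past the source buffer, and a cap on `i` would bound that. A short comment on the allocation, `/* i mode entries plus the 0xffff terminator */`, would keep the sizing from regressing to the `* i + 1` form.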