path: root/extra/xorg-server/vbe-fix-malloc-size-bug.patch
blob: 01ed040d44771ab0185477c7e4b70de4dcec93a2 (plain)
From 8ffaef2ebd2611e2eed4ef97350c3a34508f5252 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Thu, 24 Feb 2011 21:06:34 +0000
Subject: vbe: Fix malloc size bug

v2: Slightly more obvious sizing math.

==14882== Invalid write of size 2
==14882==    at 0x6750267: VBEGetVBEInfo (vbe.c:400)
==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
==14882==    by 0x471895: InitOutput (xf86Init.c:519)
==14882==    by 0x422778: main (main.c:205)
==14882==  Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
==14882==    at 0x4A0640D: malloc (vg_replace_malloc.c:236)
==14882==    by 0x675024B: VBEGetVBEInfo (vbe.c:398)
==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
==14882==    by 0x471895: InitOutput (xf86Init.c:519)
==14882==    by 0x422778: main (main.c:205)

Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit d8caa782009abf4dc17b945e325e83fda299a534)
---
diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
index 7a64a4a..1d3775b 100644
--- a/hw/xfree86/vbe/vbe.c
+++ b/hw/xfree86/vbe/vbe.c
@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
     i = 0;
     while (modes[i] != 0xffff)
 	i++;
-    block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
+    block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));
     memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);
     block->VideoModePtr[i] = 0xffff;
 
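Review bot: The sizing fix is correct, and the Valgrind trace in the commit message confirms the mechanism: in `sizeof(CARD16) * i + 1` the multiplication binds tighter than the addition, so the old code allocated 2*i + 1 bytes, while `block->VideoModePtr[i] = 0xffff` stores a 2-byte CARD16 at offset 2*i (a 2-byte write at offset 72 of a 73-byte block, as reported). `sizeof(CARD16) * (i + 1)` allocates the 2*(i + 1) bytes the memcpy plus the terminator actually need. Two points remain in this hunk: the `malloc` return value is still unchecked, so on allocation failure the following `memcpy(block->VideoModePtr, modes, ...)` and the terminator store write through a NULL pointer; consider `if (!block->VideoModePtr) return NULL;` or whatever error path VBEGetVBEInfo uses for its other allocations (not visible in this hunk). Second, `while (modes[i] != 0xffff) i++;` scans BIOS-supplied data with no upper bound, so a mode list lacking the 0xffff terminator would read past the end of the table before the allocation is ever sized; a maximum count checked in the loop condition would make the size computation independent of the firmware being well-formed.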
--