summaryrefslogtreecommitdiff
authorJeremy Huddleston <jeremyhu@freedesktop.org>2009-05-09 18:42:17 (GMT)
committer Jeremy Huddleston <jeremyhu@freedesktop.org>2009-05-09 18:42:17 (GMT)
commit04c9e80f083659e63cffec8969fb3a0cfc551a97 (patch) (side-by-side diff)
tree6ef08f1b62c9141d2b0d12f8ee960cb0ddaf4f76
parent71a4dcb1d8cb2962d99e34262886930fc30429c8 (diff)
downloadxserver-04c9e80f083659e63cffec8969fb3a0cfc551a97.zip
xserver-04c9e80f083659e63cffec8969fb3a0cfc551a97.tar.gz
Fix a couple off-by-one array boundary checks.
Error: Write outside array bounds at Xext/geext.c:406 in function 'GEWindowSetMask' [Symbolic analysis] In array dereference of cli->nextSib[extension] with index 'extension' Array size is 128 elements (of 4 bytes each), index <= 128 Error: Buffer overflow at dix/events.c:592 in function 'SetMaskForEvent' [Symbolic analysis] In array dereference of filters[deviceid] with index 'deviceid' Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20 Error: Read buffer overflow at hw/xfree86/loader/loader.c:226 in function 'LoaderOpen' [Symbolic analysis] In array dereference of refCount[new_handle] with index 'new_handle' Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256 These bugs were found using the Parfait source code analysis tool. For more information see http://research.sun.com/projects/parfait Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Acked-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit b680bda34da130ce408783f04214771471e41e8d)
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--Xext/geext.c2
-rw-r--r--dix/events.c2
-rw-r--r--hw/xfree86/loader/loader.c2
3 files changed, 3 insertions, 3 deletions
diff --git a/Xext/geext.c b/Xext/geext.c
index a58db03..7ab9951 100644
--- a/Xext/geext.c
+++ b/Xext/geext.c
@@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev,
extension = (extension & 0x7F);
- if (extension > MAXEXTENSIONS)
+ if (extension >= MAXEXTENSIONS)
{
ErrorF("Invalid extension number.\n");
return;
diff --git a/dix/events.c b/dix/events.c
index 6743cae..a605e8f 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -761,7 +761,7 @@ void
SetMaskForEvent(int deviceid, Mask mask, int event)
{
int coretype;
- if (deviceid < 0 || deviceid > MAXDEVICES)
+ if (deviceid < 0 || deviceid >= MAXDEVICES)
FatalError("SetMaskForEvent: bogus device id");
if ((event < LASTEvent) || (event >= 128))
FatalError("SetMaskForEvent: bogus event number");
diff --git a/hw/xfree86/loader/loader.c b/hw/xfree86/loader/loader.c
index a5e8912..fc0db28 100644
--- a/hw/xfree86/loader/loader.c
+++ b/hw/xfree86/loader/loader.c
@@ -249,7 +249,7 @@ LoaderOpen(const char *module, const char *cname, int handle,
* Find a free handle.
*/
new_handle = 1;
- while (freeHandles[new_handle] && new_handle < MAX_HANDLE)
+ while (new_handle < MAX_HANDLE && freeHandles[new_handle])
new_handle++;
if (new_handle == MAX_HANDLE) {