author | Jeremy Huddleston <jeremyhu@freedesktop.org> | 2009-05-09 11:42:17 -0700 |
---|---|---|
committer | Jeremy Huddleston <jeremyhu@freedesktop.org> | 2009-05-09 11:42:17 -0700 |
commit | 04c9e80f083659e63cffec8969fb3a0cfc551a97 (patch) | |
tree | 6ef08f1b62c9141d2b0d12f8ee960cb0ddaf4f76 | |
parent | 71a4dcb1d8cb2962d99e34262886930fc30429c8 (diff) |
Fix a couple off-by-one array boundary checks.
Error: Write outside array bounds at Xext/geext.c:406
in function 'GEWindowSetMask' [Symbolic analysis]
In array dereference of cli->nextSib[extension] with index 'extension'
Array size is 128 elements (of 4 bytes each), index <= 128
Error: Buffer overflow at dix/events.c:592
in function 'SetMaskForEvent' [Symbolic analysis]
In array dereference of filters[deviceid] with index 'deviceid'
Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20
Error: Read buffer overflow at hw/xfree86/loader/loader.c:226
in function 'LoaderOpen' [Symbolic analysis]
In array dereference of refCount[new_handle] with index 'new_handle'
Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256
These bugs were found using the Parfait source code analysis tool.
For more information see http://research.sun.com/projects/parfait
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit b680bda34da130ce408783f04214771471e41e8d)
-rw-r--r-- | Xext/geext.c | 2 | ||||
-rw-r--r-- | dix/events.c | 2 | ||||
-rw-r--r-- | hw/xfree86/loader/loader.c | 2 |
3 files changed, 3 insertions, 3 deletions
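--- a/Xext/geext.c
+++ b/Xext/geext.c
@@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev,
 
 extension = (extension & 0x7F);
 
-if (extension > MAXEXTENSIONS)
+if (extension >= MAXEXTENSIONS)
 {
 ErrorF("Invalid extension number.\n");
 return;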
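Review bot: After `extension = (extension & 0x7F);` on line 365 the value is at most 127, so if MAXEXTENSIONS is 128 (the array size the analysis report in the commit message gives) the corrected `extension >= MAXEXTENSIONS` test on line 367 can never be true. The mask also folds an out-of-range extension number onto a valid slot instead of rejecting it, which may be intended for opcodes in the 128-255 range but is not stated anywhere in the hunk. I would add a comment above the mask, for example `/* fold opcode into 0..127; the range check below is defensive and only fires if MAXEXTENSIONS < 128 */`, or validate the raw value before masking if invalid numbers are meant to be reported. GEWindowSetMask starts and ends outside the hunk.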
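--- a/dix/events.c
+++ b/dix/events.c
@@ -761,7 +761,7 @@ void
 SetMaskForEvent(int deviceid, Mask mask, int event)
 {
 int coretype;
-if (deviceid < 0 || deviceid > MAXDEVICES)
+if (deviceid < 0 || deviceid >= MAXDEVICES)
 FatalError("SetMaskForEvent: bogus device id");
 if ((event < LASTEvent) || (event >= 128))
 FatalError("SetMaskForEvent: bogus event number");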
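Review bot: The event bound on line 766 is still the literal `128` while the device bound beside it uses MAXDEVICES, so the second index is guarded by a number that must be kept in step with the array by hand, the same kind of drift this commit fixes for `deviceid`. Assuming `filters` is a two-dimensional array, as the analysis output in the commit message suggests, the bound can be derived from it: `if (event < LASTEvent || event >= (int)(sizeof(filters[0]) / sizeof(filters[0][0])))`. Both checks end in FatalError, which takes the whole server down; that is acceptable only if no caller can pass a client-supplied id or event number, and the callers are not visible here. SetMaskForEvent continues past the end of the hunk.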
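--- a/hw/xfree86/loader/loader.c
+++ b/hw/xfree86/loader/loader.c
@@ -249,7 +249,7 @@ LoaderOpen(const char *module, const char *cname, int handle,
 * Find a free handle.
 */
 new_handle = 1;
-while (freeHandles[new_handle] && new_handle < MAX_HANDLE)
+while (new_handle < MAX_HANDLE && freeHandles[new_handle])
 new_handle++;
 
 if (new_handle == MAX_HANDLE) {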
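Review bot: The reordered condition on line 252 is safe only because `&&` short-circuits, and nothing in the code says so; a comment such as `/* bounds test first: freeHandles[new_handle] must not be read when new_handle == MAX_HANDLE */` would keep a later cleanup from swapping the operands back. The analysis report in the commit message names `refCount[new_handle]`, while this loop indexes `freeHandles`, so on this cherry-picked branch it is worth confirming that both arrays have MAX_HANDLE entries and that no `refCount[new_handle]` access is reachable before the `new_handle == MAX_HANDLE` check on line 255. LoaderOpen starts and ends outside the hunk.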