author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2015-01-05 22:52:39 -0800 |
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2015-01-09 22:00:04 -0800 |
commit | 723f4a1430dad0d495e3c83c7c95edb94e9f4304 (patch) | |
tree | f7134cd5226ad87f076a53086b87c3479c007527 | |
parent | f3cdbabadd4626a030e3ac139a333450a462e055 (diff) |
Discard correct length for old-format replies in XF86VidModeGetGamma
Regression introduced in libXxf86vm 1.1.3 / commit 284a88e21fc05a63466
Unlikely to be hit in practice since it requires out-of-range privsize
or malloc failure while talking to a server using the XFree86 3.x version
of the protocol.
Found by Oracle Parfait 1.5.1:
Error: Uninitialised memory (CWE 456)
Possible access to uninitialised memory '&rep.length'
at line 279 of open-src/lib/libXxf86vm/unpacked-src/src/XF86VMode.c in function 'XF86VidModeGetModeLine'.
&rep.length allocated at line 218.
&rep.length uninitialised when majorVersion < 2 at line 233.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-rw-r--r-- | src/XF86VMode.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index c7169c7..d13da14 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -204,10 +204,9 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
 XF86VidModeModeLine* modeline) { XExtDisplayInfo *info = find_display (dpy);
- xXF86VidModeGetModeLineReply rep;
- xXF86OldVidModeGetModeLineReply oldrep;
 xXF86VidModeGetModeLineReq *req;
 int majorVersion, minorVersion;
+ CARD32 remaining_len;
 Bool result = True;
 XF86VidModeCheckExtension (dpy, info, False);
@@ -220,12 +219,16 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
 req->screen = screen;
 if (majorVersion < 2) {
+ xXF86OldVidModeGetModeLineReply oldrep;
+
 if (!_XReply(dpy, (xReply *)&oldrep, (SIZEOF(xXF86OldVidModeGetModeLineReply) - SIZEOF(xReply)) >> 2, xFalse)) {
 UnlockDisplay(dpy);
 SyncHandle();
 return False;
 }
+ remaining_len = oldrep.length -
+ ((SIZEOF(xXF86OldVidModeGetModeLineReply) - SIZEOF(xReply)) >> 2);
 *dotclock = oldrep.dotclock;
 modeline->hdisplay = oldrep.hdisplay;
 modeline->hsyncstart = oldrep.hsyncstart;
@@ -239,12 +242,16 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
 modeline->flags = oldrep.flags;
 modeline->privsize = oldrep.privsize;
 } else {
+ xXF86VidModeGetModeLineReply rep;
+
 if (!_XReply(dpy, (xReply *)&rep, (SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2, xFalse)) {
 UnlockDisplay(dpy);
 SyncHandle();
 return False;
 }
+ remaining_len = rep.length -
+ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2);
 *dotclock = rep.dotclock;
 modeline->hdisplay = rep.hdisplay;
 modeline->hsyncstart = rep.hsyncstart;
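Review bot: `remaining_len = oldrep.length - ((SIZEOF(xXF86OldVidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)` is an unsigned CARD32 subtraction driven entirely by the server-supplied `length`, so a reply whose `length` is smaller than the fixed part wraps to a value near 4G, and that is the count later handed to `_XEatDataWords(dpy, remaining_len)`. Nothing in this hunk shows that `_XReply` rejects a reply shorter than the `extra` words it was asked for, so unless libX11 guarantees that, clamp before subtracting: `if (oldrep.length < fixed_words) { UnlockDisplay(dpy); SyncHandle(); return False; }` with `fixed_words` holding the shifted SIZEOF expression. The same applies to the `rep.length` mirror in the next hunk, and naming that expression once per branch would also keep the four copies of it from drifting. XF86VidModeGetModeLine begins before this hunk and continues after it.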
@@ -265,8 +272,7 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
 else modeline->private = NULL;
 if (modeline->private == NULL) {
- _XEatDataWords(dpy, rep.length -
- ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+ _XEatDataWords(dpy, remaining_len);
 result = False;
 } else _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32)); |
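Review bot: On the success path `_XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32))` consumes exactly `privsize` words, but nothing discards the rest when the server's `length` exceeds the fixed part plus `privsize`; whether that can happen depends on the `privsize` range check above this hunk, which is outside my view. If that check admits `privsize < remaining_len` rather than requiring equality, add `_XEatDataWords(dpy, remaining_len - modeline->privsize);` after the `_XRead` (or reject the reply up front) so the connection does not desync on trailing data. The `_XEatDataWords(dpy, remaining_len)` fix itself is right for both reply formats as far as this hunk shows, and deserves a why-comment where it is consumed: `/* discard the private words we could not allocate for, keeping the stream in sync */`. The enclosing XF86VidModeGetModeLine begins before this hunk.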