diff options
| author | Peter Hutterer <peter.hutterer@who-t.net> | 2010-06-11 10:12:52 +1000 |
|---|---|---|
| committer | Peter Hutterer <peter.hutterer@who-t.net> | 2010-06-11 11:09:46 +1000 |
| commit | f85552aa452d5f575fee9f6031a33ca79bdc3cc8 (patch) | |
| tree | 065ca23d1a18a42df0702594d0b667b030ad36ed | |
| parent | 83460a94985faafcf7cd09456e833f381f0e13bc (diff) | |
xkb: fix invalid memory writes in _XkbCopyGeom.
Classic strlen/strcpy mistake of
foo = malloc(strlen(bar));
strcpy(foo, bar);
Testcase: valgrind Xephyr :1
==8591== Invalid write of size 1
==8591== at 0x4A0638F: strcpy (mc_replace_strmem.c:311)
==8591== by 0x605593: _XkbCopyGeom (xkbUtils.c:1994)
==8591== by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591== by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591== by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591== by 0x447162: ActivateDevice (devices.c:530)
==8591== by 0x4475D6: InitCoreDevices (devices.c:672)
==8591== by 0x4449EE: main (main.c:254)
==8591== Address 0x6f96505 is 0 bytes after a block of size 53 alloc'd
==8591== at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==8591== by 0x6054B7: _XkbCopyGeom (xkbUtils.c:1980)
==8591== by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591== by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591== by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591== by 0x447162: ActivateDevice (devices.c:530)
==8591== by 0x4475D6: InitCoreDevices (devices.c:672)
==8591== by 0x4449EE: main (main.c:254)
Reported-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by-and-apologised-for: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 7f19a7a6e90a4fd7b7ec0256974f62e575218541)
Conflicts:
xkb/xkbUtils.c
| -rw-r--r-- | xkb/xkbUtils.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c index 6d0901a36..b1e0e552c 100644 --- a/xkb/xkbUtils.c +++ b/xkb/xkbUtils.c @@ -1977,7 +1977,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst) /* font */ if (src->geom->label_font) { if (!dst->geom->label_font) { - tmp = xalloc(strlen(src->geom->label_font)); + tmp = xalloc(strlen(src->geom->label_font) + 1); if (!tmp) return FALSE; dst->geom->label_font = tmp; @@ -1985,7 +1985,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst) else if (strlen(src->geom->label_font) != strlen(dst->geom->label_font)) { tmp = xrealloc(dst->geom->label_font, - strlen(src->geom->label_font)); + strlen(src->geom->label_font) + 1); if (!tmp) return FALSE; dst->geom->label_font = tmp; |