diff options
author | Daniel Martin <consume.noise@gmail.com> | 2017-10-27 16:11:53 +0200 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2017-10-30 13:44:34 -0400 |
commit | 04a305121fbc08ecc2ef345ee7155d6087a43fd1 (patch) | |
tree | e23bde86e256442192acbb30683c8ce2c4c88d1b | |
parent | 2230e6c8af92b041821eee0ea6210eda82c74106 (diff) |
modesetting: Fix potential buffer overflow
If one misconfigures a ZaphodHeads value (more than 20 characters
without a delimiter), we get an overflow of our buffer. Use
xstrtokenize() instead of writing/fixing our own tokenizer.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
-rw-r--r-- | hw/xfree86/drivers/modesetting/drmmode_display.c | 40 | ||||
-rw-r--r-- | include/misc.h | 2 |
2 files changed, 15 insertions, 27 deletions
diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c index 5bfae0b03..e14833dee 100644 --- a/hw/xfree86/drivers/modesetting/drmmode_display.c +++ b/hw/xfree86/drivers/modesetting/drmmode_display.c @@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int static Bool drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name) { - int i = 0; - char s1[20]; - - do { - switch(*s) { - case ',': - s1[i] = '\0'; - i = 0; - if (strcmp(s1, output_name) == 0) - return TRUE; - break; - case ' ': - case '\t': - case '\n': - case '\r': - break; - default: - s1[i] = *s; - i++; - break; - } - } while(*s++); + char **token = xstrtokenize(s, ", \t\n\r"); + Bool ret = FALSE; - s1[i] = '\0'; - if (strcmp(s1, output_name) == 0) - return TRUE; + if (!token) + return FALSE; - return FALSE; + for (int i = 0; token[i]; i++) { + if (strcmp(token[i], output_name) == 0) + ret = TRUE; + + free(token[i]); + } + + free(token); + + return ret; } int diff --git a/include/misc.h b/include/misc.h index 9d0e422e3..14920c3c3 100644 --- a/include/misc.h +++ b/include/misc.h @@ -233,7 +233,7 @@ padding_for_int32(const int bytes) } -extern char **xstrtokenize(const char *str, const char *separators); +extern _X_EXPORT char **xstrtokenize(const char *str, const char *separators); extern void FormatInt64(int64_t num, char *string); extern void FormatUInt64(uint64_t num, char *string); extern void FormatUInt64Hex(uint64_t num, char *string); |