authorDaphne Pfister <daphnediane@mac.com>2013-06-01 22:27:23 -0400
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-06-01 20:03:43 -0700
commit22cc0c897a28a41d49fe68277bb3c002f54bbb48 (patch)
tree455f0f78149be3933b1f853715cc27bf0f635bb7
parentedfb6fc397686c1892603d0f86a9aadf14dbc12e (diff)
Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory.
This patch attempts to fix this bug by ensuring that there is at least one nil byte at the end of all the name strings. This should prevent reading past the end of the allocation as well as exposing uninitialized memory. Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/Xv.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/Xv.c b/src/Xv.c
index 15c0bfd..8c45401 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
unsigned long size;
/* limit each part to no more than one half the max size */
if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
- (rep.text_size < (INT_MAX / 2))) {
- size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ (rep.text_size < (INT_MAX / 2)-1)) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
ret = Xmalloc(size);
}
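Review bot: Folding the terminator byte into `size` itself (`... + rep.text_size + 1`) is only safe if `size` is used for nothing but the `Xmalloc` call. If the code after this hunk (not visible here) keeps using `size` as the remaining room for name data, that budget is now one byte larger than `rep.text_size`, and the `*marker = '\0';` added in the second hunk could land one byte past the allocation when a reply fills it completely. Keeping the spare byte out of the budget avoids the question: leave `size` as the sum of the two parts and allocate with `ret = Xmalloc(size + 1);`. The comment above the test could also say that the text part is capped one byte lower to leave room for the terminator.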
@@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
}
(*num)++;
}
+
+ /* ensure final string is nil-terminated to avoid exposure of
+ uninitialized memory */
+ *marker = '\0';
} else
_XEatDataWords(dpy, rep.length);
}
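Review bot: The single `*marker = '\0';` after the loop terminates only the last name; each earlier name ends wherever the bytes received for it happen to contain a NUL, and nothing in the visible lines checks that. Reads stay bounded by the final terminator, but a reply carrying an unterminated name would make that name run into the following one when a caller treats it as a C string. The loop starts outside this hunk, so whether per-name lengths or terminators are validated there cannot be seen from here. If they are not, the comment should state the limit, e.g. `/* terminates the last name only; earlier names rely on the NUL sent with each name */`.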