Fix a couple off-by-one array boundary checks.

Error: Write outside array bounds at Xext/geext.c:406
        in function 'GEWindowSetMask' [Symbolic analysis]
       In array dereference of cli->nextSib[extension] with index 'extension'
       Array size is 128 elements (of 4 bytes each), index <= 128

Error: Buffer overflow at dix/events.c:592
	in function 'SetMaskForEvent' [Symbolic analysis]
       In array dereference of filters[deviceid] with index 'deviceid'
       Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20

Error: Read buffer overflow at hw/xfree86/loader/loader.c:226
	in function 'LoaderOpen' [Symbolic analysis]
       In array dereference of refCount[new_handle] with index 'new_handle'
       Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256

These bugs were found using the Parfait source code analysis tool.
For more information see http://research.sun.com/projects/parfait

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>

1 files changed, 1 insertions, 1 deletions

diff --git a/Xext/geext.c b/Xext/geext.c
index a58db038e..7ab99517d 100644
--- a/Xext/geext.c
+++ b/Xext/geext.c
@@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev,
 
     extension = (extension & 0x7F);
 
-    if (extension > MAXEXTENSIONS)
+    if (extension >= MAXEXTENSIONS)
     {
         ErrorF("Invalid extension number.\n");
         return;