authorPeter Hutterer <peter.hutterer@who-t.net>2018-07-18 13:22:43 +1000
committerAdam Jackson <ajax@redhat.com>2018-08-02 10:04:10 -0400
commit9347326d28fffc7534cad0b084539e936aacfd45 (patch)
treefa75aeea5f2865402ccfd711881e7408eafdfcae
parentcbf1ca2dba7bc3561cf1a8023e5e18706adbdba6 (diff)
Xext: dynamically allocate the PanoramiXDepths[j].vids array
Control flow is: PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals) PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals) and writes those into the previously allocated array. This caused invalid reads/writes followed by eventually a double-free abort. Reproduced with xorg-integration-tests server test XineramaTest.ScreenCrossing/* (and a bunch of others). Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 93cafb0828d2e24bd14616df1aa9883fb843dd6c)
-rw-r--r--Xext/panoramiX.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 844ea49ce..bd9c45b03 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -751,11 +751,7 @@ PanoramiXMaybeAddDepth(DepthPtr pDepth)
PanoramiXNumDepths, sizeof(DepthRec));
PanoramiXDepths[j].depth = pDepth->depth;
PanoramiXDepths[j].numVids = 0;
- /* XXX suboptimal, should grow these dynamically */
- if (pDepth->numVids)
- PanoramiXDepths[j].vids = xallocarray(pDepth->numVids, sizeof(VisualID));
- else
- PanoramiXDepths[j].vids = NULL;
+ PanoramiXDepths[j].vids = NULL;
}
static void
@@ -796,6 +792,9 @@ PanoramiXMaybeAddVisual(VisualPtr pVisual)
for (k = 0; k < PanoramiXNumDepths; k++) {
if (PanoramiXDepths[k].depth == pVisual->nplanes) {
+ PanoramiXDepths[k].vids = reallocarray(PanoramiXDepths[k].vids,
+ PanoramiXDepths[k].numVids + 1,
+ sizeof(VisualID));
PanoramiXDepths[k].vids[PanoramiXDepths[k].numVids] = pVisual->vid;
PanoramiXDepths[k].numVids++;
break;
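Review bot: The result of `reallocarray()` is assigned straight back to `PanoramiXDepths[k].vids` and indexed on the next line, so a failed allocation would replace the only pointer to the existing array with NULL, leaking it, and the store of `pVisual->vid` would then write through a null pointer. Taking the result in a temporary and committing it only on success keeps the old array and `numVids` consistent with each other. PanoramiXMaybeAddVisual appears to return void and its body continues outside the hunk, so whether a failed grow should skip the visual or be treated as fatal is for the author to decide; the sketch below skips it.
```c
if (PanoramiXDepths[k].depth == pVisual->nplanes) {
    VisualID *grown = reallocarray(PanoramiXDepths[k].vids,
                                   PanoramiXDepths[k].numVids + 1,
                                   sizeof(VisualID));
    if (!grown)
        break; /* old array and numVids are left untouched */
    PanoramiXDepths[k].vids = grown;
    /* … unchanged: store pVisual->vid, numVids++, break … */
```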