diff options
author | Peter Hutterer <peter.hutterer@who-t.net> | 2018-07-18 13:22:43 +1000 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2018-08-02 10:04:10 -0400 |
commit | 9347326d28fffc7534cad0b084539e936aacfd45 (patch) | |
tree | fa75aeea5f2865402ccfd711881e7408eafdfcae | |
parent | cbf1ca2dba7bc3561cf1a8023e5e18706adbdba6 (diff) |
Xext: dynamically allocate the PanoramiXDepths[j].vids array
Control flow is:
PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals)
PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals)
and writes those into the previously allocated array.
This caused invalid reads/writes followed by eventually a double-free abort.
Reproduced with xorg-integration-tests server test
XineramaTest.ScreenCrossing/* (and a bunch of others).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 93cafb0828d2e24bd14616df1aa9883fb843dd6c)
-rw-r--r-- | Xext/panoramiX.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c index 844ea49ce..bd9c45b03 100644 --- a/Xext/panoramiX.c +++ b/Xext/panoramiX.c @@ -751,11 +751,7 @@ PanoramiXMaybeAddDepth(DepthPtr pDepth) PanoramiXNumDepths, sizeof(DepthRec)); PanoramiXDepths[j].depth = pDepth->depth; PanoramiXDepths[j].numVids = 0; - /* XXX suboptimal, should grow these dynamically */ - if (pDepth->numVids) - PanoramiXDepths[j].vids = xallocarray(pDepth->numVids, sizeof(VisualID)); - else - PanoramiXDepths[j].vids = NULL; + PanoramiXDepths[j].vids = NULL; } static void @@ -796,6 +792,9 @@ PanoramiXMaybeAddVisual(VisualPtr pVisual) for (k = 0; k < PanoramiXNumDepths; k++) { if (PanoramiXDepths[k].depth == pVisual->nplanes) { + PanoramiXDepths[k].vids = reallocarray(PanoramiXDepths[k].vids, + PanoramiXDepths[k].numVids + 1, + sizeof(VisualID)); PanoramiXDepths[k].vids[PanoramiXDepths[k].numVids] = pVisual->vid; PanoramiXDepths[k].numVids++; break; |