From 597747c6551cd67487069415297e5eb441038321 Mon Sep 17 00:00:00 2001 From: Jeremy Huddleston Date: Sat, 9 May 2009 11:42:17 -0700 Subject: Fix a couple off-by-one array boundary checks. Error: Write outside array bounds at Xext/geext.c:406 in function 'GEWindowSetMask' [Symbolic analysis] In array dereference of cli->nextSib[extension] with index 'extension' Array size is 128 elements (of 4 bytes each), index <= 128 Error: Buffer overflow at dix/events.c:592 in function 'SetMaskForEvent' [Symbolic analysis] In array dereference of filters[deviceid] with index 'deviceid' Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20 Error: Read buffer overflow at hw/xfree86/loader/loader.c:226 in function 'LoaderOpen' [Symbolic analysis] In array dereference of refCount[new_handle] with index 'new_handle' Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256 These bugs were found using the Parfait source code analysis tool. For more information see http://research.sun.com/projects/parfait Signed-off-by: Alan Coopersmith Signed-off-by: Adam Jackson Acked-by: Peter Hutterer (cherry picked from commit b680bda34da130ce408783f04214771471e41e8d) (cherry picked from commit 04c9e80f083659e63cffec8969fb3a0cfc551a97) Signed-off-by: Keith Packard --- Xext/geext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Xext') diff --git a/Xext/geext.c b/Xext/geext.c index a58db038e..7ab99517d 100644 --- a/Xext/geext.c +++ b/Xext/geext.c @@ -364,7 +364,7 @@ GEWindowSetMask(ClientPtr pClient, DeviceIntPtr pDev, extension = (extension & 0x7F); - if (extension > MAXEXTENSIONS) + if (extension >= MAXEXTENSIONS) { ErrorF("Invalid extension number.\n"); return; -- cgit v1.2.3