diff options
author | Servaas Vandenberghe <vdb@picaros.org> | 2011-08-31 07:06:49 +0200 |
---|---|---|
committer | Peter Hutterer <peter.hutterer@who-t.net> | 2011-10-31 09:39:04 +1000 |
commit | 820d9040f50a8440741b3aefbc069a3ad81e824e (patch) | |
tree | 2ee7a91f1bd55b6b163f76b61ee2fe526357585d /test/xfree86.c | |
parent | 63e87b8639eb8e0b4e32e5d3a09099d31a03bbcd (diff) |
xfree86: fix potential buffer overflow
The patch below fixes a potential buffer overflow in xf86addComment().
This occurs if curlen > 0 && eol_seen == 0 && iscomment == 0 , as
follows from the code:
char *xf86addComment(char *cur, char *add)
<...>
len = strlen(add);
endnewline = add[len - 1] == '\n';
len += 1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
if ((str = realloc(cur, len + curlen)) == NULL)
return cur;
cur = str;
if (eol_seen || (curlen && !hasnewline))
cur[curlen++] = '\n';
if (!iscomment)
cur[curlen++] = '#';
strcpy(cur + curlen, add);
if (!endnewline)
strcat(cur, "\n");
Signed-off-by: Servaas Vandenberghe <vdb@picaros.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
[whot: added buffer overflow test case]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'test/xfree86.c')
-rw-r--r-- | test/xfree86.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/test/xfree86.c b/test/xfree86.c index 7012e90c3..448aa915e 100644 --- a/test/xfree86.c +++ b/test/xfree86.c @@ -29,6 +29,7 @@ #include "xf86.h" +#include "xf86Parser.h" static void xfree86_option_list_duplicate(void) @@ -73,9 +74,34 @@ xfree86_option_list_duplicate(void) assert(a && b); } +static void +xfree86_add_comment(void) +{ + char *current = NULL, *comment; + char compare[1024] = {0}; + + comment = "# foo"; + current = xf86addComment(current, comment); + strcpy(compare, comment); + strcat(compare, "\n"); + + assert(!strcmp(current, compare)); + + /* this used to overflow */ + strcpy(current, "\n"); + comment = "foobar\n"; + current = xf86addComment(current, comment); + strcpy(compare, "\n#"); + strcat(compare, comment); + assert(!strcmp(current, compare)); + + free(current); +} + int main(int argc, char** argv) { xfree86_option_list_duplicate(); + xfree86_add_comment(); return 0; } |