summaryrefslogtreecommitdiff
path: root/test/xfree86.c
diff options
context:
space:
mode:
authorServaas Vandenberghe <vdb@picaros.org>2011-08-31 07:06:49 +0200
committerPeter Hutterer <peter.hutterer@who-t.net>2011-10-31 09:39:04 +1000
commit820d9040f50a8440741b3aefbc069a3ad81e824e (patch)
tree2ee7a91f1bd55b6b163f76b61ee2fe526357585d /test/xfree86.c
parent63e87b8639eb8e0b4e32e5d3a09099d31a03bbcd (diff)
xfree86: fix potential buffer overflow
The patch below fixes a potential buffer overflow in xf86addComment(). This occurs if curlen > 0 && eol_seen == 0 && iscomment == 0 , as follows from the code: char *xf86addComment(char *cur, char *add) <...> len = strlen(add); endnewline = add[len - 1] == '\n'; len += 1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen; if ((str = realloc(cur, len + curlen)) == NULL) return cur; cur = str; if (eol_seen || (curlen && !hasnewline)) cur[curlen++] = '\n'; if (!iscomment) cur[curlen++] = '#'; strcpy(cur + curlen, add); if (!endnewline) strcat(cur, "\n"); Signed-off-by: Servaas Vandenberghe <vdb@picaros.org> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> [whot: added buffer overflow test case] Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'test/xfree86.c')
-rw-r--r--test/xfree86.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/test/xfree86.c b/test/xfree86.c
index 7012e90c3..448aa915e 100644
--- a/test/xfree86.c
+++ b/test/xfree86.c
@@ -29,6 +29,7 @@
#include "xf86.h"
+#include "xf86Parser.h"
static void
xfree86_option_list_duplicate(void)
@@ -73,9 +74,34 @@ xfree86_option_list_duplicate(void)
assert(a && b);
}
+static void
+xfree86_add_comment(void)
+{
+ char *current = NULL, *comment;
+ char compare[1024] = {0};
+
+ comment = "# foo";
+ current = xf86addComment(current, comment);
+ strcpy(compare, comment);
+ strcat(compare, "\n");
+
+ assert(!strcmp(current, compare));
+
+ /* this used to overflow */
+ strcpy(current, "\n");
+ comment = "foobar\n";
+ current = xf86addComment(current, comment);
+ strcpy(compare, "\n#");
+ strcat(compare, comment);
+ assert(!strcmp(current, compare));
+
+ free(current);
+}
+
int main(int argc, char** argv)
{
xfree86_option_list_duplicate();
+ xfree86_add_comment();
return 0;
}