diff options
author | Alan Coopersmith <alan.coopersmith@sun.com> | 2009-04-30 18:49:06 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@sun.com> | 2009-05-08 12:27:11 -0700 |
commit | b680bda34da130ce408783f04214771471e41e8d (patch) | |
tree | 53a5775815ce6fad580d7e19d89ba4b36368cd4a /hw/xfree86/loader | |
parent | 5cf70183812541b33a6e83c7e1e3bc6198730cbe (diff) |
Fix a couple off-by-one array boundary checks.
Error: Write outside array bounds at Xext/geext.c:406
in function 'GEWindowSetMask' [Symbolic analysis]
In array dereference of cli->nextSib[extension] with index 'extension'
Array size is 128 elements (of 4 bytes each), index <= 128
Error: Buffer overflow at dix/events.c:592
in function 'SetMaskForEvent' [Symbolic analysis]
In array dereference of filters[deviceid] with index 'deviceid'
Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20
Error: Read buffer overflow at hw/xfree86/loader/loader.c:226
in function 'LoaderOpen' [Symbolic analysis]
In array dereference of refCount[new_handle] with index 'new_handle'
Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256
These bugs were found using the Parfait source code analysis tool.
For more information see http://research.sun.com/projects/parfait
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'hw/xfree86/loader')
-rw-r--r-- | hw/xfree86/loader/loader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/xfree86/loader/loader.c b/hw/xfree86/loader/loader.c index ab7736254..1803d0eb1 100644 --- a/hw/xfree86/loader/loader.c +++ b/hw/xfree86/loader/loader.c @@ -223,7 +223,7 @@ LoaderOpen(const char *module, const char *cname, int handle, * Find a free handle. */ new_handle = 1; - while (refCount[new_handle] && new_handle < MAX_HANDLE) + while (new_handle < MAX_HANDLE && refCount[new_handle]) new_handle++; if (new_handle == MAX_HANDLE) { |