vbe: Fix malloc size bug

v2: Slightly more obvious sizing math.

==14882== Invalid write of size 2
==14882==    at 0x6750267: VBEGetVBEInfo (vbe.c:400)
==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
==14882==    by 0x471895: InitOutput (xf86Init.c:519)
==14882==    by 0x422778: main (main.c:205)
==14882==  Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd
==14882==    at 0x4A0640D: malloc (vg_replace_malloc.c:236)
==14882==    by 0x675024B: VBEGetVBEInfo (vbe.c:398)
==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)
==14882==    by 0x471895: InitOutput (xf86Init.c:519)
==14882==    by 0x422778: main (main.c:205)

Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit d8caa782009abf4dc17b945e325e83fda299a534)

1 files changed, 1 insertions, 1 deletions

diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
index bcda5ec35..04132d956 100644
--- a/hw/xfree86/vbe/vbe.c
+++ b/hw/xfree86/vbe/vbe.c
@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)
     i = 0;
     while (modes[i] != 0xffff)
 	i++;
-    block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);
+    block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));
     memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);
     block->VideoModePtr[i] = 0xffff;