xfree86: fix potential buffer overflow

The patch below fixes a potential buffer overflow in xf86addComment(). This occurs if curlen > 0 && eol_seen == 0 && iscomment == 0 , as follows from the code: char *xf86addComment(char *cur, char *add) <...> len = strlen(add); endnewline = add[len - 1] == '\n'; len += 1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen; if ((str = realloc(cur, len + curlen)) == NULL) return cur; cur = str; if (eol_seen || (curlen && !hasnewline)) cur[curlen++] = '\n'; if (!iscomment) cur[curlen++] = '#'; strcpy(cur + curlen, add); if (!endnewline) strcat(cur, "\n"); Signed-off-by: Servaas Vandenberghe <vdb@picaros.org> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> [whot: added buffer overflow test case] Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
author: Servaas Vandenberghe <vdb@picaros.org> 2011-08-31 07:06:49 +0200
committer: Peter Hutterer <peter.hutterer@who-t.net> 2011-10-31 09:39:04 +1000
commit: 820d9040f50a8440741b3aefbc069a3ad81e824e (patch)
tree: 2ee7a91f1bd55b6b163f76b61ee2fe526357585d /hw/xfree86/parser
parent: 63e87b8639eb8e0b4e32e5d3a09099d31a03bbcd (diff)
1 files changed, 13 insertions, 4 deletions
diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
index 1cff3bc5c..99b325717 100644
--- a/hw/xfree86/parser/scan.c
+++ b/hw/xfree86/parser/scan.c
@@ -1093,7 +1093,7 @@ char *
 xf86addComment(char *cur, char *add)
 {
 	char *str;
-	int len, curlen, iscomment, hasnewline = 0, endnewline;
+	int len, curlen, iscomment, hasnewline = 0, insnewline, endnewline;
 
 	if (add == NULL || add[0] == '\0')
 		return cur;
@@ -1118,14 +1118,23 @@ xf86addComment(char *cur, char *add)
 
 	len = strlen(add);
 	endnewline = add[len - 1] == '\n';
-	len +=  1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
 
-	if ((str = realloc(cur, len + curlen)) == NULL)
+	insnewline = eol_seen || (curlen && !hasnewline);
+	if (insnewline)
+		len++;
+	if (!iscomment)
+		len++;
+	if (!endnewline)
+		len++;
+
+	/* Allocate + 1 char for '\0' terminator. */
+	str = realloc(cur, curlen + len + 1);
+	if (!str)
 		return cur;
 
 	cur = str;
 
-	if (eol_seen || (curlen && !hasnewline))
+	if (insnewline)
 		cur[curlen++] = '\n';
 	if (!iscomment)
 		cur[curlen++] = '#';
author	Servaas Vandenberghe <vdb@picaros.org>	2011-08-31 07:06:49 +0200
committer	Peter Hutterer <peter.hutterer@who-t.net>	2011-10-31 09:39:04 +1000
commit	820d9040f50a8440741b3aefbc069a3ad81e824e (patch)
tree	2ee7a91f1bd55b6b163f76b61ee2fe526357585d /hw/xfree86/parser
parent	63e87b8639eb8e0b4e32e5d3a09099d31a03bbcd (diff)