modesetting: Fix potential buffer overflow

If one misconfigures a ZaphodHeads value (more than 20 characters
without a delimiter), we get an overflow of our buffer.  Use
xstrtokenize() instead of writing/fixing our own tokenizer.

Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 04a305121fbc08ecc2ef345ee7155d6087a43fd1)

1 files changed, 14 insertions, 26 deletions

diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 53e1cf545..45d5e9091 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
 static Bool
 drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
 {
-    int i = 0;
-    char s1[20];
-
-    do {
-        switch(*s) {
-        case ',':
-            s1[i] = '\0';
-            i = 0;
-            if (strcmp(s1, output_name) == 0)
-                return TRUE;
-            break;
-        case ' ':
-        case '\t':
-        case '\n':
-        case '\r':
-            break;
-        default:
-            s1[i] = *s;
-            i++;
-            break;
-        }
-    } while(*s++);
+    char **token = xstrtokenize(s, ", \t\n\r");
+    Bool ret = FALSE;
 
-    s1[i] = '\0';
-    if (strcmp(s1, output_name) == 0)
-        return TRUE;
+    if (!token)
+        return FALSE;
 
-    return FALSE;
+    for (int i = 0; token[i]; i++) {
+        if (strcmp(token[i], output_name) == 0)
+            ret = TRUE;
+
+        free(token[i]);
+    }
+
+    free(token);
+
+    return ret;
 }
 
 int