https://bugs.freedesktop.org/show_bug.cgi?id=88880
Bug ID: 88880
Summary: glxextensions.c: buffer overflow and incorrect zeroing
Product: Mesa
Version: git
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: GLX
Assignee: mesa-dev@lists.freedesktop.org
Reporter: xypron.g...@gmx.de
QA Contact: mesa-dev@lists.freedesktop.org
In
src/glx/x11/glxextensions.c
a bit field server_support is used for a bitfield. Unfortunately length of the
bitfield is not correctly considered when accessing the field.
In the following code fragment the length of the zeroed memory is the length of
the pointer (4 bytes in case of a 32bit system) not the length of the data the
pointer points to (__GL_EXT_BYTES bytes).
static void
__glXProcessServerString( const struct extension_info * ext,
const char * server_string,
unsigned char * server_support )
{
unsigned base;
unsigned len;
(void) memset( server_support, 0, sizeof( server_support ) );
Furthermore the length of the memory area pointed to by server_support
is defined in varying ways in the coding:
#define __GL_EXT_BYTES ((__NUM_GL_EXTS + 7) / 8)
unsigned char server_support[ __GL_EXT_BYTES ];
unsigned char server_support[8];
Currently __NUM_GL_EXTS = 132, so __GL_EXT_BYTES = 9.
So where server_support[8] is used a buffer overflow by setting a bit may
occur.
__GL_EXT_BYTES should always be used to refer to the length of the bitfield.
This problem was identified with cppcheck.
http://cppcheck.sourceforge.net/
Best regards
Heinrich Schuchardt
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/mesa-dev
