Ignore this - this version isn't quite right either, since it doesn't switch
between the two reply sizes.

        -alan-

On 01/ 5/15 11:42 PM, Alan Coopersmith wrote:
Regression introduced in libXxf86vm 1.1.3 / commit 284a88e21fc05a63466
Unlikely to be hit in practice since it requires out-of-range privsize
or malloc failure while talking to a server using the XFree86 3.x version
of the protocol.

Found by Oracle Parfait 1.5.1:

Error: Uninitialised memory (CWE 456)
    Possible access to uninitialised memory '&rep.length'
         at line 279 of open-src/lib/libXxf86vm/unpacked-src/src/XF86VMode.c in function 'XF86VidModeGetModeLine'.
           &rep.length allocated at line 218.
           &rep.length uninitialised when majorVersion < 2 at line 233.

Signed-off-by: Alan Coopersmith <[email protected]>
---
  src/XF86VMode.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index c7169c7..7762c2b 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -265,7 +265,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* 
dotclock,
        else
            modeline->private = NULL;
        if (modeline->private == NULL) {
-           _XEatDataWords(dpy, rep.length -
+           CARD32 len = (majorVersion < 2) ? oldrep.length : rep.length;
+           _XEatDataWords(dpy, len -
                ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
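Review bot: the amount subtracted on the last line of the hunk, `(SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2`, is still the header size of the new-style reply even when `majorVersion < 2`, so for an old-style server `len` now comes from `oldrep` but the header words removed from it belong to the other reply structure, and `_XEatDataWords` is passed a count that is off by the difference between the two reply sizes. The header size should be selected with the same `(majorVersion < 2)` condition used to pick `len`, for example by computing a per-version reply size next to `len` and subtracting that, so that both operands describe the reply that was actually read.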

--
        -Alan Coopersmith-              [email protected]
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel