[PATCH libdrm] xf86drm: Bound strstr() to the allocated data

Damien Lespiau Fri, 22 Jan 2016 12:51:23 +0000

We are reading at most sizeof(data) bytes, but then data may not contain
a terminating '\0', at least in theory, so strstr() may overflow the
stack allocated array.


Make sure that data always contains at least one '\0'.

Signed-off-by: Damien Lespiau <damien.lespiau at intel.com>
---
 xf86drm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xf86drm.c b/xf86drm.c
index 7e28b4f..5f587d9 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -2863,7 +2863,7 @@ static int drmParsePciBusInfo(int maj, int min, 
drmPciBusInfoPtr info)
 {
 #ifdef __linux__
     char path[PATH_MAX + 1];
-    char data[128];
+    char data[128 + 1];
     char *str;
     int domain, bus, dev, func;
     int fd, ret;
@@ -2874,6 +2874,7 @@ static int drmParsePciBusInfo(int maj, int min, 
drmPciBusInfoPtr info)
         return -errno;

     ret = read(fd, data, sizeof(data));
+    data[128] = '\0';
     close(fd);
     if (ret < 0)
         return -errno;
-- 
2.4.3

[PATCH libdrm] xf86drm: Bound strstr() to the allocated data

Reply via email to