zmike pushed a commit to branch master.

http://git.enlightenment.org/core/efl.git/commit/?id=351072711cbdea756421f22abc2382bc98e95e57

commit 351072711cbdea756421f22abc2382bc98e95e57
Author: Stefan Schmidt <s.schm...@samsung.com>
Date:   Tue Sep 24 16:56:48 2019 -0400

    efl_ui_selection_manager: fix potential out of bounds access
    
    Summary:
    We have been casting the selection to unsigned char * for the address of
    sel and not for the value. Coverity pointed this out:
    Overrunning buffer pointed to by (unsigned char *)&sel of 8 bytes by
    passing it to a function which accesses it at byte offset 167 using argument 168
    
    It seems this has been working by memory layout and luck if I understand
    it all correctly.
    
    Coverity ID: 1402666
    
    Reviewers: thiepha, raster, zmike
    
    Reviewed By: zmike
    
    Subscribers: cedric, #reviewers, #committers
    
    Tags: #efl
    
    Differential Revision: https://phab.enlightenment.org/D10107
---
 src/lib/elementary/efl_ui_selection_manager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/elementary/efl_ui_selection_manager.c 
b/src/lib/elementary/efl_ui_selection_manager.c
index 38b1766b9c..3d8e311580 100644
--- a/src/lib/elementary/efl_ui_selection_manager.c
+++ b/src/lib/elementary/efl_ui_selection_manager.c
@@ -1483,7 +1483,7 @@ _x11_efl_sel_manager_drag_start(Eo *obj EINA_UNUSED, 
Efl_Ui_Selection_Manager_Da
    /* TODO BUG: should increase dnd-awareness, in case it's drop target as 
well. See _x11_drag_mouse_up() */
    ecore_x_dnd_aware_set(xwin, EINA_TRUE);
    ecore_x_dnd_callback_pos_update_set(_x11_drag_move, seat_sel);
-   ecore_x_dnd_self_begin(xwin, (unsigned char *)&sel, 
sizeof(Sel_Manager_Selection));
+   ecore_x_dnd_self_begin(xwin, (unsigned char *)sel, 
sizeof(Sel_Manager_Selection));
    actx = _x11_dnd_action_rev_map(seat_sel->drag_action);
    ecore_x_dnd_source_action_set(actx);
    ecore_x_pointer_grab(xwin);
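
Review bot: in the changed `ecore_x_dnd_self_begin()` call, the length is still written as `sizeof(Sel_Manager_Selection)` while the buffer goes through an `(unsigned char *)` cast, so nothing at the call site ties the size to what `sel` points to. That same cast is what let `&sel` compile without a warning. Consider `sizeof(*sel)` so the length follows the pointee's type, and confirm `sel` cannot be NULL here, since the hunk shows no check before it is passed as the data buffer.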
