On Fri, Feb 25, 2011 at 13:08:59 -0500, Adam Jackson wrote: > v2: Slightly more obvious sizing math. > > ==14882== Invalid write of size 2 > ==14882== at 0x6750267: VBEGetVBEInfo (vbe.c:400) > ==14882== by 0x6142064: ??? (in > /usr/lib64/xorg/modules/drivers/vesa_drv.so) > ==14882== by 0x471895: InitOutput (xf86Init.c:519) > ==14882== by 0x422778: main (main.c:205) > ==14882== Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd > ==14882== at 0x4A0640D: malloc (vg_replace_malloc.c:236) > ==14882== by 0x675024B: VBEGetVBEInfo (vbe.c:398) > ==14882== by 0x6142064: ??? (in > /usr/lib64/xorg/modules/drivers/vesa_drv.so) > ==14882== by 0x471895: InitOutput (xf86Init.c:519) > ==14882== by 0x422778: main (main.c:205) > > Signed-off-by: Adam Jackson <a...@redhat.com> > --- > hw/xfree86/vbe/vbe.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c > index bcda5ec..04132d9 100644 > --- a/hw/xfree86/vbe/vbe.c > +++ b/hw/xfree86/vbe/vbe.c > @@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe) > i = 0; > while (modes[i] != 0xffff) > i++; > - block->VideoModePtr = malloc(sizeof(CARD16) * i + 1); > + block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1)); > memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i); > block->VideoModePtr[i] = 0xffff; > Reviewed-by: Julien Cristau <jcris...@debian.org>
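Review bot: the malloc result stored in block->VideoModePtr is used unchecked on the two lines after the changed one: it is passed straight to memcpy and then indexed at [i], so an allocation failure turns into a NULL dereference. A NULL check with an early error return before the memcpy would close that. The while (modes[i] != 0xffff) scan just above also has no upper bound in the visible context, so a mode list without the 0xffff terminator would be read past its end and would drive the allocation size; a cap on i would bound both. The sizing change itself agrees with the valgrind trace: a 2-byte write at offset 72 of a 73-byte block is what sizeof(CARD16) * i + 1 yields for i = 36, and (i + 1) elements gives the 74 bytes the terminator needs.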
Cheers, Julien