[PATCH xserver/hw/xfree86/parser/scan.c] potential buffer overflow The patch below fixes a potential buffer overflow in xf86addComment(). This occurs if curlen > 0 && eol_seen == 0 && iscomment == 0, as follows from the code:
char *xf86addComment(char *cur, char *add)
<...>
len = strlen(add);
endnewline = add[len - 1] == '\n';
len += 1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
if ((str = realloc(cur, len + curlen)) == NULL)
return cur;
cur = str;
if (eol_seen || (curlen && !hasnewline))
cur[curlen++] = '\n';
if (!iscomment)
cur[curlen++] = '#';
strcpy(cur + curlen, add);
if (!endnewline)
strcat(cur, "\n");

Signed-off-by: Servaas Vandenberghe

diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
index 1cff3bc..99b3257 100644
--- a/hw/xfree86/parser/scan.c
+++ b/hw/xfree86/parser/scan.c
@@ -1093,7 +1093,7 @@ char *
 xf86addComment(char *cur, char *add)
 {
     char *str;
-    int len, curlen, iscomment, hasnewline = 0, endnewline;
+    int len, curlen, iscomment, hasnewline = 0, insnewline, endnewline;
     if (add == NULL || add[0] == '\0')
         return cur;
@@ -1118,14 +1118,23 @@ xf86addComment(char *cur, char *add)
     len = strlen(add);
     endnewline = add[len - 1] == '\n';
-    len += 1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
-    if ((str = realloc(cur, len + curlen)) == NULL)
+    insnewline = eol_seen || (curlen && !hasnewline);
+    if (insnewline)
+        len++;
+    if (!iscomment)
+        len++;
+    if (!endnewline)
+        len++;
+
+    /* Allocate + 1 char for '\0' terminator. */
+    str = realloc(cur, curlen + len + 1);
+    if (!str)
         return cur;
     cur = str;
-    if (eol_seen || (curlen && !hasnewline))
+    if (insnewline)
         cur[curlen++] = '\n';
     if (!iscomment)
         cur[curlen++] = '#';
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
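Review bot: `len` and `curlen` stay declared `int` in the first hunk although `len` is assigned from `strlen(add)` and both feed `realloc(cur, curlen + len + 1)` in the second hunk, so the size budget the patch now builds step by step is summed in a signed type (with silent narrowing from `size_t`) before being widened back for the allocation. Changing the declaration to `size_t len, curlen;` and leaving the flags (`iscomment`, `hasnewline`, `insnewline`, `endnewline`) as `int` makes the budget and the allocation agree in type and keeps `-Wconversion` quiet; the `add[len - 1]` index is safe either way because the `add[0] == '\0'` guard in the first hunk ensures `len >= 1`. Where `curlen` is assigned is not visible here (it lies between the two hunks), so its exact source is inferred from its use as a buffer offset. The new comment would also serve a later reader better if it named what the budget covers, e.g. `/* len = strlen(add) + optional leading '\n' + optional '#' + optional trailing '\n'; +1 below is the '\0'. */`, since the writes that consume it (`strcpy(cur + curlen, add)` and the trailing `strcat(cur, "\n")`) sit below the second hunk, outside the shown lines.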