Am 31.08.2011 07:06, schrieb v...@picaros.org:
> [PATCH xserver/hw/xfree86/parser/scan.c] potential buffer overflow
> 
> The patch below fixes a potential buffer overflow in xf86addComment().  
> This occurs when curlen > 0 && eol_seen == 0 && iscomment == 0, as
> follows from the code:
> 
> char *xf86addComment(char *cur, char *add)
> 
> <...>
> 
>         len = strlen(add);
>         endnewline = add[len - 1] == '\n';
>         len +=  1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
> 
>         if ((str = realloc(cur, len + curlen)) == NULL)
>                 return cur;
> 
>         cur = str;
> 
>         if (eol_seen || (curlen && !hasnewline))
>                 cur[curlen++] = '\n';
>         if (!iscomment)
>                 cur[curlen++] = '#';
>         strcpy(cur + curlen, add);
>         if (!endnewline)
>                 strcat(cur, "\n");
> 
> Signed-off-by: Servaas Vandenberghe
> diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
> index 1cff3bc..99b3257 100644
> --- a/hw/xfree86/parser/scan.c
> +++ b/hw/xfree86/parser/scan.c
> @@ -1093,7 +1093,7 @@ char *
>  xf86addComment(char *cur, char *add)
>  {
>       char *str;
> -     int len, curlen, iscomment, hasnewline = 0, endnewline;
> +     int len, curlen, iscomment, hasnewline = 0, insnewline, endnewline;
>  
>       if (add == NULL || add[0] == '\0')
>               return cur;
> @@ -1118,14 +1118,23 @@ xf86addComment(char *cur, char *add)
>  
>       len = strlen(add);
>       endnewline = add[len - 1] == '\n';
> -     len +=  1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
>  
> -     if ((str = realloc(cur, len + curlen)) == NULL)
> +     insnewline = eol_seen || (curlen && !hasnewline);
> +     if (insnewline)
> +             len++;
> +     if (!iscomment)
> +             len++;
> +     if (!endnewline)
> +             len++;
> +
> +     /* Allocate + 1 char for '\0' terminator. */
> +     str = realloc(cur, curlen + len + 1);
> +     if (!str)
>               return cur;
>  
>       cur = str;
>  
> -     if (eol_seen || (curlen && !hasnewline))
> +     if (insnewline)
>               cur[curlen++] = '\n';
>       if (!iscomment)
>               cur[curlen++] = '#';


As far as I understand, the code appends a comment string ("#fusel") to an existing string
("blah"), stripping the trailing \n first.
A more easy way could be using asprintf() like that

result=asprintf(&buf,"%s#%s\n",cur,add);
free(cur); cur=result;

re,
 wh


