From dd4fceee0ef5e01e0b777a1b09de81d094ddae8b Mon Sep 17 00:00:00 2001
From: Daphne Pfister
Date: Sat, 1 Jun 2013 22:27:23 -0400
Subject: [PATCH] Bug 65252: Ensure final name is nil-terminated and that none of the returned names point to uninitialized memory.
---
 src/Xv.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index f268f8e..a0c580b 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -854,8 +854,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 unsigned long size;
 /* limit each part to no more than one half the max size */
 if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
- (rep.text_size < (INT_MAX / 2))) {
- size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ (rep.text_size < (INT_MAX / 2)-1)) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
 ret = Xmalloc(size);
 }
 
@@ -880,6 +880,9 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 }
 (*num)++;
 }
+
+ /* ensure final string is nil-terminated to avoid exposure of uninitialized memory */
+ *marker = '\0';
 } else
 _XEatDataWords(dpy, rep.length);
 }
-- 
1.7.9.6 (Apple Git-31.1)
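Review bot: The comment above the size check in the first hunk still reads "limit each part to no more than one half the max size", but the new bound is `(INT_MAX / 2)-1` and the allocation gains `+ 1`, and nothing on these lines says the extra byte is reserved for the terminator that the second hunk stores through `marker`. I would add a line such as `/* one extra byte is reserved for the terminator stored after the last name */` next to the `size` computation, and space the bound as `(INT_MAX / 2) - 1` to match the surrounding expressions. The two changes are only correct together: if the `+ 1` were dropped later and the names can fill the text area completely, the terminating store would become a one-byte heap write past `ret`, so the coupling deserves a comment. The enclosing function starts and ends outside the hunk.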
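Review bot: The single `*marker = '\0';` added after the loop in the second hunk bounds string reads to the allocation, but it does not by itself make each returned name a separate, well-formed string: nothing visible here checks that the server-supplied bytes for an entry contain their own terminator, so an entry without one would presumably read on into the following name. The loop body that sets the name pointers and advances `marker` begins outside the hunk, so whether entries are individually validated cannot be confirmed from these lines. I would state the guarantee precisely in the comment, for example `/* names come from the server unvalidated; this byte only guarantees reads stop inside ret */`, and write "NUL-terminated" rather than "nil-terminated". Callers that display or compare the returned names should treat them as untrusted input.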