Bug 1989

Summary: Invalid write in DMXAddScreen in libdmx
Product: xorg
Reporter: Mark McLoughlin <mark>
Component: Server/DDX/dmx
Assignee: dmx-bugs
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: high
CC: roland.mainz
Version: git
Hardware: x86 (IA32)
OS: Linux (All)
Whiteboard:

Attachments (description, flags):
[FIXED_X11R68x] patch (roland.mainz: 6.8-branch+)
[FIXED_X11R68x] patch for DMXAddInput() too (roland.mainz: 6.8-branch+)

Description Mark McLoughlin 2004-12-02 04:21:13 UTC
This sequence of code in DMXAddScreen():

  length = displayName ? strlen(displayName) : 0;
  paddedLength = (length + 3) & ~3;

  if (length) {
    char *buffer = Xmalloc(paddedLength);

    memset(buffer, 0, paddedLength);
    strcpy(buffer, displayName);
  }

if displayName is a multiple of 4 the nul byte gets written past the end of the
allocated buffer. This can cause crashes if it overwrites some heap memchunk
accounting details.

Attaching trivial patch
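
Added example, not code from this bug report or its attached patches: it computes how far strcpy() overruns the padded allocation described above for a given name length, next to one bounded way to fill the same buffer. The helper names and the sample display names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation size used by the code in the report: length rounded up to 4. */
size_t padded_length(size_t length)
{
    return (length + 3) & ~(size_t)3;
}

/* Bytes strcpy() would write beyond a padded_length() buffer (0 = it fits).
 * strcpy() writes length + 1 bytes: the characters plus the terminating NUL. */
size_t strcpy_overrun(size_t length)
{
    size_t need = length + 1, have = padded_length(length);
    return need > have ? need - have : 0;
}

/* Bounded alternative (hypothetical helper): zero the padded buffer and copy
 * exactly `length` bytes, so nothing is written past the allocation.
 * The result is length-delimited, not guaranteed to be NUL-terminated. */
char *copy_padded(const char *name, size_t *padded_out)
{
    size_t length = name ? strlen(name) : 0;
    char *buffer;

    *padded_out = padded_length(length);
    if (!length)
        return NULL;
    buffer = calloc(1, *padded_out);
    if (buffer)
        memcpy(buffer, name, length);
    return buffer;
}

int main(void)
{
    /* Constructed display names with lengths 4, 6, 8 and 11. */
    const char *names[] = { "ab:0", "host:1", "host:0.0", "localhost:0" };
    size_t i, padded;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *b = copy_padded(names[i], &padded);
        printf("%-12s len=%zu alloc=%zu strcpy overrun=%zu\n", names[i],
               strlen(names[i]), padded, strcpy_overrun(strlen(names[i])));
        free(b);
    }
    return 0;
}
```

Only lengths that are already a multiple of 4 overrun, and always by exactly one byte, which is why the problem shows up only for some display names.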
Comment 1 Mark McLoughlin 2004-12-02 04:22:00 UTC
Created attachment 1441
[FIXED_X11R68x] patch
Comment 2 Mark McLoughlin 2004-12-02 07:23:46 UTC
Created attachment 1442
[FIXED_X11R68x] patch for DMXAddInput() too

Just noticed that DMXAddInput() has the same issue
Comment 3 Kevin E. Martin 2004-12-02 09:51:18 UTC
Mark, good find.  Thanks for the patch.  I will take care of committing it to CVS.

Roland, it is not necessary to add me to DMX bugs as I'm on the dmx-bugs alias.
Comment 4 Kevin E. Martin 2004-12-06 12:10:53 UTC
Comment on attachment 1441
[FIXED_X11R68x] patch

Trivial fix
Patch tested and applied to HEAD
Comment 5 Kevin E. Martin 2004-12-06 12:12:16 UTC
Comment on attachment 1442
[FIXED_X11R68x] patch for DMXAddInput() too

Trivial fix
Patch tested and applied to HEAD
Comment 6 Kevin E. Martin 2004-12-06 12:13:45 UTC
Patches have been checked into HEAD and nominated for inclusion in 6.8.2
Mark, thanks again for the patches.
Closing.
Comment 7 Roland Mainz 2004-12-11 19:28:31 UTC
Comment on attachment 1441
[FIXED_X11R68x] patch

Approval for X11R6.8.x stable branch granted in the 2004-12-08
release-wranglers phone call.
Please don't commit, I'll do that myself...
Comment 8 Roland Mainz 2004-12-11 19:28:51 UTC
Comment on attachment 1442
[FIXED_X11R68x] patch for DMXAddInput() too

Approval for X11R6.8.x stable branch granted in the 2004-12-08
release-wranglers phone call.
Please don't commit, I'll do that myself...
Comment 9 Roland Mainz 2004-12-12 17:04:41 UTC
Comment on attachment 1441
[FIXED_X11R68x] patch

Patch checked-in into X11R6.8.x stable branch...

/cvs/xorg/xc/ChangeLog,v  <--  ChangeLog
new revision: 1.365.2.19; previous revision: 1.365.2.18
cvs commit: Using deprecated info format strings.  Convert your scripts to use
the new argument format and remove '1's from your info file format strings.
/cvs/xorg/xc/lib/dmx/dmx.c,v  <--  dmx.c
new revision: 1.1.4.1; previous revision: 1.1
cvs commit: Using deprecated info format strings.  Convert your scripts to use
the new argument format and remove '1's from your info file format strings.
Mailing the commit message to xorg-commit@lists.freedesktop.org...
Comment 10 Roland Mainz 2004-12-12 17:09:36 UTC
Comment on attachment 1442
[FIXED_X11R68x] patch for DMXAddInput() too

Patch checked-in into the X11R6.8.x stable branch:

/cvs/xorg/xc/ChangeLog,v  <--  ChangeLog
new revision: 1.365.2.20; previous revision: 1.365.2.19
cvs commit: Using deprecated info format strings.  Convert your scripts to use
the new argument format and remove '1's from your info file format strings.
/cvs/xorg/xc/lib/dmx/dmx.c,v  <--  dmx.c
new revision: 1.1.4.2; previous revision: 1.1.4.1
cvs commit: Using deprecated info format strings.  Convert your scripts to use
the new argument format and remove '1's from your info file format strings.
Mailing the commit message to xorg-commit@lists.freedesktop.org...
