Bug 30585

Summary: Buffer overflow when copying VESA 2.0 information
Product: xorg
Reporter: Frank Mehnert <frank.mehnert>
Component: Server/DDX/Xorg
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED DUPLICATE
QA Contact: Xorg Project Team <xorg-team>
Severity: critical
Priority: medium
CC: robatino
Version: 7.5 (2009.10)
Hardware: Other
OS: All

Description Frank Mehnert 2010-10-03 07:48:29 UTC
The following code is wrong:

http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/vbe/vbe.c?h=server-1.9-branch#n589

Here the code tries to copy 206 bytes. In the other case (VESA 3.0 supported), only 188 + 66 - 50 = 204 bytes are copied. VirtualBox supports only VESA 2.0, therefore the crash. The memcpy function is compiled with fortify enabled.

This leads to a crash when fortify is enabled.
Comment 1 Frank Mehnert 2010-10-03 07:52:36 UTC
Note that the other else case for VESA < 2.0 is wrong as well (216 versus 215 bytes).
Comment 2 Alan Coopersmith 2010-10-03 09:10:02 UTC

*** This bug has been marked as a duplicate of bug 30159 ***
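
The length mismatch reported above can be caught by deriving the bound from the destination instead of hard-coding it. The following is an added example, not code from the X server: `struct info_block`, `checked_copy` and `try_tail_copy` are hypothetical names, and the layout is constructed so that the destination region is 204 bytes, the figure the description gives for the VESA 3.0 branch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, constructed for this example (not the X server's
 * struct): a 52-byte header followed by the 204-byte region being filled. */
struct info_block {
    uint8_t header[52];
    uint8_t tail[204];
};

/* The length quoted in the report for the VESA 3.0 branch. */
enum { TAIL_LEN = 188 + 66 - 50 };
_Static_assert(TAIL_LEN == sizeof(((struct info_block *)0)->tail),
               "copy length must match the destination region");

/* Copy len bytes from src+src_off into blk starting at byte offset dst_off.
 * Returns 0 on success, -1 if the copy would overrun either buffer. This is
 * the same length-versus-object-size comparison that a fortified memcpy
 * makes before aborting the process. */
int checked_copy(struct info_block *blk, size_t dst_off,
                 const uint8_t *src, size_t src_size, size_t src_off,
                 size_t len)
{
    if (dst_off > sizeof(*blk) || len > sizeof(*blk) - dst_off)
        return -1;                      /* would write past the struct */
    if (src_off > src_size || len > src_size - src_off)
        return -1;                      /* would read past the source */
    memcpy((uint8_t *)blk + dst_off, src + src_off, len);
    return 0;
}

/* Demo helper: attempt a copy of len bytes into the tail member. */
int try_tail_copy(size_t len)
{
    static uint8_t bios_buf[512];       /* constructed stand-in source */
    struct info_block blk;
    memset(bios_buf, 0xAB, sizeof(bios_buf));
    memset(&blk, 0, sizeof(blk));
    return checked_copy(&blk, offsetof(struct info_block, tail),
                        bios_buf, sizeof(bios_buf), 52, len);
}

int main(void)
{
    /* 204 fits; 206 (the length in the report) is rejected. */
    return (try_tail_copy(204) == 0 && try_tail_copy(206) == -1) ? 0 : 1;
}
```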
