Bug 385

Summary: glGetString(GL_VERSION) corrupts malloc heap
Product: xorg
Reporter: John Dennis <jdennis>
Component: Server/General
Assignee: Egbert Eich <eich>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: high
CC: mharris
Version: unspecified
Hardware: All
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:
Bug Depends on:
Bug Blocks: 213
Attachments: correct size of version string (flags: none)

Description John Dennis 2004-03-29 14:36:24 UTC
The following code snippet reformats the version string appending " (GLLibraryVersion)" via a sprintf format that adds " (%s)". The code originally added 3 to the length to account for the space, open paren, and close paren. But it forgot to add 1 more character to account for the terminating null character that sprintf adds at the end of the string. This meant that the __glXSprintf was writing 1 character beyond the malloc block and was corrupting the malloc heap. The fix is to add 4 to the malloc size rather than 3, patch will be attached.

    else if ( name == GL_VERSION ) {
        if ( atof( string ) > atof( GLServerVersion ) ) {
            /* Sizes the block for the two strings plus ' ', '(' and ')',
             * but not for the terminating NUL that __glXSprintf writes:
             * one byte short, as described in the report above. */
            buf = __glXMalloc( __glXStrlen( string )
                               + __glXStrlen( GLServerVersion )
                               + 3 );
            if ( buf == NULL ) {
                string = GLServerVersion;
            }
            else {
                __glXSprintf( buf, "%s (%s)", GLServerVersion, string );
                string = buf;
            }
        }
    }
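The sizing arithmetic from the report, reproduced in an added example that is not part of the bug report or the X.Org source: `version_buf_needed` computes the exact bytes the formatted string occupies (NUL included), `version_buf_overrun` compares that against the `strlen + strlen + extra` allocation the original code made, and `version_string_join` shows the bounded form of the same join. The function names and the sample version strings "1.2" and "1.4" are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to hold "<server> (<lib>)", including the terminating NUL.
 * snprintf with a zero-length buffer returns the length excluding the NUL. */
size_t version_buf_needed(const char *server, const char *lib)
{
    int n = snprintf(NULL, 0, "%s (%s)", server, lib);
    return (size_t)n + 1;
}

/* The allocation the reported code made: strlen(a) + strlen(b) + extra.
 * extra == 3 covers only ' ', '(' and ')' (the bug); extra == 4 is the fix. */
size_t version_buf_alloc(const char *server, const char *lib, size_t extra)
{
    return strlen(server) + strlen(lib) + extra;
}

/* Number of bytes the sprintf write runs past the allocation (0 if it fits). */
size_t version_buf_overrun(const char *server, const char *lib, size_t extra)
{
    size_t need = version_buf_needed(server, lib);
    size_t have = version_buf_alloc(server, lib, extra);
    return need > have ? need - have : 0;
}

/* Bounded join: size the block from snprintf itself, then write with that
 * bound, so a miscounted constant cannot walk past the block the way an
 * unbounded sprintf does. Caller frees the result. */
char *version_string_join(const char *server, const char *lib)
{
    size_t need = version_buf_needed(server, lib);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, "%s (%s)", server, lib);
    return buf;
}

int main(void)
{
    const char *server = "1.2";   /* constructed sample values */
    const char *lib = "1.4";
    printf("need %zu bytes, alloc(+3) %zu bytes, overrun %zu byte(s)\n",
           version_buf_needed(server, lib),
           version_buf_alloc(server, lib, 3),
           version_buf_overrun(server, lib, 3));
    char *s = version_string_join(server, lib);
    if (s != NULL) {
        puts(s);
        free(s);
    }
    return 0;
}
```

With the sample values the formatted string "1.2 (1.4)" is 9 characters, so 10 bytes are needed; the +3 allocation yields 9 and the overrun is exactly the one byte the report describes, while +4 yields 10 and fits.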
Comment 1 John Dennis 2004-03-29 14:39:17 UTC
Created attachment 169 [details] [review]
correct size of version string
Comment 2 Mike A. Harris 2004-03-30 00:42:31 UTC
Making this bug block bug #213, the Xorg release blocker bug.
Comment 3 Egbert Eich 2004-03-30 09:35:46 UTC
Done.

 68. Fix the GLLibraryVersion string allocation to accommodate for the
     terminating \0 character which would otherwise corrupt the malloc
     heap (Bugzilla 385, John Dennis).
