Bug 9221

Summary: Size overflow for memcmp() in xserver/render/glyph.c FindGlyphRef
Product: xorg
Reporter: xorg
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: trivial
Priority: high
CC: esigra
Version: git
Hardware: x86 (IA32)
OS: Linux (All)
Bug Blocks: 10101

Description xorg 2006-12-01 17:27:54 UTC
If compare->size is greater than glyph->size in FindGlyphRef at render/glyph.c:444, it could theoretically happen that memcmp reads beyond the end of glyph. This is by no means critical, but it always aborts X when compiled with a bounds-checking-patched gcc with -fbounds-checking.
Trivial fix:
-                 memcmp (&compare->info, &glyph->info, compare->size) == 0))
+                 memcmp (&compare->info, &glyph->info, glyph->size < compare->size ? glyph->size : compare->size) == 0))
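Review bot: bounding memcmp() by the smaller of the two sizes stops the over-read, but it also changes the match semantics: when glyph->size < compare->size, a glyph whose bytes are a prefix of the larger glyph now compares equal. Unless the caller already guarantees the sizes match, a more exact fix is to require `glyph->size == compare->size` before the memcmp() and compare over that size, which both keeps the read inside the smaller buffer and rejects prefixes.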
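The over-read described in the report, as an added example that is not code from the bug report or from the xserver tree: a constructed, simplified `Glyph` record (the real GlyphRec in render/glyph.c has more fields), the unbounded comparison pattern from the report, the min-size form from the proposed patch, and a size-then-bytes comparison that cannot read past either buffer. All names (`glyph_new`, `glyph_match_*`, `demo`, the sample payloads) are hypothetical and exist only for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the server's glyph record: a byte count followed
   by the payload (info + image) in one allocation. Only the size and the
   bytes being compared matter for this bug. */
typedef struct {
    size_t        size;    /* number of payload bytes that follow */
    unsigned char info[];  /* payload; allocated to exactly `size` bytes */
} Glyph;

/* Allocate a glyph holding a copy of `size` bytes from `data`. */
static Glyph *glyph_new(const unsigned char *data, size_t size)
{
    Glyph *g = malloc(sizeof(Glyph) + size);
    if (g == NULL)
        return NULL;
    g->size = size;
    memcpy(g->info, data, size);
    return g;
}

/* The pattern from the bug report: the memcmp length comes from `compare`
   alone, so when compare->size > glyph->size the call reads past the end of
   glyph's allocation. Only safe when both sizes are known to be equal. */
int glyph_match_unbounded(const Glyph *compare, const Glyph *glyph)
{
    return memcmp(compare->info, glyph->info, compare->size) == 0;
}

/* The reporter's proposed fix: bound memcmp by the smaller size. No
   over-read, but a glyph whose bytes are a prefix of a larger glyph now
   compares equal. */
int glyph_match_min(const Glyph *compare, const Glyph *glyph)
{
    size_t n = glyph->size < compare->size ? glyph->size : compare->size;
    return memcmp(compare->info, glyph->info, n) == 0;
}

/* Size-then-bytes comparison: equal glyphs must have equal sizes, so test
   that first and memcmp over exactly that many bytes. Neither buffer can be
   over-read, and prefixes are rejected. */
int glyph_match_checked(const Glyph *compare, const Glyph *glyph)
{
    if (compare->size != glyph->size)
        return 0;
    return memcmp(compare->info, glyph->info, compare->size) == 0;
}

/* Constructed sample payloads: SAMPLE_B is a strict prefix of SAMPLE_A. */
static const unsigned char SAMPLE_A[] = { 0x01, 0x02, 0x03, 0x04 };
static const unsigned char SAMPLE_B[] = { 0x01, 0x02 };

/* Run the three comparisons on the samples, calling the unbounded form only
   where the sizes match. Returns a bitmask: bit 0 = min-size form reports
   the prefix as a match, bit 1 = checked form rejects it, bit 2 = all three
   agree that identical glyphs match. -1 on allocation failure. */
int demo(void)
{
    Glyph *a  = glyph_new(SAMPLE_A, sizeof SAMPLE_A);
    Glyph *a2 = glyph_new(SAMPLE_A, sizeof SAMPLE_A);
    Glyph *b  = glyph_new(SAMPLE_B, sizeof SAMPLE_B);
    int result = 0;

    if (!a || !a2 || !b) {
        free(a); free(a2); free(b);
        return -1;
    }
    if (glyph_match_unbounded(a, a2) && glyph_match_min(a, a2) &&
        glyph_match_checked(a, a2))
        result |= 4;
    /* compare = a (4 bytes) vs glyph = b (2 bytes): the unbounded form would
       read 2 bytes past b here, so it is deliberately not called. */
    if (glyph_match_min(a, b))
        result |= 1;
    if (!glyph_match_checked(a, b))
        result |= 2;

    free(a); free(a2); free(b);
    return result;
}

int main(void)
{
    printf("demo bitmask: %d\n", demo());
    return 0;
}
```

Building with a bounds checker or AddressSanitizer and calling `glyph_match_unbounded(a, b)` is what the report's `-fbounds-checking` abort corresponds to; the checked form is the one that stays inside both allocations regardless of which glyph is larger.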
Comment 1 Daniel Stone 2007-02-27 01:34:57 UTC
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 2 Adam Jackson 2008-02-29 13:22:28 UTC
This is moot now.  We use sha1 hashes of glyph contents to check for equality rather than comparing the bits directly, so the memcmp() is constant-sized now.
