Bug 30585 - Buffer overflow when copying VESA 2.0 information
Status: RESOLVED DUPLICATE of bug 30159
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/DDX/Xorg
Version: 7.5 (2009.10)
Hardware: Other All
Importance: medium critical
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2010-10-03 07:48 UTC by Frank Mehnert
Modified: 2010-10-03 09:10 UTC

Description Frank Mehnert 2010-10-03 07:48:29 UTC
The following code is wrong:

http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/vbe/vbe.c?h=server-1.9-branch#n589

Here the code tries to copy 206 bytes. In the other case (VESA 3.0 supported), only 188 + 66 - 50 = 204 bytes are copied. VirtualBox supports only VESA 2.0, therefore the crash. The memcpy function is compiled with fortify enabled.

This leads to a crash when fortify is enabled.
Comment 1 Frank Mehnert 2010-10-03 07:52:36 UTC
Note that the other else case for VESA < 2.0 is wrong as well (216 versus 215 bytes).
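
An added example, not code from the xserver or from the reporter: a bounds-checked tail copy whose limit is derived from the destination type instead of a hard-coded count, so a 206-byte request into a 204-byte region is rejected rather than caught at run time by fortify. The `mode_info` layout, `tail_capacity` and `copy_tail` are hypothetical and constructed only to mirror the 188 + 66 - 50 = 204 arithmetic in the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAW_TAIL_OFFSET 50   /* raw-buffer offset the report's copy starts at */

/* Constructed layout that mirrors the report's arithmetic only;
 * it is not the real xserver structure. */
struct mode_info {
    uint8_t head[50];       /* fields before raw offset 50 */
    uint8_t v3_fields[16];  /* raw offsets 50..65 (66 - 50 bytes) */
    uint8_t reserved[188];  /* raw offsets 66 onward */
};

/* Bytes available in the destination from v3_fields to the end of the struct. */
size_t tail_capacity(void)
{
    return sizeof(struct mode_info) - offsetof(struct mode_info, v3_fields);
}

/* Copy `want` bytes of the raw block's tail into mi.
 * Returns 0 on success, -1 if the copy would overrun either buffer. */
int copy_tail(struct mode_info *mi, const uint8_t *raw, size_t raw_len, size_t want)
{
    if (raw_len < RAW_TAIL_OFFSET || want > raw_len - RAW_TAIL_OFFSET)
        return -1;                      /* would read past the source */
    if (want > tail_capacity())
        return -1;                      /* would write past the destination */
    /* Address the tail through the struct base so the copy may span both fields. */
    memcpy((uint8_t *)mi + offsetof(struct mode_info, v3_fields),
           raw + RAW_TAIL_OFFSET, want);
    return 0;
}

int main(void)
{
    uint8_t raw[256];                   /* constructed sample buffer */
    struct mode_info mi;
    memset(raw, 0xAB, sizeof raw);
    int bad = copy_tail(&mi, raw, sizeof raw, 206);  /* hard-coded length: rejected */
    int ok  = copy_tail(&mi, raw, sizeof raw, 204);  /* fits the destination */
    return (bad == -1 && ok == 0) ? 0 : 1;
}
```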
Comment 2 Alan Coopersmith 2010-10-03 09:10:02 UTC

*** This bug has been marked as a duplicate of bug 30159 ***