Bug 30585 - Buffer overflow when copying VESA 2.0 information
Status: RESOLVED DUPLICATE of bug 30159
Product: xorg
Classification: Unclassified
Component: Server/DDX/Xorg
Version: 7.5 (2009.10)
Hardware: Other All
Importance: medium critical
Assigned To: Xorg Project Team
Reported: 2010-10-03 07:48 UTC by Frank Mehnert
Modified: 2010-10-03 09:10 UTC (History)
Description Frank Mehnert 2010-10-03 07:48:29 UTC
The following code is wrong:

http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/vbe/vbe.c?h=server-1.9-branch#n589

Here the code tries to copy 206 bytes. In the other case (VESA 3.0 supported), only 188 + 66 - 50 = 204 bytes are copied. VirtualBox supports only VESA 2.0, therefore the crash. The memcpy function is compiled with fortify enabled.

This leads to a crash when fortify is enabled.
Comment 1 Frank Mehnert 2010-10-03 07:52:36 UTC
Note that the other else case for VESA < 2.0 is wrong as well (216 versus 215 bytes).
Comment 2 Alan Coopersmith 2010-10-03 09:10:02 UTC

*** This bug has been marked as a duplicate of bug 30159 ***
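
The length mismatch reported above (206 bytes copied where 204 fit), as an added example that is not the X server's code and not part of the original report: the copy length is checked against a capacity derived from the destination type instead of a hand-counted constant. The struct layout, the source offset of 50 and the names `mode_info`, `copy_tail` and `try_copy` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VBE_BLOCK_SIZE 256 /* size of a VBE mode-info reply block */
#define SRC_OFFSET 50      /* assumed start of the bulk-copied region */

/* Constructed layout, NOT the real VbeModeInfoBlock: fields decoded one by
 * one, then a tail that is 204 bytes long (the figure from the report). */
struct mode_info {
    uint8_t head[50];
    uint8_t tail[204];
};

/* Room left in the destination, derived from the type instead of typed in. */
size_t tail_capacity(void) {
    return sizeof(struct mode_info) - offsetof(struct mode_info, tail);
}

/* Bulk copy into dst->tail; refuses lengths that overrun either buffer. */
int copy_tail(struct mode_info *dst, const uint8_t *src, size_t src_size,
              size_t src_off, size_t len) {
    if (len > tail_capacity())
        return -1; /* would write past the end of the struct */
    if (src_off > src_size || len > src_size - src_off)
        return -2; /* would read past the end of the reply */
    memcpy(dst->tail, src + src_off, len);
    return 0;
}

/* One copy from a constructed reply; a guard byte sits behind the struct. */
int try_copy(size_t src_off, size_t len) {
    uint8_t reply[VBE_BLOCK_SIZE];
    struct { struct mode_info info; uint8_t guard; } box;
    memset(reply, 0xAB, sizeof reply);
    memset(&box, 0, sizeof box);
    box.guard = 0x5A;
    int rc = copy_tail(&box.info, reply, sizeof reply, src_off, len);
    return box.guard == 0x5A ? rc : -99; /* -99: guard was overwritten */
}

int main(void) {
    printf("capacity=%zu\n", tail_capacity());
    printf("len 204 -> %d\n", try_copy(SRC_OFFSET, 204));
    printf("len 206 -> %d\n", try_copy(SRC_OFFSET, 206));
    return 0;
}
```

A compile-time `_Static_assert` on the same `sizeof`/`offsetof` expression would catch a hard-coded length that drifts from the struct definition before the code ever runs.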