Bug 30585 - Buffer overflow when copying VESA 2.0 information
Summary: Buffer overflow when copying VESA 2.0 information
Status: RESOLVED DUPLICATE of bug 30159
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/DDX/Xorg (show other bugs)
Version: 7.5 (2009.10)
Hardware: Other All
: medium critical
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-10-03 07:48 UTC by Frank Mehnert
Modified: 2010-10-03 09:10 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Mehnert 2010-10-03 07:48:29 UTC
The following code is wrong:

http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/vbe/vbe.c?h=server-1.9-branch#n589

Here the code tries to copy 206 bytes. In the other case (VESA 3.0 supported), only 188 + 66 - 50 = 204 bytes are copied. VirtualBox supports only VESA 2.0, therefore the crash. The memcpy function is compiled with fortify enabled.

This leads to a crash when fortify is enabled.
Comment 1 Frank Mehnert 2010-10-03 07:52:36 UTC
Note the the other else case for VESA < 2.0 is wrong as well (216 versus 215 bytes).
Comment 2 Alan Coopersmith 2010-10-03 09:10:02 UTC

*** This bug has been marked as a duplicate of bug 30159 ***


bug/show.html.tmpl processed on May 29, 2016 at 09:35:13.
(provided by the Example extension).