The following code snippet reformats the version string, appending " (GLLibraryVersion)" via a sprintf format that adds " (%s)". The code originally added 3 to the length to account for the space, open paren, and close paren. But it forgot to add 1 more character to account for the terminating null character that sprintf adds at the end of the string. This meant that the __glXSprintf was writing 1 character beyond the malloc block and was corrupting the malloc heap. The fix is to add 4 to the malloc size rather than 3; patch will be attached.

```c
else if ( name == GL_VERSION ) {
    if ( atof( string ) > atof( GLServerVersion ) ) {
        /* +3 covers ' ', '(' and ')' but not the terminating '\0' */
        buf = __glXMalloc( __glXStrlen( string ) + __glXStrlen( GLServerVersion ) + 3 );
        if ( buf == NULL ) {
            string = GLServerVersion;
        } else {
            /* writes strlen + 3 chars plus a '\0': one byte past the block */
            __glXSprintf( buf, "%s (%s)", GLServerVersion, string );
            string = buf;
        }
    }
}
```
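An added, stand-alone illustration of the off-by-one (not code from the bug report or from Xorg): it compares the size the original code reserved, the size the fix reserves, and the size the format actually needs, and builds the string with snprintf so a wrong estimate can only truncate, never overflow. The version values are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the original code reserved: both strings plus 3 for ' ', '(' and ')'.
 * It omits the terminating '\0', so sprintf writes one byte past the block. */
size_t buggy_alloc_size(const char *server, const char *lib)
{
    return strlen(server) + strlen(lib) + 3;
}

/* Size the fix reserves: one extra byte for the terminator. */
size_t fixed_alloc_size(const char *server, const char *lib)
{
    return strlen(server) + strlen(lib) + 4;
}

/* Bytes sprintf actually needs, measured with snprintf's dry run (NULL, 0)
 * so the count comes from the format itself rather than hand arithmetic. */
size_t required_size(const char *server, const char *lib)
{
    int n = snprintf(NULL, 0, "%s (%s)", server, lib);
    return (size_t)n + 1;  /* +1 for the '\0' that snprintf does not count */
}

/* Builds "server (lib)" into a correctly sized heap buffer. Passing the
 * buffer size to snprintf bounds the write even if the estimate were wrong.
 * Caller frees the result; returns NULL on allocation failure. */
char *format_version(const char *server, const char *lib)
{
    size_t size = required_size(server, lib);
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    snprintf(buf, size, "%s (%s)", server, lib);
    return buf;
}

int main(void)
{
    const char *server = "1.2";   /* constructed sample values */
    const char *lib = "1.5.3";
    printf("buggy=%zu fixed=%zu required=%zu\n",
           buggy_alloc_size(server, lib), fixed_alloc_size(server, lib),
           required_size(server, lib));
    char *s = format_version(server, lib);
    if (s) { printf("%s\n", s); free(s); }
    return 0;
}
```

With the sample values the buggy size is 11, while the format needs 12, which is the one-byte heap overrun the report describes.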
Created attachment 169: correct size of version string
Making this bug block bug #213, the Xorg release blocker bug.
Done. 68. Fix the GLLibraryVersion string allocation to accommodate the terminating \0 character which would otherwise corrupt the malloc heap (Bugzilla 385, John Dennis).