Bug 385 - glGetString(GL_VERSION) corrupts malloc heap
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: unspecified
Hardware: All Linux (All)
Importance: high normal
Assignee: Egbert Eich
Blocks: 213
 
Reported: 2004-03-29 14:36 UTC by John Dennis
Modified: 2004-03-29 15:35 UTC (History)


Attachments
correct size of version string (423 bytes, patch)
2004-03-29 14:39 UTC, John Dennis

Description John Dennis 2004-03-29 14:36:24 UTC
The following code snippet reformats the version string appending "
(GLLibraryVersion)" via a sprintf format that adds " (%s)". The code originally
added 3 to the length to account for the space, open paren, and close paren. But
it forgot to add 1 more character to account for the terminating null character
that sprintf adds at the end of the string. This meant that the __glXSprintf was
writing 1 character beyond the malloc block and was corrupting the malloc heap.
The fix is to add 4 to the malloc size rather than 3, patch will be attached.

    else if ( name == GL_VERSION ) {
	if ( atof( string ) > atof( GLServerVersion ) ) {
	    buf = __glXMalloc( __glXStrlen( string ) 
			       + __glXStrlen( GLServerVersion )
			       + 3 );
	    if ( buf == NULL ) {
		string = GLServerVersion;
	    }
	    else {
		__glXSprintf( buf, "%s (%s)", GLServerVersion, string );
		string = buf;
	    }
	}
    }
Comment 1 John Dennis 2004-03-29 14:39:17 UTC
Created attachment 169
correct size of version string
Comment 2 Mike A. Harris 2004-03-30 00:42:31 UTC
Making this bug block bug #213, the Xorg release blocker bug.
Comment 3 Egbert Eich 2004-03-30 09:35:46 UTC
Done.

 68. Fix the GLLibraryVersion string allocation to accommodate for the
     terminating \0 character which would otherwise corrupt the malloc
     heap (Bugzilla 385, John Dennis).
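
The off-by-one described in this bug, as an added example that is not part of the original report or the X.Org source: it compares the size the old code requested with the bytes a "%s (%s)" format really writes, and sizes the buffer by measuring the format instead of counting characters by hand. The function names and sample version strings are hypothetical, and plain malloc/snprintf stand in for the __glXMalloc/__glXSprintf wrappers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the pre-fix code requested: both strings plus ' ', '(' and ')'. */
size_t undersized_len(const char *server, const char *lib)
{
    return strlen(server) + strlen(lib) + 3;
}

/* Bytes that formatting "%s (%s)" stores, terminating NUL included.
 * snprintf with a NULL buffer and size 0 only measures (C99). */
size_t bytes_written(const char *server, const char *lib)
{
    int n = snprintf(NULL, 0, "%s (%s)", server, lib);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Allocate exactly what the format needs, so a later change to the
 * format string cannot silently reintroduce the overflow.
 * Returns NULL on failure; the caller frees the result. */
char *format_version(const char *server, const char *lib)
{
    size_t need = bytes_written(server, lib);
    char *buf;

    if (need == 0)
        return NULL;
    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, "%s (%s)", server, lib);
    return buf;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const char *server = "1.2", *lib = "1.4.1";
    char *s = format_version(server, lib);

    printf("old request: %zu bytes, actually written: %zu bytes\n",
           undersized_len(server, lib), bytes_written(server, lib));
    if (s != NULL) {
        puts(s);
        free(s);
    }
    return 0;
}
```

Building the pre-fix sizing with -fsanitize=address, or running it under valgrind, reports the one-byte heap write at the sprintf call.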

