Bug 9221 - Size overflow for memcmp() in xserver/render/glyph.c FindGlyphRef
Summary: Size overflow for memcmp() in xserver/render/glyph.c FindGlyphRef
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: git
Hardware: x86 (IA32) Linux (All)
: high trivial
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: xorg-7.4
  Show dependency treegraph
 
Reported: 2006-12-01 17:27 UTC by xorg
Modified: 2008-02-29 13:22 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description xorg 2006-12-01 17:27:54 UTC
If compare->size is greater than glyph->size in FindGlyphRef at render/glyph.c:444, it could theoretically happen that memcmp reads beyond the end of glyph. This is by no means critical, but it always aborts X when compiled with a bounds-checking-patched gcc with -fbounds-checking.
Trivial fix:
-                 memcmp (&compare->info, &glyph->info, compare->size) == 0))
+                 memcmp (&compare->info, &glyph->info, glyph->size < compare->size ? glyph->size : compare->size) == 0))
Comment 1 Daniel Stone 2007-02-27 01:34:57 UTC
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 2 Adam Jackson 2008-02-29 13:22:28 UTC
This is moot now.  We use sha1 hashes of glyph contents to check for equality rather than comparing the bits directly, so the memcmp() is constant-sized now.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct.