SwallowOS/xserver_xsdl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Xext: dynamically allocate the PanoramiXDepths[j].vids array

Browse Source 
Control flow is:
   PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals)
   PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals)
   and writes those into the previously allocated array.

This caused invalid reads/writes followed by eventually a double-free abort.

Reproduced with xorg-integration-tests server test
XineramaTest.ScreenCrossing/* (and a bunch of others).

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 93cafb0828d2e24bd14616df1aa9883fb843dd6c)
This commit is contained in:
Peter Hutterer
2018-07-18 13:22:43 +10:00
committed by Adam Jackson
parent cbf1ca2dba
commit 9347326d28
1 changed files with 4 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Xext/panoramiX.c
View File

@@ -751,11 +751,7 @@ PanoramiXMaybeAddDepth(DepthPtr pDepth)
PanoramiXNumDepths, sizeof(DepthRec));
PanoramiXDepths[j].depth = pDepth->depth;
PanoramiXDepths[j].numVids = 0;
/* XXX suboptimal, should grow these dynamically */
if (pDepth->numVids)
PanoramiXDepths[j].vids = xallocarray(pDepth->numVids, sizeof(VisualID));
else
PanoramiXDepths[j].vids = NULL;
PanoramiXDepths[j].vids = NULL;
}
static void
@@ -796,6 +792,9 @@ PanoramiXMaybeAddVisual(VisualPtr pVisual)
for (k = 0; k < PanoramiXNumDepths; k++) {
if (PanoramiXDepths[k].depth == pVisual->nplanes) {
PanoramiXDepths[k].vids = reallocarray(PanoramiXDepths[k].vids,
PanoramiXDepths[k].numVids + 1,
sizeof(VisualID));
PanoramiXDepths[k].vids[PanoramiXDepths[k].numVids] = pVisual->vid;
PanoramiXDepths[k].numVids++;
break;