author | Daphne Pfister <daphnediane@mac.com> | 2013-06-01 22:27:23 -0400 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-06-01 20:03:43 -0700 |
commit | 22cc0c897a28a41d49fe68277bb3c002f54bbb48 (patch) | |
tree | 455f0f78149be3933b1f853715cc27bf0f635bb7 | |
parent | edfb6fc397686c1892603d0f86a9aadf14dbc12e (diff) |
Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory.
This patch attempts to fix this bug by ensuring that there is at least one
nil byte at the end of all the name strings. This should prevent reading
past the end of the allocation as well as exposing uninitialized memory.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/Xv.c | 8 |
1 files changed, 6 insertions, 2 deletions
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) unsigned long size; /* limit each part to no more than one half the max size */ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) && - (rep.text_size < (INT_MAX / 2))) { - size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; + (rep.text_size < (INT_MAX / 2)-1)) { + size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1; ret = Xmalloc(size); } @@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) } (*num)++; } + + /* ensure final string is nil-terminated to avoid exposure of + uninitialized memory */ + *marker = '\0'; } else _XEatDataWords(dpy, rep.length); } |
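Review bot: The `+ 1` added to `size` in the first hunk has no comment tying it to the terminator stored near the end of the function, so the allocation size and the `*marker = '\0'` store can drift apart in a later edit. I would add `/* + 1: room for the NUL stored after the last name */` above the `size = ...` line, and space the new bound as `(INT_MAX / 2) - 1` to match the surrounding expressions. The arithmetic itself stays in range: both parts are capped below `INT_MAX / 2`, so the sum plus one cannot wrap `unsigned long`. XvQueryPortAttributes starts and ends outside this hunk.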
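Review bot: The store `*marker = '\0'` in the second hunk terminates only the last name, so a reply whose earlier names lack their own NUL would leave `ret[i].name` running into the following name's bytes; that stays inside the allocation but hands the caller wrong strings. The loop that advances `marker` is outside the hunk, so this is inferred from the commit description rather than seen; if it holds, the comment should say so, e.g. `/* bounds reads to the allocation; each name is terminated only if the server sent its NUL */`. The store is in bounds only while `marker` has advanced by at most `rep.text_size` bytes, which depends on the remaining-room check in that same unseen loop.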