Re: CVS commit: xsrc/external/mit/xf86-video-r128/dist/src

To: source-changes-d%NetBSD.org@localhost
Subject: Re: CVS commit: xsrc/external/mit/xf86-video-r128/dist/src
From: christos%astron.com@localhost (Christos Zoulas)
Date: Tue, 7 Jul 2015 14:46:27 +0000 (UTC)

In article <20150707005552.D4A8B48%cvs.netbsd.org@localhost>,
Michael Lorenz <source-changes-d%NetBSD.org@localhost> wrote:
>-=-=-=-=-=-
>
>Modified files:
>
>Index: xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c
>diff -u xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c:1.9
>xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c:1.10
>--- xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c:1.9	Wed Mar
>19 23:56:47 2014
>+++ xsrc/external/mit/xf86-video-r128/dist/src/r128_driver.c	Tue Jul  7
>00:55:52 2015
>@@ -1625,6 +1625,8 @@ static int R128ValidateFPModes(ScrnInfoP
>         pScrn->display->modes[0] = xnfalloc(16);
>         sprintf(pScrn->display->modes[0], "%dx%d",
>                info->PanelXRes, info->PanelYRes);
>+        /* don't forget to NULL terminate */
>+        pScrn->display->modes[1] = NULL;

Pick up a magic number 16, and then use sprintf instead of snprintf ->
Welcome to the wonderful world of buffer overflow...

If PanelXRes == PanelYRes == 0x7fffffff then we get:

	2147483647x2147483647

that needs 21 chars to print.

christos

Follow-Ups:
- Re: CVS commit: xsrc/external/mit/xf86-video-r128/dist/src
  - From: Michael

Prev by Date: Re: CVS commit: src/usr.sbin/rtadvd
Next by Date: Re: CVS commit: xsrc/external/mit/xf86-video-r128/dist/src
Previous by Thread: Re: CVS commit: src/usr.sbin/rtadvd
Next by Thread: Re: CVS commit: xsrc/external/mit/xf86-video-r128/dist/src
Indexes:

Home | Main Index | Thread Index | Old Index