xfree86: fix potential buffer overflow
author Servaas Vandenberghe <vdb@picaros.org>
Wed, 31 Aug 2011 05:06:49 +0000 (07:06 +0200)
committer Peter Hutterer <peter.hutterer@who-t.net>
Sun, 30 Oct 2011 23:39:04 +0000 (09:39 +1000)
commit 820d9040f50a8440741b3aefbc069a3ad81e824e
tree 2ee7a91f1bd55b6b163f76b61ee2fe526357585d
parent 63e87b8639eb8e0b4e32e5d3a09099d31a03bbcd
xfree86: fix potential buffer overflow

The patch below fixes a potential buffer overflow in xf86addComment().
This occurs if  curlen > 0 && eol_seen == 0 && iscomment == 0 , as
follows from the code:

char *xf86addComment(char *cur, char *add)

<...>

        len = strlen(add);
        endnewline = add[len - 1] == '\n';
        len +=  1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;

        if ((str = realloc(cur, len + curlen)) == NULL)
                return cur;

        cur = str;

        if (eol_seen || (curlen && !hasnewline))
                cur[curlen++] = '\n';
        if (!iscomment)
                cur[curlen++] = '#';
        strcpy(cur + curlen, add);
        if (!endnewline)
                strcat(cur, "\n");

Signed-off-by: Servaas Vandenberghe <vdb@picaros.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
[whot: added buffer overflow test case]

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
hw/xfree86/parser/scan.c
test/xfree86.c
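
The size arithmetic quoted in the commit message can be checked by replaying it in an oversized scratch buffer and counting the bytes that land past the size handed to realloc(). This is an added example, not code from the X.Org tree or from this commit: bytes_past_allocation is a hypothetical helper, the inputs are constructed, hasnewline is assumed to mean "cur ends in a newline", and iscomment and eol_seen are passed in because the code deriving them is elided on the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the X.Org tree): replays the quoted size
 * computation and write sequence in a scratch buffer and returns how many
 * bytes fall past the size the quoted code passes to realloc().
 * Returns -1 for an empty add or for inputs too long for the scratch buffer. */
static int bytes_past_allocation(const char *cur, const char *add,
                                 int iscomment, int eol_seen)
{
    char scratch[256];
    size_t curlen = strlen(cur), len = strlen(add), alloc, used;
    int hasnewline, endnewline;

    if (len == 0 || curlen + len + 4 > sizeof scratch)
        return -1;
    hasnewline = curlen && cur[curlen - 1] == '\n';   /* assumed meaning */
    endnewline = add[len - 1] == '\n';

    /* Size computation as quoted in the commit message. */
    len += 1 + iscomment + (!hasnewline) + (!endnewline) + eol_seen;
    alloc = len + curlen;

    /* Write sequence as quoted, performed on the scratch buffer. */
    memset(scratch, 0, sizeof scratch);
    memcpy(scratch, cur, curlen);
    if (eol_seen || (curlen && !hasnewline))
        scratch[curlen++] = '\n';
    if (!iscomment)
        scratch[curlen++] = '#';
    strcpy(scratch + curlen, add);
    if (!endnewline)
        strcat(scratch, "\n");

    used = strlen(scratch) + 1;           /* include the NUL terminator */
    return used > alloc ? (int)(used - alloc) : 0;
}

int main(void)
{
    /* Constructed inputs; the first two meet the condition in the message. */
    printf("%d\n", bytes_past_allocation("Option \"a\"\n", "note\n", 0, 0));
    printf("%d\n", bytes_past_allocation("Option \"a\"", "note", 0, 0));
    printf("%d\n", bytes_past_allocation("", "note", 0, 0));
    printf("%d\n", bytes_past_allocation("Option \"a\"\n", "# note\n", 1, 0));
    return 0;
}
```

The '#' is written when iscomment is 0, while the quoted size computation adds a byte only when iscomment is 1, which is where the one-byte shortfall comes from.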