Some array boundary issues in Xorg server

Alan Coopersmith Alan.Coopersmith at Sun.COM
Fri May 8 12:38:59 PDT 2009


I recently got a chance to run an experimental new code checker
from Sun Labs across the Xorg sources - it doesn't find anywhere
near as much as coverity did, but it does seem to find different
things (though that also may be since I'm running on git master,
while coverity last scanned X11R6.9).

Fortunately, none of these seem exploitable to me or those on
xorg_security I ran this by before making it public.

One issue it found is several places where we have an array of
size N and check for i > N instead of i >= N when checking for
out of bounds accesses. I've just pushed a patch for those.

The other issues it found that I haven't fixed are:

Error: Read outside array bounds at hw/xfree86/ramdac/IBM.c:200 in function
'IBMramdacRestore' [Symbolic analysis]
       In array dereference of ramdacReg->DAC[i] with index 'i'
       Array size is 768 bytes, i >= 0 and i <= 1023
Error: Write outside array bounds at hw/xfree86/ramdac/IBM.c:222 in function
'IBMramdacSave' [Symbolic analysis]
       In array dereference of ramdacReg->DAC[i] with index 'i'
       Array size is 768 bytes, i >= 0 and i <= 1023

ajax suggested we just need to make that buffer bigger, for the few systems
using that particular ramdac model, though given how long this bug has been
there without complaints, I have to wonder if any of those are in use.

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering
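
The i > N versus i >= N defect described in the message, as an added example in C (not code from the post or from the Xorg tree): DAC_SIZE, the two check functions and the guard-byte harness are constructed for illustration, so the one-past-the-end write lands on a byte we can inspect rather than on an unrelated object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed table size; the message quotes a 768-byte DAC array. */
#define DAC_SIZE 768

/* Defective check from the message: "i > N" still accepts i == N. */
static bool index_ok_buggy(size_t i) { return !(i > DAC_SIZE); }

/* Corrected check: the last valid element is DAC_SIZE - 1. */
static bool index_ok_fixed(size_t i) { return !(i >= DAC_SIZE); }

/* Count how many indices in [0, limit) a check lets through. */
size_t accepted_indices(bool (*ok)(size_t), size_t limit)
{
    size_t n = 0;
    for (size_t i = 0; i < limit; i++)
        if (ok(i)) n++;
    return n;
}

/* Write 'count' register values through the given check, the way a
 * save/restore loop would. The table is backed by one extra guard byte
 * so an off-by-one write hits the guard instead of adjacent memory.
 * Returns true if the guard byte was clobbered. */
bool guard_clobbered(bool (*ok)(size_t), size_t count)
{
    unsigned char backing[DAC_SIZE + 1];
    unsigned char *dac = backing;          /* the "real" 768-byte table */
    const unsigned char value = 0xAB;      /* constructed register value */

    memset(backing, 0, sizeof backing);
    backing[DAC_SIZE] = 0x5A;              /* guard just past the table */
    for (size_t i = 0; i < count; i++) {
        if (!ok(i))
            break;                         /* check rejected the index */
        dac[i] = value;
    }
    return backing[DAC_SIZE] != 0x5A;
}
```

With an index range of 0..1023, as in the tool report, the buggy check admits 769 indices and overwrites the guard; the corrected check admits exactly 768 and leaves it intact.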
