[PATCH] Use temporary buffer for generating Uxxx names to avoid overflow
Alan Coopersmith
alan.coopersmith at sun.com
Mon May 11 09:39:03 PDT 2009
Instead of sprintf()'ing a 4 character string to a char [4] buffer,
and leaving the trailing '\0' to overwrite into the next entry,
snprintf() to a 5 character temp buffer and memcpy the 4 characters
to the right place.
Fixes parfait errors:
Error: Buffer overflow at xkbcomp-1.0.4/misc.c:393
in function 'ComputeKbdDefaults' [Standard C Library pattern matching]
In sprintf related dereference of xkb->names->keys[i].name
with index not less than '4'
Destination array size is 4 bytes, data to be written is 4 bytes
Error: Buffer overflow at xkbcomp-1.0.4/misc.c:402
in function 'ComputeKbdDefaults' [Standard C Library pattern matching]
In sprintf related dereference of xkb->names->keys[i].name
with index not less than '4'
Destination array size is 4 bytes, data to be written is 4 bytes
[This bug was found by the Parfait bug checking tool.
For more information see http://research.sun.com/projects/parfait ]
Signed-off-by: Alan Coopersmith <alan.coopersmith at sun.com>
---
misc.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/misc.c b/misc.c
index 0e4f61d..4990a74 100644
--- a/misc.c
+++ b/misc.c
@@ -383,6 +383,7 @@ ComputeKbdDefaults(XkbDescPtr xkb)
register int i, tmp, nUnknown;
KeyNameDesc *name;
KeySym *syms;
+ char tmpname[XkbKeyNameLength + 1];
if ((xkb->names == NULL) || (xkb->names->keys == NULL))
{
@@ -430,8 +431,10 @@ ComputeKbdDefaults(XkbDescPtr xkb)
ACTION2("Using <U%03d> for key %d\n",
nUnknown, i);
}
- sprintf(xkb->names->keys[i].name, "U%03d",
- nUnknown++);
+ snprintf(tmpname, sizeof(tmpname), "U%03d",
+ nUnknown++);
+ memcpy(xkb->names->keys[i].name, tmpname,
+ XkbKeyNameLength);
}
break;
}
@@ -442,7 +445,9 @@ ComputeKbdDefaults(XkbDescPtr xkb)
{
WARN1("Key %d does not match any defaults\n", i);
ACTION1("Using name <U%03d>\n", nUnknown);
- sprintf(xkb->names->keys[i].name, "U%03d", nUnknown++);
+ snprintf(tmpname, sizeof(tmpname), "U%03d", nUnknown++);
+ memcpy(xkb->names->keys[i].name, tmpname,
+ XkbKeyNameLength);
}
}
}
--
1.5.6.5
More information about the xorg-devel
mailing list