Fri Oct 7 15:55:36 2016 UTC ()
CID 1373518: Memory corruption (off-by-one)


(christos)
diff -r1.2 -r1.3 xsrc/external/mit/xorg-server/dist/hw/xfree86/drivers/modesetting/drmmode_display.c
cvs diff -r1.2 -r1.3 xsrc/external/mit/xorg-server/dist/hw/xfree86/drivers/modesetting/drmmode_display.c (expand / switch to unified diff)

--- xsrc/external/mit/xorg-server/dist/hw/xfree86/drivers/modesetting/drmmode_display.c 2016/10/07 15:43:38 1.2
+++ xsrc/external/mit/xorg-server/dist/hw/xfree86/drivers/modesetting/drmmode_display.c 2016/10/07 15:55:36 1.3
@@ -1360,27 +1360,27 @@ static int parse_path_blob(drmModeProper @@ -1360,27 +1360,27 @@ static int parse_path_blob(drmModeProper
1360 1360
1361 if (!path_blob) 1361 if (!path_blob)
1362 return -1; 1362 return -1;
1363 1363
1364 blob_data = path_blob->data; 1364 blob_data = path_blob->data;
1365 /* we only handle MST paths for now */ 1365 /* we only handle MST paths for now */
1366 if (strncmp(blob_data, "mst:", 4)) 1366 if (strncmp(blob_data, "mst:", 4))
1367 return -1; 1367 return -1;
1368 1368
1369 conn = strchr(blob_data + 4, '-'); 1369 conn = strchr(blob_data + 4, '-');
1370 if (!conn) 1370 if (!conn)
1371 return -1; 1371 return -1;
1372 len = conn - (blob_data + 4); 1372 len = conn - (blob_data + 4);
1373 if (len + 1> 5) 1373 if (len + 1 >= sizeof(conn_id))
1374 return -1; 1374 return -1;
1375 memcpy(conn_id, blob_data + 4, len); 1375 memcpy(conn_id, blob_data + 4, len);
1376 conn_id[len + 1] = '\0'; 1376 conn_id[len + 1] = '\0';
1377 id = strtoul(conn_id, NULL, 10); 1377 id = strtoul(conn_id, NULL, 10);
1378 1378
1379 *conn_base_id = id; 1379 *conn_base_id = id;
1380 1380
1381 *path = conn + 1; 1381 *path = conn + 1;
1382 return 0; 1382 return 0;
1383} 1383}
1384 1384
1385static void 1385static void
1386drmmode_create_name(ScrnInfoPtr pScrn, drmModeConnectorPtr koutput, char *name, 1386drmmode_create_name(ScrnInfoPtr pScrn, drmModeConnectorPtr koutput, char *name,