efl: Fix possible memory corruption in ecore xrandr EDID functions
authorasdfuser <asdfuser@7cbeb6ba-43b4-40fd-8cce-4c39aea84d33>
Wed, 12 Dec 2012 17:23:09 +0000 (17:23 +0000)
committerasdfuser <asdfuser@7cbeb6ba-43b4-40fd-8cce-4c39aea84d33>
Wed, 12 Dec 2012 17:23:09 +0000 (17:23 +0000)
Report from Klocwork. I checked that the actual max size of the name is
13 bytes. Now we allocate one more to hold the terminating NULL byte and
not write into unallocated memory.

Signed-off-by: Daniel Willmann <d.willmann@samsung.com>
git-svn-id: svn+ssh://svn.enlightenment.org/var/svn/e/branches/ecore-1.7@80773 7cbeb6ba-43b4-40fd-8cce-4c39aea84d33

ChangeLog
NEWS
src/lib/ecore_x/xcb/ecore_xcb_randr.c
src/lib/ecore_x/xlib/ecore_x_randr_12_edid.c

index 7050fcd..45f159e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
 
        * Fix build without IPv6.
 
+2012-12-12  Daniel Willmann
+
+       * Fix possible memory corruption in xrandr EDID functions.
diff --git a/NEWS b/NEWS
index 35a0a46..c174671 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ Changes since Ecore 1.7.3:
 
 Fixes:
     * Fix build without IPv6.
+    * Fix possible memory corruption in xrandr EDID functions.
+
 
 Ecore 1.7.3
 
index a96b047..cc7d6a4 100644 (file)
@@ -2761,12 +2761,11 @@ ecore_x_randr_edid_display_name_get(unsigned char *edid, unsigned long edid_leng
              edid_name = (const char *)block + 
                _ECORE_X_RANDR_EDID_OFFSET_DESCRIPTOR_BLOCK_CONTENT;
              name = 
-               malloc(sizeof(char) * 
-                      _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
+               malloc(_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX + 1);
              if (!name) return NULL;
 
              strncpy(name, edid_name, 
-                     (_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX - 1));
+                     _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
              name[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0;
              for (p = name; *p; p++)
                if ((*p < ' ') || (*p > '~')) *p = 0;
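Review bot: Nothing in the hunk says why the allocation is one byte larger than the copy, and the copy on the new `strncpy` line now reads the full `_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX` bytes from `edid_name`, which is only safe if the `edid_length` check earlier in `ecore_x_randr_edid_display_name_get` (outside this hunk) guarantees that `block + _ECORE_X_RANDR_EDID_OFFSET_DESCRIPTOR_BLOCK_CONTENT + MAX` stays inside the EDID buffer; worth confirming, since the read bound is not visible here. A comment above the `malloc` would carry that contract: `/* descriptor text is MAX bytes and need not be NUL-terminated in the EDID; +1 holds our own terminator */`. Because `name[MAX] = 0` already terminates explicitly, `memcpy(name, edid_name, _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);` states the intent more directly than `strncpy`, whose stop-at-NUL and zero-padding behaviour is irrelevant here and routinely misread as bounds safety. The same alloc/copy/terminate pattern appears in all three hunks of src/lib/ecore_x/xlib/ecore_x_randr_12_edid.c.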
index 5bda332..4c37a2c 100644 (file)
@@ -184,9 +184,9 @@ ecore_x_randr_edid_display_name_get(unsigned char *edid,
            const char *edid_name;
 
            edid_name = (const char *)block + _ECORE_X_RANDR_EDID_OFFSET_DESCRIPTOR_BLOCK_CONTENT;
-           name = malloc(sizeof(char) * _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
+           name = malloc(_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX + 1);
            if (!name) return NULL;
-           strncpy(name, edid_name, (_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX - 1));
+           strncpy(name, edid_name, _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
            name[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0;
            for (p = name; *p; p++)
              {
@@ -288,9 +288,9 @@ ecore_x_randr_edid_display_ascii_get(unsigned char *edid,
             * TODO: Two of these in a row, in the third and fourth slots,
             * seems to be specified by SPWG: http://www.spwg.org/
             */
-           ascii = malloc(sizeof(char) * _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
+           ascii = malloc(_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX + 1);
            if (!ascii) return NULL;
-           strncpy(ascii, edid_ascii, (_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX - 1));
+           strncpy(ascii, edid_ascii, _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
            ascii[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0;
            for (p = ascii; *p; p++)
              {
@@ -321,9 +321,9 @@ ecore_x_randr_edid_display_serial_get(unsigned char *edid,
             * TODO: Two of these in a row, in the third and fourth slots,
             * seems to be specified by SPWG: http://www.spwg.org/
             */
-           serial = malloc(sizeof(char) * _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
+           serial = malloc(_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX + 1);
            if (!serial) return NULL;
-           strncpy(serial, edid_serial, (_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX - 1));
+           strncpy(serial, edid_serial, _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
            serial[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0;
            for (p = serial; *p; p++)
              {
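Review bot: The three hunks in this file apply the identical malloc/strncpy/terminate sequence in `ecore_x_randr_edid_display_name_get`, `ecore_x_randr_edid_display_ascii_get` and `ecore_x_randr_edid_display_serial_get`, so the off-by-one this commit fixes had to be corrected in three places and any future change to the length constant must again be mirrored by hand. A small static helper that owns the allocation, the fixed-length copy and the terminator would leave one place to get right; the sanitising loops that follow each copy continue past the hunks and can stay at the call sites. All three enclosing functions start before their hunks, and the helper would need `<string.h>` in scope if it is not already. Suggested shape, shown at the first call site:

```c
/* Copy one descriptor-block text field into a freshly allocated,
 * NUL-terminated string. The field is MAX bytes long and need not be
 * NUL-terminated in the EDID; the caller must free the result. */
static char *
_ecore_x_randr_edid_descriptor_text_dup(const char *content)
{
   char *s = malloc(_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX + 1);
   if (!s) return NULL;
   memcpy(s, content, _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
   s[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0;
   return s;
}

/* … unchanged: ecore_x_randr_edid_display_name_get up to edid_name … */
           name = _ecore_x_randr_edid_descriptor_text_dup(edid_name);
           if (!name) return NULL;
/* … unchanged: sanitising loop over name; same replacement for ascii and serial … */
```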