From 04a305121fbc08ecc2ef345ee7155d6087a43fd1 Mon Sep 17 00:00:00 2001
From: Daniel Martin <consume.noise@gmail.com>
Date: Fri, 27 Oct 2017 16:11:53 +0200
Subject: [PATCH] modesetting: Fix potential buffer overflow

If one misconfigures a ZaphodHeads value (more than 20 characters
without a delimiter), we get an overflow of our buffer.  Use
xstrtokenize() instead of writing/fixing our own tokenizer.

Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
---
 .../drivers/modesetting/drmmode_display.c     | 38 +++++++------------
 include/misc.h                                |  2 +-
 2 files changed, 14 insertions(+), 26 deletions(-)

diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 5bfae0b03..e14833dee 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
 static Bool
 drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
 {
-    int i = 0;
-    char s1[20];
+    char **token = xstrtokenize(s, ", \t\n\r");
+    Bool ret = FALSE;
 
-    do {
-        switch(*s) {
-        case ',':
-            s1[i] = '\0';
-            i = 0;
-            if (strcmp(s1, output_name) == 0)
-                return TRUE;
-            break;
-        case ' ':
-        case '\t':
-        case '\n':
-        case '\r':
-            break;
-        default:
-            s1[i] = *s;
-            i++;
-            break;
-        }
-    } while(*s++);
+    if (!token)
+        return FALSE;
 
-    s1[i] = '\0';
-    if (strcmp(s1, output_name) == 0)
-        return TRUE;
+    for (int i = 0; token[i]; i++) {
+        if (strcmp(token[i], output_name) == 0)
+            ret = TRUE;
 
-    return FALSE;
+        free(token[i]);
+    }
+
+    free(token);
+
+    return ret;
 }
 
 int
diff --git a/include/misc.h b/include/misc.h
index 9d0e422e3..14920c3c3 100644
--- a/include/misc.h
+++ b/include/misc.h
@@ -233,7 +233,7 @@ padding_for_int32(const int bytes)
 }
 
 
-extern char **xstrtokenize(const char *str, const char *separators);
+extern _X_EXPORT char **xstrtokenize(const char *str, const char *separators);
 extern void FormatInt64(int64_t num, char *string);
 extern void FormatUInt64(uint64_t num, char *string);
 extern void FormatUInt64Hex(uint64_t num, char *string);