Xext: dynamically allocate the PanoramiXDepths[j].vids array

Control flow is: PanoramiXMaybeAddDepth() allocates an array size 240 (pDepth->numVisuals) PanoramiXMaybeAddVisual() finds up to 270 matches (pScreen->numVisuals) and writes those into the previously allocated array. This caused invalid reads/writes followed by eventually a double-free abort. Reproduced with xorg-integration-tests server test XineramaTest.ScreenCrossing/* (and a bunch of others). Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 93cafb0828)
2018-07-18 13:22:43 +10:00 · 2018-07-18 13:22:43 +10:00 · 9347326d28
parent cbf1ca2dba
commit 9347326d28
1 changed files with 4 additions and 5 deletions
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@ -751,11 +751,7 @@ PanoramiXMaybeAddDepth(DepthPtr pDepth)
                                   PanoramiXNumDepths, sizeof(DepthRec));
    PanoramiXDepths[j].depth = pDepth->depth;
    PanoramiXDepths[j].numVids = 0;
-    /* XXX suboptimal, should grow these dynamically */
-    if (pDepth->numVids)
-        PanoramiXDepths[j].vids = xallocarray(pDepth->numVids, sizeof(VisualID));
-    else
-        PanoramiXDepths[j].vids = NULL;
+    PanoramiXDepths[j].vids = NULL;
 }

 static void
@ -796,6 +792,9 @@ PanoramiXMaybeAddVisual(VisualPtr pVisual)

    for (k = 0; k < PanoramiXNumDepths; k++) {
        if (PanoramiXDepths[k].depth == pVisual->nplanes) {
+            PanoramiXDepths[k].vids = reallocarray(PanoramiXDepths[k].vids,
+                                                   PanoramiXDepths[k].numVids + 1,
+                                                   sizeof(VisualID));
            PanoramiXDepths[k].vids[PanoramiXDepths[k].numVids] = pVisual->vid;
            PanoramiXDepths[k].numVids++;
            break;