Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread Jeremy Huddleston
On Sep 23, 2010, at 11:37, walter harms wrote: > > > Pat Kane schrieb: >> In the original code if 'i' is equal to 10 then the line >> (void) memmove((char*)par, (char*)params, i * sizeof(String) ); >> moves ten things, which is okay. >> >> The next line: >> bzero( &par[i], (10-i) * sizeof(S

Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread Pat Kane
> setting the limit to i=9 would fix that. But then the line (void) memmove((char*)par, (char*)params, i * sizeof(String) ); would be wrong since it would move nine instead of ten things. ___ xorg@lists.freedesktop.org: X.Org support Archives: http:

Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread walter harms
Pat Kane schrieb: > In the original code if 'i' is equal to 10 then the line >(void) memmove((char*)par, (char*)params, i * sizeof(String) ); > moves ten things, which is okay. > > The next line: >bzero( &par[i], (10-i) * sizeof(String) ); > moves zero things to a bad address, which is p

Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread Pat Kane
In the original code if 'i' is equal to 10 then the line (void) memmove((char*)par, (char*)params, i * sizeof(String) ); moves ten things, which is okay. The next line: bzero( &par[i], (10-i) * sizeof(String) ); moves zero things to a bad address, which is probably okay, but I bet some code

Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread Jeremy Huddleston
As I had mentioned earlier, there actually is no overflow because the code cannot reach that point if *num_params is 0. On Sep 23, 2010, at 09:26, walter harms wrote: > > > Barry Scott schrieb: >> On Wednesday 22 September 2010 08:18:21 walter harms wrote: >>> hi List, >>> the code checks the

Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread walter harms
Barry Scott schrieb: > On Wednesday 22 September 2010 08:18:21 walter harms wrote: >> hi List, >> the code checks the upperlimit to 10 while the upperlimit is actualy 9. > > You could use "(sizeof( par )/sizeof( String ))-1" to make the code robust > aginst > a change to the size of par. > ye

Re: patch: libXt-1.0.8 fix possible array overflow

2010-09-23 Thread Barry Scott
On Wednesday 22 September 2010 08:18:21 walter harms wrote: > hi List, > the code checks the upperlimit to 10 while the upperlimit is actualy 9. You could use "(sizeof( par )/sizeof( String ))-1" to make the code robust aginst a change to the size of par. Barry > > re, > wh > > > --- libXt-

patch: libXt-1.0.8 fix possible array overflow

2010-09-22 Thread walter harms
hi List, the code checks the upperlimit to 10 while the upperlimit is actualy 9. re, wh --- libXt-1.0.8/src/Error.c.org 2010-09-21 23:23:00.0 +0200 +++ libXt-1.0.8/src/Error.c 2010-09-21 23:24:03.0 +0200 @@ -257,7 +257,7 @@ */ Cardinal i = *num_param