From 0ab680f08208afe51ad6ddc1018b7d6f8b851840 Mon Sep 17 00:00:00 2001

From: Adam Jackson <ajax@redhat.com>

Date: Thu, 24 Feb 2011 16:06:34 -0500

Subject: [PATCH] vbe: Fix malloc size bug

v2: Slightly more obvious sizing math.

==14882== Invalid write of size 2

==14882==    at 0x6750267: VBEGetVBEInfo (vbe.c:400)

==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)

==14882==    by 0x471895: InitOutput (xf86Init.c:519)

==14882==    by 0x422778: main (main.c:205)

==14882==  Address 0x4f32fa8 is 72 bytes inside a block of size 73 alloc'd

==14882==    at 0x4A0640D: malloc (vg_replace_malloc.c:236)

==14882==    by 0x675024B: VBEGetVBEInfo (vbe.c:398)

==14882==    by 0x6142064: ??? (in /usr/lib64/xorg/modules/drivers/vesa_drv.so)

==14882==    by 0x471895: InitOutput (xf86Init.c:519)

==14882==    by 0x422778: main (main.c:205)

Reviewed-by: Mark Kettenis <kettenis@openbsd.org>

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Adam Jackson <ajax@redhat.com>

(cherry picked from commit d8caa782009abf4dc17b945e325e83fda299a534)

---

 hw/xfree86/vbe/vbe.c |    2 +-

 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c

index bcda5ec..04132d9 100644

--- a/hw/xfree86/vbe/vbe.c

+++ b/hw/xfree86/vbe/vbe.c

@@ -395,7 +395,7 @@ VBEGetVBEInfo(vbeInfoPtr pVbe)

     i = 0;

     while (modes[i] != 0xffff)

 	i++;

-    block->VideoModePtr = malloc(sizeof(CARD16) * i + 1);

+    block->VideoModePtr = malloc(sizeof(CARD16) * (i + 1));

     memcpy(block->VideoModePtr, modes, sizeof(CARD16) * i);

     block->VideoModePtr[i] = 0xffff;

-- 

1.7.4