summaryrefslogtreecommitdiff
path: root/src/lib/ecore_x/xcb/ecore_xcb_randr.c
diff options
context:
space:
mode:
authorDaniel Willmann <d.willmann@samsung.com>2012-12-12 17:23:09 +0000
committerDaniel Willmann <daniel@totalueberwachung.de>2012-12-12 17:23:09 +0000
commit9772e3b5dc69bfda334a73b1d370d1743e3565bb (patch)
tree54c1ea9e46c14474ef29a301ca36d9e03514a1d4 /src/lib/ecore_x/xcb/ecore_xcb_randr.c
parent0258402fe8f489b6a39934d668af97e1477728bf (diff)
efl: Fix possible memory corruption in ecore xrandr EDID functions
Report from Klocwork. I checked that the actual max size of the name is 13 bytes. Now we allocate one more to hold the terminating NULL byte and not write into unallocated memory. Signed-off-by: Daniel Willmann <d.willmann@samsung.com> SVN revision: 80773
Diffstat (limited to 'src/lib/ecore_x/xcb/ecore_xcb_randr.c')
-rw-r--r--src/lib/ecore_x/xcb/ecore_xcb_randr.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/lib/ecore_x/xcb/ecore_xcb_randr.c b/src/lib/ecore_x/xcb/ecore_xcb_randr.c
index a2a4e6271f..f3ae9b5f28 100644
--- a/src/lib/ecore_x/xcb/ecore_xcb_randr.c
+++ b/src/lib/ecore_x/xcb/ecore_xcb_randr.c
@@ -2761,12 +2761,11 @@ ecore_x_randr_edid_display_name_get(unsigned char *edid, unsigned long edid_leng
2761 edid_name = (const char *)block + 2761 edid_name = (const char *)block +
2762 _ECORE_X_RANDR_EDID_OFFSET_DESCRIPTOR_BLOCK_CONTENT; 2762 _ECORE_X_RANDR_EDID_OFFSET_DESCRIPTOR_BLOCK_CONTENT;
2763 name = 2763 name =
2764 malloc(sizeof(char) * 2764 malloc(_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX + 1);
2765 _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
2766 if (!name) return NULL; 2765 if (!name) return NULL;
2767 2766
2768 strncpy(name, edid_name, 2767 strncpy(name, edid_name,
2769 (_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX - 1)); 2768 _ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX);
2770 name[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0; 2769 name[_ECORE_X_RANDR_EDID_DISPLAY_DESCRIPTOR_BLOCK_CONTENT_LENGTH_MAX] = 0;
2771 for (p = name; *p; p++) 2770 for (p = name; *p; p++)
2772 if ((*p < ' ') || (*p > '~')) *p = 0; 2771 if ((*p < ' ') || (*p > '~')) *p = 0;