This is my first time sending a patch to the mailing list, so I'm sorry if I did something wrong.
The function drmParsePciBusInfo() in xf86drm.c reads the contents of the file "/sys/dev/char/x:y/device/uevent" into the buffer. The string written to the buffer by read() is not null-terminated, but this function is writing null only at the end of the buffer. As a result, the string passed to sscanf() contains an uninitialized value and sscanf uses it.
For example, the string that should be passed to sscanf(): "The contents of the file\0"
The string actually passed to sscanf(): "The contents of the file and uninitialized value until the end of the buffer\0"
From: Taro Yamada archer_ame@yahoo.co.jp
The string written to the buffer by read() is not null-terminated, but currently drmParsePciBusInfo() places a null character only at the end of the buffer, not at the end of the string. As a result, the string passed to sscanf() contains an uninitialized value.
This patch changes it to place the null character at the end of the string.
Signed-off-by: Taro Yamada archer_ame@yahoo.co.jp --- xf86drm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xf86drm.c b/xf86drm.c index b5eeeb0..a59cfd0 100644 --- a/xf86drm.c +++ b/xf86drm.c @@ -2925,11 +2925,11 @@ static int drmParsePciBusInfo(int maj, int min, drmPciBusInfoPtr info) if (fd < 0) return -errno;
- ret = read(fd, data, sizeof(data)); - data[sizeof(data)-1] = '\0'; + ret = read(fd, data, sizeof(data)-1); close(fd); if (ret < 0) return -errno; + data[ret] = '\0';
#define TAG "PCI_SLOT_NAME=" str = strstr(data, TAG);
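Review bot: in the drmParsePciBusInfo() hunk, close(fd) still sits between read() and `if (ret < 0) return -errno;`, so a failing close() can overwrite the errno that read() set and the caller receives the wrong error code. Consider saving errno immediately after read(), or checking ret before calling close(fd) on both paths. The new `data[ret] = '\0';` stays in bounds because read() is now limited to sizeof(data)-1 bytes and the ret < 0 case returns first; a uevent file longer than that is silently truncated, which may deserve a comment.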
dri-devel@lists.freedesktop.org
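The failure mode described in the mail above, as an added example that is not part of the original patch or of libdrm: the same read-then-parse sequence run with the NUL placed at the end of the buffer and at `data[ret]`. The pipe-backed sample file, the stale buffer contents, the `%04x:%02x:%02x.%1u` format and the names `open_sample` and `parse_slot` are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TAG "PCI_SLOT_NAME="

/* Constructed stand-in for the uevent file: a pipe preloaded with `text`. */
static int open_sample(const char *text)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    ssize_t w = write(p[1], text, strlen(text));
    close(p[1]);
    if (w < 0) { close(p[0]); return -1; }
    return p[0];
}

/* Returns fields parsed (4 on success), 0 if TAG is absent, -1 on I/O error.
 * fixed=0: NUL only at the end of the buffer; fixed=1: NUL at data[ret]. */
int parse_slot(const char *text, int fixed, unsigned out[4])
{
    /* Constructed stale bytes standing in for uninitialized stack contents. */
    static const char stale[] = "PCI_SLOT_NAME=0000:ff:1f.7\n";
    char data[128];
    ssize_t ret;
    int fd = open_sample(text);
    if (fd < 0) return -1;
    for (size_t i = 0; i < sizeof(data); i++)
        data[i] = stale[i % (sizeof(stale) - 1)];
    ret = read(fd, data, fixed ? sizeof(data) - 1 : sizeof(data));
    close(fd);
    if (ret < 0) return -1;
    if (fixed) data[ret] = '\0';
    else data[sizeof(data) - 1] = '\0';
    const char *str = strstr(data, TAG);
    if (!str) return 0;
    return sscanf(str + strlen(TAG), "%04x:%02x:%02x.%1u",
                  &out[0], &out[1], &out[2], &out[3]);
}

int main(void)
{
    unsigned v[4] = {0};
    const char *text = "DRIVER=example\n"; /* constructed: no PCI_SLOT_NAME */
    printf("end-of-buffer NUL: %d fields\n", parse_slot(text, 0, v));
    printf("NUL at data[ret]:  %d fields\n", parse_slot(text, 1, v));
    return 0;
}
```

With the end-of-buffer terminator, a file that has no PCI_SLOT_NAME line still yields a "successful" parse taken from the leftover bytes; with the terminator at `data[ret]` the tag is correctly reported as absent.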