On Wed, Mar 20, 2019 at 03:57:46PM +0000, Frediano Ziglio wrote: > From: Christophe Fergeau <cfergeau@xxxxxxxxxx> > > If worker->qxl->id is bigger than 0x7ffffff (in other words, it's a > negative signed int) then > printf(worker_str, "display[%d]", worker->qxl->id); > will need: > > "display[]" -> 9 bytes > %d -> 11 bytes > > The trailing \0 will thus overflow our 20 bytes destination. > As QXLInstance::id should be an unsigned int, this commit changes the > format string to use %u. This also switches to snprintf. > --- > server/red-worker.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/server/red-worker.c b/server/red-worker.c > index 8051d1e4..50612aca 100644 > --- a/server/red-worker.c > +++ b/server/red-worker.c > @@ -1291,7 +1291,7 @@ RedWorker* red_worker_new(QXLInstance *qxl, > worker->zlib_glz_state = reds_get_zlib_glz_state(reds); > worker->driver_cap_monitors_config = 0; > char worker_str[SPICE_STAT_NODE_NAME_MAX]; > - sprintf(worker_str, "display[%d]", worker->qxl->id); > + snprintf(worker_str, sizeof(worker_str), "display[%u]", (unsigned int)worker->qxl->id); I'd still add a &0xff at the end to make it explicit that we expect a uint8_t. It's a patch I wrote, so no further comments ;) Christophe > stat_init_node(&worker->stat, reds, NULL, worker_str, TRUE); > stat_init_counter(&worker->wakeup_counter, reds, &worker->stat, "wakeups", TRUE); > stat_init_counter(&worker->command_counter, reds, &worker->stat, "commands", TRUE); > -- > 2.20.1 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > https://lists.freedesktop.org/mailman/listinfo/spice-devel
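Review bot: the return value of the new snprintf() call on the `+` line is ignored, so a truncated node name would be passed to stat_init_node() without any indication. With the 20-byte destination the commit message gives, and assuming a 32-bit unsigned int, the longest %u result is "display[4294967295]": 19 characters plus the terminating NUL, which fits exactly with no spare byte. A later change to the format string or to SPICE_STAT_NODE_NAME_MAX would therefore truncate silently. Consider checking that the return value is non-negative and smaller than sizeof(worker_str), or adding a compile-time assertion that SPICE_STAT_NODE_NAME_MAX covers the worst case. The commit message also has two slips: "0x7ffffff" is one f short of 0x7fffffff, and the call it quotes is written as printf where the removed line uses sprintf.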