From 08a655a883aa837cf1de05fdaf0d371c4af8e404 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Thu, 17 Feb 2022 17:28:44 +0100 Subject: EGLWLInputEventExample: Repair array out of bounds access The problem is in the `fprintf(..., left_ptrs[j])`, where if this code is ever triggered, the variable `j=4` always, while the `left_ptrs` array only has four entries instead of five, so the code would access one entry past the array. In case this code is triggered, it does cause segmentation fault. Signed-off-by: Marek Vasut --- .../EGLWLInputEventExample/src/WLContext.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ivi-layermanagement-examples/EGLWLInputEventExample/src/WLContext.cpp b/ivi-layermanagement-examples/EGLWLInputEventExample/src/WLContext.cpp index ade58f0..dedb5a8 100644 --- a/ivi-layermanagement-examples/EGLWLInputEventExample/src/WLContext.cpp +++ b/ivi-layermanagement-examples/EGLWLInputEventExample/src/WLContext.cpp @@ -64,6 +64,7 @@ WLContext::~WLContext() * The following correspondences between file names and cursors was copied * from: https://bugs.kde.org/attachment.cgi?id=67313 */ +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) static const char *left_ptrs[] = { "left_ptr", @@ -86,12 +87,12 @@ create_cursors(WLContext* wlContext) } wlContext->SetWLCursor((wl_cursor*) malloc(sizeof(wl_cursor))); - for (j = 0; !cursor && j < 4; ++j) + for (j = 0; !cursor && j < ARRAY_SIZE(left_ptrs); ++j) cursor = wl_cursor_theme_get_cursor(wlContext->GetWLCursorTheme(), left_ptrs[j]); if (!cursor) - fprintf(stderr, "could not load cursor '%s'\n", left_ptrs[j]); + fprintf(stderr, "could not load any cursor\n"); wlContext->SetWLCursor(cursor); } -- cgit v1.2.1