From: Chris Wilson
Subject: Re: [BUG] Intel xorg driver 2.20.2 overlay off-by-one bug
Date: Mon, 13 Aug 2012 19:27:23 +0100
Message-ID: <1344882450_87175@CP5-2952>
References: <20120812090144.GC18957@n2100.arm.linux.org.uk>
In-Reply-To: <20120812090144.GC18957@n2100.arm.linux.org.uk>
To: Russell King - ARM Linux, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Sun, 12 Aug 2012 10:01:44 +0100, Russell King - ARM Linux wrote:
> While reading through the Intel driver code, I spotted this in
> I830SetPortAttributeOverlay:
>
>         } else if (attribute == xvPipe) {
>                 xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
>                 if ((value < -1) || (value > xf86_config->num_crtc))
>                         return BadValue;
>                 if (value < 0)
>                         adaptor_priv->desired_crtc = NULL;
>                 else
>                         adaptor_priv->desired_crtc = xf86_config->crtc[value];
>
> This allows value == xf86_config->num_crtc to be valid, which would be
> the CRTC number _after_ the last one in the array. Presumably this is
> not desired, and the test should be ">=".

Thanks for bringing this to our attention and poking Dave, who promptly
pushed a patch to fix the bug.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
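
The bounds check quoted in the report, next to the ">=" form it suggests, as an added example that is not part of the original message and is not the driver's code. `struct crtc_config`, the two `check_pipe_*` functions, `count_out_of_range_accepts` and the `SUCCESS`/`BAD_VALUE` constants are hypothetical stand-ins; the sweep only classifies values and never indexes an array.

```c
#include <stdio.h>

/* Constructed stand-ins for the X server types; not the driver's definitions. */
#define SUCCESS   0
#define BAD_VALUE 2   /* models the X protocol BadValue error */

struct crtc_config {
    int num_crtc;     /* crtc[] would hold indices 0 .. num_crtc - 1 */
};

typedef int (*pipe_check)(const struct crtc_config *, int);

/* Comparison as quoted in the report: value == num_crtc passes. */
static int check_pipe_reported(const struct crtc_config *cfg, int value)
{
    if ((value < -1) || (value > cfg->num_crtc))
        return BAD_VALUE;
    return SUCCESS;
}

/* Comparison with the ">=" the report suggests. */
static int check_pipe_suggested(const struct crtc_config *cfg, int value)
{
    if ((value < -1) || (value >= cfg->num_crtc))
        return BAD_VALUE;
    return SUCCESS;
}

/* Sweeps the boundary region and counts accepted values that would
 * index outside crtc[]. -1 is the "no desired CRTC" sentinel and is
 * never used as an index, so it is not counted. */
static int count_out_of_range_accepts(pipe_check check,
                                      const struct crtc_config *cfg)
{
    int bad = 0;
    for (int value = -3; value <= cfg->num_crtc + 2; value++) {
        int accepted = (check(cfg, value) == SUCCESS);
        int indexable = (value >= 0 && value < cfg->num_crtc);
        if (accepted && value != -1 && !indexable)
            bad++;
    }
    return bad;
}

int main(void)
{
    struct crtc_config cfg = { 2 };   /* constructed: two CRTCs */
    printf("out-of-range values accepted: reported=%d suggested=%d\n",
           count_out_of_range_accepts(check_pipe_reported, &cfg),
           count_out_of_range_accepts(check_pipe_suggested, &cfg));
    return 0;
}
```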