public inbox for intel-gfx@lists.freedesktop.org
 help / color / mirror / Atom feed
* [BUG] Intel xorg driver 2.20.2 overlay off-by-one bug
@ 2012-08-12  9:01 Russell King - ARM Linux
  2012-08-13 18:27 ` Chris Wilson
  0 siblings, 1 reply; 2+ messages in thread
From: Russell King - ARM Linux @ 2012-08-12  9:01 UTC (permalink / raw)
  To: intel-gfx, dri-devel

While reading through the Intel driver code, I spotted this in
I830SetPortAttributeOverlay:

        } else if (attribute == xvPipe) {
                xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
                if ((value < -1) || (value > xf86_config->num_crtc))
                        return BadValue;
                if (value < 0)
                        adaptor_priv->desired_crtc = NULL;
                else
                        adaptor_priv->desired_crtc = xf86_config->crtc[value];

This allows value == xf86_config->num_crtc to be valid, which would be
the CRTC number _after_ the last one in the array.  Presumably this is
not desired, and the test should be ">=".

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: [BUG] Intel xorg driver 2.20.2 overlay off-by-one bug
  2012-08-12  9:01 [BUG] Intel xorg driver 2.20.2 overlay off-by-one bug Russell King - ARM Linux
@ 2012-08-13 18:27 ` Chris Wilson
  0 siblings, 0 replies; 2+ messages in thread
From: Chris Wilson @ 2012-08-13 18:27 UTC (permalink / raw)
  To: Russell King - ARM Linux, intel-gfx, dri-devel

On Sun, 12 Aug 2012 10:01:44 +0100, Russell King - ARM Linux <linux@arm.linux.org.uk> wrote:
> While reading through the Intel driver code, I spotted this in
> I830SetPortAttributeOverlay:
> 
>         } else if (attribute == xvPipe) {
>                 xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
>                 if ((value < -1) || (value > xf86_config->num_crtc))
>                         return BadValue;
>                 if (value < 0)
>                         adaptor_priv->desired_crtc = NULL;
>                 else
>                         adaptor_priv->desired_crtc = xf86_config->crtc[value];
> 
> This allows value == xf86_config->num_crtc to be valid, which would be
> the CRTC number _after_ the last one in the array.  Presumably this is
> not desired, and the test should be ">=".

Thanks for bringing this to our attention and poking Dave, who promptly
pushed a patch to fix the bug.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-08-13 18:27 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-08-12  9:01 [BUG] Intel xorg driver 2.20.2 overlay off-by-one bug Russell King - ARM Linux
2012-08-13 18:27 ` Chris Wilson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox