From mboxrd@z Thu Jan  1 00:00:00 1970
From: Russell King - ARM Linux <linux@arm.linux.org.uk>
Subject: [BUG] Intel xorg driver 2.20.2 overlay off-by-one bug
Date: Sun, 12 Aug 2012 10:01:44 +0100
Message-ID: <20120812090144.GC18957@n2100.arm.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org>
Content-Disposition: inline
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Sender: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
Errors-To: dri-devel-bounces+sf-dri-devel=m.gmane.org@lists.freedesktop.org
To: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

While reading through the Intel driver code, I spotted this in
I830SetPortAttributeOverlay:

        } else if (attribute == xvPipe) {
                xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
                if ((value < -1) || (value > xf86_config->num_crtc))
                        return BadValue;
                if (value < 0)
                        adaptor_priv->desired_crtc = NULL;
                else
                        adaptor_priv->desired_crtc = xf86_config->crtc[value];

This allows value == xf86_config->num_crtc to be valid, which would be
the CRTC number _after_ the last one in the array.  Presumably this is
not desired, and the test should be ">=".