<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 1, 2014 at 8:36 PM,  <span dir="ltr"><<a href="mailto:dbehr@chromium.org" target="_blank">dbehr@chromium.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">From: Dominik Behr <<a href="mailto:dbehr@chromium.org">dbehr@chromium.org</a>><br>


<br>
When setting crtc->gamma_size to randr_crtc->gammaSize we should<br>
use randr_crtc->gammaSize to allocate new gamma table in crtc.<br>
Currently, if randr_crtc->gammaSize > crtc->gammaSize the subsequent<br>
memcpy will overwrite memory beyond the end of gamma table.<br>
<br>
Signed-off-by: Dominik Behr <<a href="mailto:dbehr@chromium.org">dbehr@chromium.org</a>><br></blockquote><div>Reviewed-by: Stéphane Marchesin <<a href="mailto:marcheu@chromium.org">marcheu@chromium.org</a>> </div>

<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
---<br>
 hw/xfree86/modes/xf86RandR12.c | 7 ++++---<br>
 1 file changed, 4 insertions(+), 3 deletions(-)<br>
<br>
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c<br>
index 66139dc..8a04dfc 100644<br>
--- a/hw/xfree86/modes/xf86RandR12.c<br>
+++ b/hw/xfree86/modes/xf86RandR12.c<br>
@@ -1256,12 +1256,13 @@ xf86RandR12CrtcSetGamma(ScreenPtr pScreen, RRCrtcPtr randr_crtc)<br>
         CARD16 *tmp_ptr;<br>
<br>
         tmp_ptr =<br>
-            realloc(crtc->gamma_red, 3 * crtc->gamma_size * sizeof(CARD16));<br>
+            realloc(crtc->gamma_red,<br>
+                    3 * randr_crtc->gammaSize * sizeof(CARD16));<br>
         if (!tmp_ptr)<br>
             return FALSE;<br>
         crtc->gamma_red = tmp_ptr;<br>
-        crtc->gamma_green = crtc->gamma_red + crtc->gamma_size;<br>
-        crtc->gamma_blue = crtc->gamma_green + crtc->gamma_size;<br>
+        crtc->gamma_green = crtc->gamma_red + randr_crtc->gammaSize;<br>
+        crtc->gamma_blue = crtc->gamma_green + randr_crtc->gammaSize;<br>
     }<br>
<br>
     crtc->gamma_size = randr_crtc->gammaSize;<br>
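</blockquote><div>Review bot: The size passed to realloc, 3 * randr_crtc->gammaSize * sizeof(CARD16), comes from a value that is not range-checked anywhere in the visible lines, and the same value then sets the gamma_green and gamma_blue offsets. If gammaSize can be zero, realloc may return NULL after releasing the old block, and the return FALSE path would leave crtc->gamma_red pointing at freed memory. If it can be very large, the multiplication may wrap, depending on the type of gammaSize. Suggest validating gammaSize before the realloc and keeping it in one local that is used for the allocation, for both offsets and for the crtc->gamma_size assignment after the block, so the buffer length and the recorded size cannot drift apart again. Minor: the commit message says crtc->gammaSize where the field in this hunk is crtc->gamma_size.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">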
<span class=""><font color="#888888">--<br>
1.9.1.423.g4596e3a<br>
<br>
_______________________________________________<br>
<a href="mailto:xorg-devel@lists.x.org">xorg-devel@lists.x.org</a>: X.Org development<br>
Archives: <a href="http://lists.x.org/archives/xorg-devel" target="_blank">http://lists.x.org/archives/xorg-devel</a><br>
Info: <a href="http://lists.x.org/mailman/listinfo/xorg-devel" target="_blank">http://lists.x.org/mailman/listinfo/xorg-devel</a><br>
</font></span></blockquote></div><br></div></div>