[PATCH] xfree86: fix VbeModeInfoBlock memcpy off-by-one (#30159)

Adam Jackson ajax at nwnk.net
Tue Sep 28 08:16:32 PDT 2010 

On Tue, 2010-09-21 at 23:16 +0200, Rémi Cardona wrote:
> Le 14/09/2010 09:39, Alexandre Rostovtsev a écrit :
> > This patch fixes some old memcpy off-by-one errors in vbe.c that gcc-4.5
> > complains about when compiling with -O1 or higher optimization:
> > 
> > In file included from /usr/include/string.h:642:0,
> >                  from vbe.c:16:
> > In function ‘memcpy’,
> >     inlined from ‘VBEGetModeInfo’ at vbe.c:589:8:
> > /usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
> > In function ‘memcpy’,
> >     inlined from ‘VBEGetModeInfo’ at vbe.c:592:8:
> > /usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
> > 
> > X.Org bug 30159 <https://bugs.freedesktop.org/show_bug.cgi?id=30159>
> 
> I'd put my S-O-B but I have no idea if this is the truly correct solution.
> 
> Could someone else take a look at this?

It's correct but it's exactly as ridiculous as the original.  How's this
instead:

---

diff --git a/hw/xfree86/vbe/vbe.c b/hw/xfree86/vbe/vbe.c
index 0b34648..797fef6 100644
--- a/hw/xfree86/vbe/vbe.c
+++ b/hw/xfree86/vbe/vbe.c
@@ -529,67 +529,7 @@ VBEGetModeInfo(vbeInfoPtr pVbe, int mode)
 
     block = calloc(sizeof(VbeModeInfoBlock), 1);
 
-    block->ModeAttributes = *(CARD16*)pVbe->memory;
-    block->WinAAttributes = ((char*)pVbe->memory)[2];
-    block->WinBAttributes = ((char*)pVbe->memory)[3];
-    block->WinGranularity = *(CARD16*)(((char*)pVbe->memory) + 4);
-    block->WinSize = *(CARD16*)(((char*)pVbe->memory) + 6);
-    block->WinASegment = *(CARD16*)(((char*)pVbe->memory) + 8);
-    block->WinBSegment = *(CARD16*)(((char*)pVbe->memory) + 10);
-    block->WinFuncPtr = *(CARD32*)(((char*)pVbe->memory) + 12);
-    block->BytesPerScanline = *(CARD16*)(((char*)pVbe->memory) + 16);
-
-    /* mandatory information for VBE 1.2 and above */
-    block->XResolution = *(CARD16*)(((char*)pVbe->memory) + 18);
-    block->YResolution = *(CARD16*)(((char*)pVbe->memory) + 20);
-    block->XCharSize = ((char*)pVbe->memory)[22];
-    block->YCharSize = ((char*)pVbe->memory)[23];
-    block->NumberOfPlanes = ((char*)pVbe->memory)[24];
-    block->BitsPerPixel = ((char*)pVbe->memory)[25];
-    block->NumberOfBanks = ((char*)pVbe->memory)[26];
-    block->MemoryModel = ((char*)pVbe->memory)[27];
-    block->BankSize = ((char*)pVbe->memory)[28];
-    block->NumberOfImages = ((char*)pVbe->memory)[29];
-    block->Reserved = ((char*)pVbe->memory)[30];
-
-    /* Direct color fields (required for direct/6 and YUV/7 memory models) */
-    block->RedMaskSize = ((char*)pVbe->memory)[31];
-    block->RedFieldPosition = ((char*)pVbe->memory)[32];
-    block->GreenMaskSize = ((char*)pVbe->memory)[33];
-    block->GreenFieldPosition = ((char*)pVbe->memory)[34];
-    block->BlueMaskSize = ((char*)pVbe->memory)[35];
-    block->BlueFieldPosition = ((char*)pVbe->memory)[36];
-    block->RsvdMaskSize = ((char*)pVbe->memory)[37];
-    block->RsvdFieldPosition = ((char*)pVbe->memory)[38];
-    block->DirectColorModeInfo = ((char*)pVbe->memory)[39];
-
-    /* Mandatory information for VBE 2.0 and above */
-    if (pVbe->version >= 0x200) {
-       block->PhysBasePtr = *(CARD32*)(((char*)pVbe->memory) + 40);
-       block->Reserved32 = *(CARD32*)(((char*)pVbe->memory) + 44);
-       block->Reserved16 = *(CARD16*)(((char*)pVbe->memory) + 48);
-
-       /* Mandatory information for VBE 3.0 and above */
-       if (pVbe->version >= 0x300) {
-           block->LinBytesPerScanLine = *(CARD16*)(((char*)pVbe->memory) + 50);
-           block->BnkNumberOfImagePages = ((char*)pVbe->memory)[52];
-           block->LinNumberOfImagePages = ((char*)pVbe->memory)[53];
-           block->LinRedMaskSize = ((char*)pVbe->memory)[54];
-           block->LinRedFieldPosition = ((char*)pVbe->memory)[55];
-           block->LinGreenMaskSize = ((char*)pVbe->memory)[56];
-           block->LinGreenFieldPosition = ((char*)pVbe->memory)[57];
-           block->LinBlueMaskSize = ((char*)pVbe->memory)[58];
-           block->LinBlueFieldPosition = ((char*)pVbe->memory)[59];
-           block->LinRsvdMaskSize = ((char*)pVbe->memory)[60];
-           block->LinRsvdFieldPosition = ((char*)pVbe->memory)[61];
-           block->MaxPixelClock = *(CARD32*)(((char*)pVbe->memory) + 62);
-           memcpy(&block->Reserved2, ((char*)pVbe->memory) + 66, 188);
-       }
-       else
-       memcpy(&block->LinBytesPerScanLine, ((char*)pVbe->memory) + 50, 206);
-    }
-    else
-       memcpy(&block->PhysBasePtr, ((char*)pVbe->memory) + 40, 216);
+    memcpy(block, pVbe->memory, 256);
 
     return block;
 }

---

- ajax
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.x.org/archives/xorg-devel/attachments/20100928/b8f46f1c/attachment.pgp>

More information about the xorg-devel mailing list