[PATCH xorg-server] Fix xf86EdidModes.c: array subscript is above array bounds

[Torsten Kaiser]

Using gcc with -O3 failes to compile the current version of
hw/xfree86/modes/xf86EdidModes.c.

With this optimization level gcc notices, that the loop in function
DDCModesFromEstIII() would go until i=5 and j=1 which would result in
m = (5 * 8) + (7 - 1) = 46, but the array EstIIIModes[] only contains
44 elements.

The following patch fixes this by adding 4 dummy elements to the array
so that for each 6 * 8 bits from the est_iii field a mode is defined.

Additionally the patch fixes the loop for (j = 7; j > 0; j--) to run
until 0, otherwise the last mode of each byte will always be skipped.

I had opened Bug https://bugs.freedesktop.org/show_bug.cgi?id=45623
for this and you can find the patch there too.

Signed-off-by: Torsten Kaiser <just.for.lkml at googlemail.com>

--- a/hw/xfree86/modes/xf86EdidModes.c.orig	2012-02-08 22:00:45.805914457 +0100
+++ b/hw/xfree86/modes/xf86EdidModes.c	2012-02-08 22:02:49.615915120 +0100
@@ -731,6 +731,11 @@
     { 1920, 1200, 85, 0 },
     { 1920, 1440, 60, 0 },
     { 1920, 1440, 75, 0 },
+    /* fill up last byte */
+    { 0,0,0,0 },
+    { 0,0,0,0 },
+    { 0,0,0,0 },
+    { 0,0,0,0 },
 };

 static DisplayModePtr
@@ -740,10 +745,11 @@
     int i, j, m;

     for (i = 0; i < 6; i++) {
-	for (j = 7; j > 0; j--) {
+	for (j = 7; j >= 0; j--) {
 	    if (est[i] & (1 << j)) {
 		m = (i * 8) + (7 - j);
-		modes = xf86ModesAdd(modes,
+		if (EstIIIModes[m].w)
+		    modes = xf86ModesAdd(modes,
 				     FindDMTMode(EstIIIModes[m].w,
 						 EstIIIModes[m].h,
 						 EstIIIModes[m].r,