[PATCH 1/3] xf86: return NULL for xf86CompatOutput if config->compat_output is -1

walter harms wharms at bfs.de
Sat Jul 20 09:10:28 PDT 2013

Am 18.07.2013 13:37, schrieb vdb at picaros.org:
> http://bugs.freedesktop.org/show_bug.cgi?id=65210
> 
> Commit 37d956e3ac9513b74078882dff489f9b0a7a5a28 presets 
> config->compat_output = -1 to signal an unset compat_output.  
> 
> Since compat_output is used to index config->output[] during initial 
> screen configuration a bad dereference occurs.  At this point the 
> compatibility output can't be known so a NULL return from 
> xf86CompatOutput(ScrnInfoPtr pScrn) is a logical solution. 
> 
> --------------------------------
> 
> http://lists.x.org/archives/xorg-devel/2013-March/035751.html
> 
> If there is no compat output, config->compat_output is -1 and xf86CompatOutput
> reads before the beginning of the outputs array.
> 
>  Invalid read of size 8
>     at 0x4DB892: xf86CompatOutput (xf86Crtc.h:734)
>     by 0x4E285D: xf86OutputSetEDID (xf86Crtc.c:2986)
>     by 0x862200F: intel_output_attach_edid (intel_display.c:895)
>     by 0x86222A5: intel_output_get_modes (intel_display.c:955)
>     by 0x4DF296: xf86ProbeOutputModes (xf86Crtc.c:1586)
>     by 0x4E1349: xf86InitialConfiguration (xf86Crtc.c:2380)
>     by 0x8623F72: intel_mode_pre_init (intel_display.c:1788)
>     by 0x8626088: I830PreInit (intel_driver.c:625)
>     by 0x49873B: InitOutput (xf86Init.c:606)
>     by 0x4257B8: main (main.c:204)
>   Address 0x7955d88 is 8 bytes before a block of size 16 alloc'd
>     at 0x4C2C25E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
>     by 0x4DCD54: xf86OutputCreate (xf86Crtc.c:621)
>     by 0x862322F: intel_output_init (intel_display.c:1416)
>     by 0x8623F22: intel_mode_pre_init (intel_display.c:1780)
>     by 0x8626088: I830PreInit (intel_driver.c:625)
>     by 0x49873B: InitOutput (xf86Init.c:606)
>     by 0x4257B8: main (main.c:204)
> 
> Signed-off-by: Aaron Plattner <aplattner at nvidia.com>
> ---
>  hw/xfree86/modes/xf86Crtc.h | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
> index 802303f..1ac8485 100644
> --- a/hw/xfree86/modes/xf86Crtc.h
> +++ b/hw/xfree86/modes/xf86Crtc.h
> @@ -731,6 +731,8 @@ xf86CompatOutput(ScrnInfoPtr pScrn)
>  {
>      xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn);
>  

in patch 3/3 you use

        if (config->compat_output >= 0
            && config->compat_output < config->num_output) {

maybe you should do the same here. Just make it the same.

re,
 wh

> +    if (config->compat_output < 0)
> +        return NULL;
>      return config->output[config->compat_output];
>  }
>  
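Review bot: the guard added here, `if (config->compat_output < 0)`, only rejects the -1 sentinel; an index at or past config->num_output still reaches `return config->output[config->compat_output];` and reads beyond the end of the output[] block, the mirror image of the "8 bytes before a block of size 16" read in the report. Patch 3/3 already tests `config->compat_output >= 0 && config->compat_output < config->num_output`; use the same two-sided test in this inline accessor so both places agree. Note also that every caller of xf86CompatOutput() must now cope with a NULL return; the trace shows xf86OutputSetEDID (xf86Crtc.c:2986) as one such caller, and this hunk does not touch it, so the commit message should say where that caller is fixed.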

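To make the review point concrete, here is an added example in C that is not part of the posted patch or of the X server code. It models the situation from the commit message and the valgrind trace with cut-down stand-in types (assumptions: `crtc_config`, `output_create`, `compat_output_checked` and the other names are invented for this example; the real xf86CrtcConfigRec and xf86OutputRec have many more fields). The unchecked accessor sits beside one that applies the two-sided bound walter harms points at in patch 3/3, and a short driver walks the states of initial configuration: no outputs and compat_output == -1, two outputs with a valid index, and a stale index equal to num_output.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for xf86CrtcConfigRec / xf86OutputRec (assumption: reduced to the
 * fields the accessor touches; the real structs and names differ). */
typedef struct {
    char name[32];
} output_rec, *output_ptr;

typedef struct {
    int num_output;         /* number of valid slots in output[] */
    output_ptr *output;     /* grown by realloc, one pointer per output */
    int compat_output;      /* -1 until the compat output has been chosen */
} crtc_config;

/* Initial state from the commit message: compat_output preset to -1, no outputs. */
static void config_init(crtc_config *config)
{
    config->num_output = 0;
    config->output = NULL;
    config->compat_output = -1;
}

static void config_destroy(crtc_config *config)
{
    for (int i = 0; i < config->num_output; i++)
        free(config->output[i]);
    free(config->output);
    config_init(config);
}

/* Same growth pattern as the xf86OutputCreate frame in the trace: realloc the
 * pointer array by one slot and append. Returns NULL on allocation failure. */
static output_ptr output_create(crtc_config *config, const char *name)
{
    output_ptr out = calloc(1, sizeof *out);
    if (!out)
        return NULL;
    snprintf(out->name, sizeof out->name, "%s", name);

    output_ptr *grown = realloc(config->output,
                                (size_t)(config->num_output + 1) * sizeof *grown);
    if (!grown) {
        free(out);
        return NULL;
    }
    config->output = grown;
    config->output[config->num_output++] = out;
    return out;
}

/* Two-sided bound as in patch 3/3: a lone "< 0" test stops the read before
 * the array but not a read past its end. */
static int compat_index_is_valid(int compat_output, int num_output)
{
    return compat_output >= 0 && compat_output < num_output;
}

/* Accessor before the patch: index -1 reads the pointer-sized slot in front of
 * the block ("8 bytes before a block of size 16"). Only called below once
 * compat_index_is_valid() holds; kept to show the contrast. */
static output_ptr compat_output_unchecked(const crtc_config *config)
{
    return config->output[config->compat_output];
}

/* Hardened accessor: NULL whenever the index does not address a live slot. */
static output_ptr compat_output_checked(const crtc_config *config)
{
    if (!compat_index_is_valid(config->compat_output, config->num_output))
        return NULL;
    return config->output[config->compat_output];
}

/* Walk the states of initial configuration and count those the checked
 * accessor handles correctly. Returns 3 on success. */
static int run_initial_configuration(void)
{
    crtc_config config;
    int ok = 0;
    config_init(&config);

    /* 1. Nothing probed yet, compat_output == -1: NULL, not output[-1]. */
    if (compat_output_checked(&config) == NULL)
        ok++;

    /* 2. Two outputs (the 16-byte block of two pointers in the trace), index 0
     *    chosen: both accessors agree. Names are constructed sample data. */
    output_ptr a = output_create(&config, "LVDS1");
    output_ptr b = output_create(&config, "VGA1");
    config.compat_output = 0;
    if (a && b && compat_output_checked(&config) == a &&
        compat_output_unchecked(&config) == a)
        ok++;

    /* 3. Stale index equal to num_output: "< 0" alone would read output[2]. */
    config.compat_output = config.num_output;
    if (compat_output_checked(&config) == NULL)
        ok++;

    config_destroy(&config);
    return ok;
}

int main(void)
{
    int ok = run_initial_configuration();
    printf("%d of 3 states handled\n", ok);
    return ok == 3 ? 0 : 1;
}
```

State 3 is the one the posted hunk does not cover: its `< 0` test lets an index of num_output through, and only the upper bound in `compat_index_is_valid()` turns that into a NULL return.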