[PATCH xserver 0/2] glamor: avoid overflow and crash with largepixmap
Olivier Fourdan
ofourdan at redhat.com
Tue Jul 25 07:48:38 UTC 2017
Hi all,

There are a few (rare) occurrences of a crash in glamor with largepixmap(), and
I traced it back to an overflow in glamor_compute_transform_clipped_regions()
when copying the box32 back into a box16.

The following two (trivial) patches do two things:

1. Make sure the values do not overflow when copying back to box16.
   Another possibility would be to use a pixman_region32_t but I suspect
   this would be a more intrusive change, a decision that I would rather
   leave to glamor maintainers. Meanwhile this patch is enough to avoid
   the crash in the Xserver.

2. COMPOSITE_REGION() is a macro that can pass NULL as the source pixmap,
   but the glamor_composite_clipped_region() won't handle that well at all;
   simply check that source is not NULL in glamor_composite_clipped_region().
   That one is not required if we have the overflow check in place, but
   logically, if the macro can substitute an argument with NULL to the
   function being called, I reckon it makes sense to check that the given
   argument is not NULL in the callee.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894

Cheers,
Olivier

Olivier Fourdan (2):
  glamor: handle NULL source pixmap
  glamor: Avoid overflow between box32 and box16 box

 glamor/glamor_largepixmap.c | 11 ++++++-----
 glamor/glamor_render.c      |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

--
2.13.3
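
The box32-to-box16 narrowing issue described in the cover letter, as an added illustration that is not code from this patch series or from glamor: it compares a plain cast with a saturating copy for a coordinate beyond the int16_t range. The struct and function names and the sample box are made up for this example, and the actual patch may bound the values differently.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for 32-bit and 16-bit boxes (constructed for this example). */
typedef struct { int32_t x1, y1, x2, y2; } box32;
typedef struct { int16_t x1, y1, x2, y2; } box16;

/* Plain narrowing cast: implementation-defined for out-of-range values,
 * and on mainstream compilers it keeps only the low 16 bits. */
static int16_t narrow_wrap(int32_t v) { return (int16_t)v; }

/* Saturating narrowing: out-of-range values stick to the int16_t limits. */
static int16_t narrow_clamp(int32_t v)
{
    if (v > INT16_MAX) return INT16_MAX;
    if (v < INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

static box16 box32_to_box16_wrap(box32 b)
{
    box16 r = { narrow_wrap(b.x1), narrow_wrap(b.y1),
                narrow_wrap(b.x2), narrow_wrap(b.y2) };
    return r;
}

static box16 box32_to_box16_clamp(box32 b)
{
    box16 r = { narrow_clamp(b.x1), narrow_clamp(b.y1),
                narrow_clamp(b.x2), narrow_clamp(b.y2) };
    return r;
}

/* A box is usable only if it has positive width and height. */
static int box16_is_valid(box16 b) { return b.x1 < b.x2 && b.y1 < b.y2; }

int main(void)
{
    box32 big = { 100, 0, 40000, 300 };  /* constructed: x2 exceeds INT16_MAX */
    box16 w = box32_to_box16_wrap(big);
    box16 c = box32_to_box16_clamp(big);

    printf("wrap : x1=%d x2=%d valid=%d\n", w.x1, w.x2, box16_is_valid(w));
    printf("clamp: x1=%d x2=%d valid=%d\n", c.x1, c.x2, box16_is_valid(c));
    return 0;
}
```

With the plain cast the right edge ends up left of the left edge, so any code that later derives a width from the box gets a negative size; the saturating copy keeps the box well-formed.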