[PATCH xserver 0/2] glamor: avoid overflow and crash with largepixmap

Olivier Fourdan ofourdan at redhat.com
Tue Jul 25 07:48:38 UTC 2017


Hi all,

There are a few (rare) occurrences of a crash in glamor with largepixmap(), and
I traced it back to an overflow in glamor_compute_transform_clipped_regions()
when copying the box32 back into a box16.

The following two (trivial) patches do two things:

 1. Make sure the values do not overflow when copying back to box16.
    Another possibility would be to use a pixman_region32_t but I suspect
    this would be a more intrusive change, a decision that I would rather
    leave to glamor maintainers. Meanwhile this patch is enough to avoid
    the crash in the Xserver.

 2. COMPOSITE_REGION() is a macro that can pass NULL as the source pixmap,
    but the glamor_composite_clipped_region() won't handle that well at all,
    simply check that source is not NULL in glamor_composite_clipped_region().
    That one is not required if we have the overflow check in place, but
    logically if the macro can substitute an argument with NULL to the
    function being called, I reckon it makes sense to check that the given
    argument is not NULL in the callee.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894

Cheers,
Olivier

Olivier Fourdan (2):
  glamor: handle NULL source pixmap
  glamor: Avoid overflow between box32 and box16 box

 glamor/glamor_largepixmap.c | 11 ++++++-----
 glamor/glamor_render.c      |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

-- 
2.13.3
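
The box32-to-box16 copy described in item 1, as an added example that is not code from these patches or from glamor: it contrasts an unchecked narrowing with one that saturates each coordinate to the int16 range. The struct and function names and the sample box are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for a 32-bit and a 16-bit box (hypothetical names). */
struct box32 { int32_t x1, y1, x2, y2; };
struct box16 { int16_t x1, y1, x2, y2; };

/* Unchecked copy: an out-of-range value is converted in an
 * implementation-defined way (gcc and clang keep the low 16 bits). */
static struct box16 narrow_unchecked(struct box32 b)
{
    struct box16 r = { (int16_t)b.x1, (int16_t)b.y1,
                       (int16_t)b.x2, (int16_t)b.y2 };
    return r;
}

/* Saturate one coordinate to what an int16_t can hold. */
static int16_t clamp16(int32_t v)
{
    if (v > INT16_MAX) return INT16_MAX;
    if (v < INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

/* Checked copy: every coordinate is clamped before narrowing. */
static struct box16 narrow_clamped(struct box32 b)
{
    struct box16 r = { clamp16(b.x1), clamp16(b.y1),
                       clamp16(b.x2), clamp16(b.y2) };
    return r;
}

/* A box is usable only if its corners are still in order. */
static int box16_is_well_formed(struct box16 b)
{
    return b.x1 <= b.x2 && b.y1 <= b.y2;
}

int main(void)
{
    /* Constructed sample: a box wider than INT16_MAX (32767). */
    struct box32 wide = { 0, 0, 40000, 100 };
    struct box16 u = narrow_unchecked(wide);
    struct box16 c = narrow_clamped(wide);

    printf("unchecked: x1=%d x2=%d well_formed=%d\n", u.x1, u.x2, box16_is_well_formed(u));
    printf("clamped:   x1=%d x2=%d well_formed=%d\n", c.x1, c.x2, box16_is_well_formed(c));
    return 0;
}
```

With the unchecked copy the right edge ends up left of the left edge, so later code that derives a width or an offset from the box works with a negative extent.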


