[PATCH xserver v2 2/2] glamor: Avoid overflow between box32 and box16 box

Olivier Fourdan ofourdan at redhat.com
Wed Jul 26 07:51:04 UTC 2017


glamor_compute_transform_clipped_regions() uses a temporary box32
internally which is copied back to a box16 to init the regions16,
thus causing a potential overflow.

If an overflow occurs, the given region is invalid and the pixmap
init region will fail.

Simply check that the coordinates won't overflow when copying back to
the box16, avoiding a crash later down the line in glamor.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
---
 v2: Make sure we have (x1,y1) < (x2,y2) in case of overflow to avoid an
     empty region.

 glamor/glamor_largepixmap.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/glamor/glamor_largepixmap.c b/glamor/glamor_largepixmap.c
index ebfdc9537..cb876669a 100644
--- a/glamor/glamor_largepixmap.c
+++ b/glamor/glamor_largepixmap.c
@@ -1,4 +1,5 @@
 #include <stdlib.h>
+#include <stdint.h> /* For INT16_MAX */
 
 #include "glamor_priv.h"
 
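Review bot: The new include is correct, since INT16_MAX is what the clamps in the second hunk rely on, but the trailing comment "/* For INT16_MAX */" would be more useful if it also named the type the clamp protects (the box16 short fields), so a later reader does not drop the include as unused once the constant moves.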
@@ -722,11 +723,11 @@ glamor_compute_transform_clipped_regions(PixmapPtr pixmap,
         temp_box.x2 = MIN(temp_box.x2, pixmap->drawable.width);
         temp_box.y2 = MIN(temp_box.y2, pixmap->drawable.height);
     }
-    /* Now copy back the box32 to a box16 box. */
-    short_box.x1 = temp_box.x1;
-    short_box.y1 = temp_box.y1;
-    short_box.x2 = temp_box.x2;
-    short_box.y2 = temp_box.y2;
+    /* Now copy back the box32 to a box16 box, avoiding overflow. */
+    short_box.x1 = MIN(temp_box.x1, INT16_MAX - 1);
+    short_box.y1 = MIN(temp_box.y1, INT16_MAX - 1);
+    short_box.x2 = MIN(temp_box.x2, INT16_MAX);
+    short_box.y2 = MIN(temp_box.y2, INT16_MAX);
     RegionInitBoxes(temp_region, &short_box, 1);
     DEBUGF("copy to temp source region \n");
     DEBUGRegionPrint(temp_region);
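Review bot: The clamp only bounds the upper end of the range, so a temp_box coordinate below INT16_MIN would still wrap when assigned to the short_box field; if the preceding clipping does not already guarantee non-negative x1/y1 (only the MIN against drawable.width/height for x2/y2 is visible here), a matching MAX(…, INT16_MIN) on each field, or a one-line comment stating that x1/y1 are already clipped to >= 0, would make the invariant explicit. The asymmetric limits (INT16_MAX - 1 for x1/y1, INT16_MAX for x2/y2) do preserve x1 < x2 and y1 < y2 when both saturate, as the v2 note says, but a short comment on the two lines explaining why the bounds differ would spare the next reader from treating it as a typo.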
-- 
2.13.3