[Mesa-dev] [Bug 93667] Crash in eglCreateImageKHR with huge texture size

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Mon Jan 11 04:26:23 PST 2016 

https://bugs.freedesktop.org/show_bug.cgi?id=93667

            Bug ID: 93667
           Summary: Crash in eglCreateImageKHR with huge texture size
           Product: Mesa
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: EGL
          Assignee: mesa-dev at lists.freedesktop.org
          Reporter: fabian at ritter-vogt.de
        QA Contact: mesa-dev at lists.freedesktop.org

I couldn't select 11.1 as version, so I used "unspecified".

Originally reported as bug in KWin: https://bugs.kde.org/show_bug.cgi?id=357754

"I accidentially set QT_DEVICE_PIXEL_RATIO=100 when opening a Qt application
that uses OpenGL and kwin_x11 crashes repoducably with the following backtrace
until I kill the application:

#5  <signal handler called>
#6  dri2_create_image_khr_pixmap (ctx=<optimized out>, attr_list=<optimized
out>, buffer=<optimized out>, disp=0x363b480) at
drivers/dri2/platform_x11.c:1051
#7  dri2_x11_create_image_khr (drv=<optimized out>, disp=0x363b480,
ctx=<optimized out>, target=<optimized out>, buffer=<optimized out>,
attr_list=<optimized out>) at drivers/dri2/platform_x11.c:1074
#8  0x00007fcc598c6279 in eglCreateImageKHR (dpy=0x363b480, ctx=0x0,
target=12464, buffer=0x7657a89, attr_list=0x7ffdd25b8db0) at main/eglapi.c:1331
#9  0x00007fcc6738fada in KWin::AbstractEglTexture::loadTexture
(this=0x4d8c670, pix=124091017, size=...) at
/usr/src/debug/kwin-5.5.2/abstract_egl_backend.cpp:312"

xcb_dri2_get_buffers_reply in dri2_create_image_khr_pixmap
(egl/drivers/dri2/platform_x11.c:1000) returns NULL,
but this is not detected and xcb_dri2_get_buffers_buffers (buffers_reply)
returns 0x20.
This passes the check against NULL and it crashes when accessing
buffers_reply->width in :1052.
I found multiple places where xcb_dri2_get_buffers_reply is used this way,
AFAICS they're all affected.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/mesa-dev/attachments/20160111/aa56a252/attachment.html>

More information about the mesa-dev mailing list