[Nouveau] [Bug 63263] X server crash in nouveau_xv.c:NVPutImage (NVCopyNV12ColorPlanes)

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Apr 10 17:00:26 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=63263

--- Comment #2 from Ilia Mirkin <imirkin at alum.mit.edu> ---
A little more info:

I added code to call NVQueryImageAttributes inside of NVPutImage, compute an
end pointer (buf + size), and then check inside of NVCopyNV12ColorPlanes at the
end of every loop iteration whether either us or vs have gone off the end.

And it seems like they do! When I move the mplayer window s.t. part of it is
off-screen (on the left), the code ends up accessing 2 bytes further than the
end of the array! There happens to be another mapping afterwards which means
that there's no segfault, but if that mapping isn't there, a segfault would
have occurred.

Now, it only ever goes over by 1-3 bytes, never more. One thing that I noticed
is that we pass in line_len to NVCopyNV12ColorPlanes as the width (which is
rounded up to 8 on NV_50 and up) rather than npixels (which is rounded up to
4). I also wonder if there's some issue in how left is computed (and then
applied to the s2/3 offsets)...

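The end-of-buffer check described in the comment above, as an added example that is not the nouveau driver's code and not a diagnosis of this bug: a U/V interleave loop that compares every source offset against the buffer size and reports how far an unchecked copy would have read past the end. The frame dimensions, the `left` value, and the names `copy_uv_checked`, `overrun_for` and `round_up` are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed planar frame (sizes are assumptions, not the driver's):
 * 24x4 luma, then a 12x2 V plane, then a 12x2 U plane, tightly packed. */
enum { LUMA = 24 * 4, C_PITCH = 12, C_ROWS = 2,
       V_OFF = LUMA, U_OFF = V_OFF + C_PITCH * C_ROWS,
       FRAME_SIZE = U_OFF + C_PITCH * C_ROWS };

static size_t round_up(size_t n, size_t align) { return (n + align - 1) / align * align; }

/* Interleave U/V into dst (NV12-style), checking each source offset against
 * size. Returns the furthest distance past the end that an unchecked copy
 * would have read (0 means every read was in bounds). */
static size_t copy_uv_checked(uint8_t *dst, const uint8_t *buf, size_t size,
                              size_t u_off, size_t v_off, size_t pitch,
                              size_t w, size_t h)
{
    size_t over = 0;
    for (size_t j = 0; j < h; j++) {
        for (size_t i = 0; i < w; i++) {
            size_t uo = u_off + j * pitch + i, vo = v_off + j * pitch + i;
            size_t hi = uo > vo ? uo : vo;
            if (hi >= size) {                    /* would read past buf + size */
                if (hi - size + 1 > over) over = hi - size + 1;
                continue;                        /* skip the out-of-bounds read */
            }
            dst[2 * (j * w + i)]     = buf[uo];
            dst[2 * (j * w + i) + 1] = buf[vo];
        }
    }
    return over;
}

/* Copy w chroma samples per row, starting left samples into each row. */
static size_t overrun_for(size_t left, size_t w)
{
    static uint8_t frame[FRAME_SIZE], dst[2 * 16 * C_ROWS];  /* w <= 16 */
    return copy_uv_checked(dst, frame, sizeof frame, U_OFF + left,
                           V_OFF + left, C_PITCH, w, C_ROWS);
}

int main(void)
{
    size_t left = 2, visible = C_PITCH - left;   /* 10 samples remain visible */
    size_t widths[] = { visible, round_up(visible, 4), round_up(visible, 8) };
    for (int k = 0; k < 3; k++)
        printf("width %zu: %zu byte(s) past end\n", widths[k], overrun_for(left, widths[k]));
}
```

In this constructed layout the exact width stays in bounds, while a width rounded up after the left offset is applied runs past the last plane on its final row.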