[Spice-commits] miniport/qxl.c

[Marc-André Lureau]

 miniport/qxl.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

New commits:
commit 95c72c159db6d7a7ee202447c87feb8420e28408
Author: Marc-André Lureau <marcandre.lureau at gmail.com>
Date:   Wed Aug 8 19:14:05 2012 +0200

    miniport: fix invalid memory access from previous patch
    
    The patch 253b781773190afef313390542f2d68995e302d7 implementing custom
    display resolution is accessing unowned memory regions.
    
    Interestingly, the driver worked fine on Windows XP but BSOD on Win7.

diff --git a/miniport/qxl.c b/miniport/qxl.c
index 44c2a40..003669b 100644
--- a/miniport/qxl.c
+++ b/miniport/qxl.c
@@ -600,6 +600,7 @@ VP_STATUS InitModes(QXLExtension *dev)
         return ERROR_INVALID_DATA;
     }
 
+    n_modes += 2;
 #if (WINVER < 0x0501) //Win2K
     error = VideoPortAllocateBuffer(dev, n_modes * sizeof(VIDEO_MODE_INFORMATION), &modes_info);
 
@@ -614,8 +615,8 @@ VP_STATUS InitModes(QXLExtension *dev)
         return ERROR_NOT_ENOUGH_MEMORY;
     }
 #endif
-    VideoPortZeroMemory(modes_info, sizeof(VIDEO_MODE_INFORMATION) * n_modes + 2);
-    for (i = 0; i < n_modes; i++) {
+    VideoPortZeroMemory(modes_info, sizeof(VIDEO_MODE_INFORMATION) * n_modes);
+    for (i = 0; i < modes->n_modes; i++) {
         error = SetVideoModeInfo(dev, &modes_info[i], &modes->modes[i]);
         if (error != NO_ERROR) {
             VideoPortFreePool(dev, modes_info);
@@ -627,13 +628,14 @@ VP_STATUS InitModes(QXLExtension *dev)
     /* 2 dummy modes for custom display resolution */
     /* This is necessary to bypass Windows mode index check, that
        would prevent reusing the same index */
-    dev->custom_mode = n_modes;
-    memcpy(&modes_info[n_modes], &modes_info[0], sizeof(VIDEO_MODE_INFORMATION));
-    modes_info[n_modes].ModeIndex = n_modes;
-    memcpy(&modes_info[n_modes + 1], &modes_info[0], sizeof(VIDEO_MODE_INFORMATION));
-    modes_info[n_modes + 1].ModeIndex = n_modes + 1;
+    dev->custom_mode = modes->n_modes;
 
-    dev->n_modes = n_modes + 2;
+    for (i = dev->custom_mode; i <= dev->custom_mode + 1; ++i) {
+        memcpy(&modes_info[i], &modes_info[0], sizeof(VIDEO_MODE_INFORMATION));
+        modes_info[i].ModeIndex = i;
+    }
+
+    dev->n_modes = n_modes;
     dev->modes = modes_info;
     DEBUG_PRINT((dev, 0, "%s OK\n", __FUNCTION__));
     return NO_ERROR;