[Spice-devel] [PATCH win-qxl] miniport: fix invalid memory access from previous patch
Marc-André Lureau
marcandre.lureau at gmail.com
Wed Aug 8 11:13:29 PDT 2012
The patch 253b781773190afef313390542f2d68995e302d7, which implements custom
display resolution, writes past the end of the modes_info allocation: it
allocates n_modes entries but then fills two extra dummy entries at
modes_info[n_modes] and modes_info[n_modes + 1].
Interestingly, the driver worked fine on Windows XP but BSODs on Win7.
---
miniport/qxl.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/miniport/qxl.c b/miniport/qxl.c
index 44c2a40..003669b 100644
--- a/miniport/qxl.c
+++ b/miniport/qxl.c
@@ -600,6 +600,7 @@ VP_STATUS InitModes(QXLExtension *dev)
return ERROR_INVALID_DATA;
}
+ n_modes += 2;
#if (WINVER < 0x0501) //Win2K
error = VideoPortAllocateBuffer(dev, n_modes * sizeof(VIDEO_MODE_INFORMATION), &modes_info);
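Review bot: `n_modes += 2;` silently turns the local into the allocation total while the loops later in InitModes index by `modes->n_modes`, so the whole fix rests on `n_modes == modes->n_modes + 2` holding from this line on, and nothing in the hunk says so. A comment at the increment would make that invariant visible: `n_modes += 2; /* 2 extra slots for the dummy custom-resolution modes; indices >= modes->n_modes are the dummies */`. The validation that returns ERROR_INVALID_DATA just above begins outside the hunk, so it cannot be seen here whether it bounds n_modes before `n_modes * sizeof(VIDEO_MODE_INFORMATION)` is computed; if the mode count is read from the device ROM, a sanity cap there is what keeps that multiplication from wrapping. InitModes starts before this hunk and continues after it.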
@@ -614,8 +615,8 @@ VP_STATUS InitModes(QXLExtension *dev)
return ERROR_NOT_ENOUGH_MEMORY;
}
#endif
- VideoPortZeroMemory(modes_info, sizeof(VIDEO_MODE_INFORMATION) * n_modes + 2);
- for (i = 0; i < n_modes; i++) {
+ VideoPortZeroMemory(modes_info, sizeof(VIDEO_MODE_INFORMATION) * n_modes);
+ for (i = 0; i < modes->n_modes; i++) {
error = SetVideoModeInfo(dev, &modes_info[i], &modes->modes[i]);
if (error != NO_ERROR) {
VideoPortFreePool(dev, modes_info);
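Review bot: The error path `VideoPortFreePool(dev, modes_info);` is unconditional, yet under `WINVER < 0x0501` the buffer appears to come from `VideoPortAllocateBuffer` (first hunk), whose release counterpart is `VideoPortReleaseBuffer`, not the pool free. That predates this patch and the `#else` branch is not fully visible, so confirm it rather than treat it as introduced here; if it holds, the release needs the same `#if` guard as the allocation. The loop now running to `modes->n_modes` while the allocation and zeroing use the local `n_modes` is correct only because the local was bumped by 2 beforehand; a `/* n_modes == modes->n_modes + 2, see the allocation above */` on the loop header would spare the reader that cross-check. InitModes extends beyond both ends of this hunk.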
@@ -627,13 +628,14 @@ VP_STATUS InitModes(QXLExtension *dev)
/* 2 dummy modes for custom display resolution */
/* This is necessary to bypass Windows mode index check, that
would prevent reusing the same index */
- dev->custom_mode = n_modes;
- memcpy(&modes_info[n_modes], &modes_info[0], sizeof(VIDEO_MODE_INFORMATION));
- modes_info[n_modes].ModeIndex = n_modes;
- memcpy(&modes_info[n_modes + 1], &modes_info[0], sizeof(VIDEO_MODE_INFORMATION));
- modes_info[n_modes + 1].ModeIndex = n_modes + 1;
+ dev->custom_mode = modes->n_modes;
- dev->n_modes = n_modes + 2;
+ for (i = dev->custom_mode; i <= dev->custom_mode + 1; ++i) {
+ memcpy(&modes_info[i], &modes_info[0], sizeof(VIDEO_MODE_INFORMATION));
+ modes_info[i].ModeIndex = i;
+ }
+
+ dev->n_modes = n_modes;
dev->modes = modes_info;
DEBUG_PRINT((dev, 0, "%s OK\n", __FUNCTION__));
return NO_ERROR;
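Review bot: The bound `i <= dev->custom_mode + 1` re-encodes the "two dummy slots" constant that the allocation already fixed through `n_modes += 2`, so the two can drift apart independently; writing the loop against the allocated count, `for (i = dev->custom_mode; i < n_modes; ++i) {`, ties the dummy writes to the buffer size and drops the `<=` off-by-one trap. The copies read `modes_info[0]`, which is a real mode only when `modes->n_modes >= 1`; whether the ERROR_INVALID_DATA check earlier in InitModes guarantees that is outside the hunk, though the entry was zeroed beforehand so the copy stays in bounds either way. InitModes starts before this hunk.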
--
1.7.10.4