[PATCH V2] Do not assume 64x64 cursor, added support for other sizes (like in AMD Kaveri, 128x128).
Hardening
rdp.effort at gmail.com
Wed Jul 2 02:45:57 PDT 2014
On 25/06/2014 16:09, Alvaro Fernando García wrote:
> Init cursor size to 64x64 if drmGetCap() fails.
>
> Use Mesa GBM_BO_USE_CURSOR define (which removes 64x64 restriction)
>
> Signed-off-by: Alvaro Fernando García <alvarofernandogarcia at gmail.com>
> ---
> src/compositor-drm.c | 43 ++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 36 insertions(+), 7 deletions(-)
>
> diff --git a/src/compositor-drm.c b/src/compositor-drm.c
> index 7d514e4..61ddea1 100644
> --- a/src/compositor-drm.c
> +++ b/src/compositor-drm.c
> @@ -55,6 +55,14 @@
> #define DRM_CAP_TIMESTAMP_MONOTONIC 0x6
> #endif
>
> +#ifndef DRM_CAP_CURSOR_WIDTH
> +#define DRM_CAP_CURSOR_WIDTH 0x8
> +#endif
> +
> +#ifndef DRM_CAP_CURSOR_HEIGHT
> +#define DRM_CAP_CURSOR_HEIGHT 0x9
> +#endif
> +
> static int option_current_mode = 0;
>
> enum output_config {
> @@ -108,6 +116,9 @@ struct drm_compositor {
>
> clockid_t clock;
> struct udev_input input;
> +
> + uint32_t cursor_width;
> + uint32_t cursor_height;
> };
>
> struct drm_mode {
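Review bot: the new cursor_width and cursor_height members of struct drm_compositor carry no comment on where they are set or what range they may hold. Since drm_output_set_cursor() later uses them to size a buffer, document the invariant here (non-zero, bounded, 64x64 when drmGetCap() fails, per the commit message) so that every writer of these fields is held to it.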
> @@ -987,7 +998,7 @@ drm_output_set_cursor(struct drm_output *output)
> (struct drm_compositor *) output->base.compositor;
> EGLint handle, stride;
> struct gbm_bo *bo;
> - uint32_t buf[64 * 64];
> + uint32_t buf[c->cursor_width * c->cursor_height];
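Review bot: nothing visible in this patch bounds c->cursor_width or c->cursor_height before they size the on-stack buf array in drm_output_set_cursor(), so a large reported value can exhaust the stack, and the product of the two uint32_t fields is computed in 32 bits and can wrap to a small size. Suggest range-checking both values at the point where they are read from drmGetCap(), using the 64x64 fallback for anything out of range, or allocating the buffer on the heap with a checked size instead of a variable-length array.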
I didn't check, just asking:
are we sure that cursor_width and cursor_height are controlled values?
Because if they're coming from the user without checks, we could have a
nice stack or int overflow here.
Regards
--
David FORT
website: http://www.hardening-consulting.com/
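
The concern raised in the reply above, as an added example that is not part of the original thread or of Weston's code: one way to range-check the reported cursor dimensions and size the pixel buffer on the heap rather than in a variable-length array. CURSOR_DIM_MAX, cursor_dim_sanitize() and cursor_buf_alloc() are hypothetical names, and the 512 limit is an assumed bound.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for this example; not a value taken from the patch. */
#define CURSOR_DIM_MAX     512u
/* Fallback size named in the commit message. */
#define CURSOR_DIM_DEFAULT 64u

/* Hypothetical helper: turn a capability query result into a trusted
 * dimension. libdrm's drmGetCap() reports the value through a uint64_t,
 * so it is range-checked before it is narrowed to 32 bits. */
static uint32_t
cursor_dim_sanitize(int query_ret, uint64_t raw)
{
	if (query_ret != 0 || raw == 0 || raw > CURSOR_DIM_MAX)
		return CURSOR_DIM_DEFAULT;
	return (uint32_t) raw;
}

/* Hypothetical helper: zeroed ARGB pixel buffer on the heap instead of a
 * variable-length array. Returns NULL on bad dimensions or failed allocation. */
static uint32_t *
cursor_buf_alloc(uint32_t width, uint32_t height, size_t *out_pixels)
{
	if (width == 0 || height == 0 ||
	    width > CURSOR_DIM_MAX || height > CURSOR_DIM_MAX)
		return NULL;
	/* Defense in depth: reject a pixel count whose byte size would wrap. */
	if ((size_t) width > SIZE_MAX / sizeof(uint32_t) / height)
		return NULL;
	*out_pixels = (size_t) width * height;
	return calloc(*out_pixels, sizeof(uint32_t));
}

int
main(void)
{
	/* Constructed inputs: a 128x128 report and an out-of-range one. */
	uint32_t w = cursor_dim_sanitize(0, 128);
	uint32_t h = cursor_dim_sanitize(0, UINT64_C(0x100000080));
	size_t n = 0;
	uint32_t *buf = cursor_buf_alloc(w, h, &n);

	if (!buf)
		return 1;
	printf("%ux%u -> %zu pixels\n", (unsigned) w, (unsigned) h, n);
	free(buf);
	return 0;
}
```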