[Xcb] [Bug 79808] xcb_xv_query_adaptors accesses invalid memory due to xcb_xv_adaptor_info_sizeof returning non-aligned value

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Jun 8 16:00:55 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=79808

--- Comment #2 from Robert Ancell <robert.ancell at gmail.com> ---
Debugging shows it's the padding after the name that's not being taken into
account:

    <struct name="AdaptorInfo">
        <field type="PORT" name="base_id" />
        <field type="CARD16" name="name_size" />
        <field type="CARD16" name="num_ports" />
        <field type="CARD16" name="num_formats" />
        <field type="CARD8" name="type" mask="Type" />
        <pad bytes="1" />
        <list type="char" name="name">
            <fieldref>name_size</fieldref>
        </list>
        <list type="Format" name="formats">
            <fieldref>num_formats</fieldref>
        </list>
    </struct>

In xcb_xv_adaptor_info_sizeof () the logic is:
    /* name */
    xcb_block_len += _aux->name_size * sizeof(char);
    xcb_tmp += xcb_block_len;
    xcb_align_to = ALIGNOF(char);
    /* insert padding */
    xcb_pad = -xcb_block_len & (xcb_align_to - 1);
    xcb_buffer_len += xcb_block_len + xcb_pad;
    if (0 != xcb_pad) {
        xcb_tmp += xcb_pad;
        xcb_pad = 0;
    }
    xcb_block_len = 0;

But ALIGNOF(char) returns 1 so no padding is added.

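To make the consequence of the missing padding concrete, here is an added example in C. It is not libxcb's generated code and not part of the bug report: it re-implements the `_sizeof()` control flow quoted in the comment with the name-list alignment as a parameter, builds a constructed two-adaptor reply buffer, and walks it both ways the way an `_next()` iterator would. The function names (`adaptor_info_sizeof_buggy`, `adaptor_info_sizeof_fixed`, `build_sample_reply`, `walk_adaptors`) and the adaptor values are the example's own. The wire layout it assumes follows the Xv protocol: a 12-byte fixed part, the name padded to a 4-byte boundary (`p = pad(n)`), then 8-byte Format entries. Byte order is fixed to little-endian so the constructed buffer decodes the same on any host; real replies arrive in the client's native order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of Xv AdaptorInfo on the wire, matching the xv.xml struct
 * quoted in the comment: base_id(4) name_size(2) num_ports(2)
 * num_formats(2) type(1) pad(1) = 12 bytes. Then name[name_size],
 * then the Format list (VISUALID(4) + depth(1) + 3 pad = 8 bytes each). */
#define ADAPTOR_FIXED_SIZE 12
#define FORMAT_SIZE        8

/* Little-endian accessors (example's choice; see lead-in). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Same block/pad sequence as the generated _sizeof(): fixed fields, then
 * the name list padded to name_align, then the Format list padded to 4. */
static size_t adaptor_info_sizeof(const uint8_t *p, size_t name_align)
{
    size_t block_len = 0, buffer_len = 0, pad;
    uint16_t name_size   = rd16(p + 4);
    uint16_t num_formats = rd16(p + 8);

    block_len += ADAPTOR_FIXED_SIZE;            /* fixed fields */
    buffer_len += block_len;
    block_len = 0;

    block_len += name_size * sizeof(char);      /* name */
    pad = (0 - block_len) & (name_align - 1);   /* 0 whenever name_align == 1 */
    buffer_len += block_len + pad;
    block_len = 0;

    block_len += num_formats * FORMAT_SIZE;     /* formats */
    pad = (0 - block_len) & (4 - 1);
    buffer_len += block_len + pad;
    return buffer_len;
}

/* As generated: xcb_align_to = ALIGNOF(char) == 1, so no pad after the name. */
size_t adaptor_info_sizeof_buggy(const uint8_t *p) { return adaptor_info_sizeof(p, 1); }
/* Example's fix: pad the name to the protocol's 4-byte boundary. */
size_t adaptor_info_sizeof_fixed(const uint8_t *p) { return adaptor_info_sizeof(p, 4); }

/* Append one AdaptorInfo at buf; returns bytes written. Constructed data. */
static size_t put_adaptor(uint8_t *buf, uint32_t base_id, const char *name,
                          uint16_t num_ports, uint16_t num_formats)
{
    size_t n = strlen(name), off = ADAPTOR_FIXED_SIZE;
    wr32(buf + 0, base_id);
    wr16(buf + 4, (uint16_t)n);
    wr16(buf + 6, num_ports);
    wr16(buf + 8, num_formats);
    buf[10] = 1;                                /* type: arbitrary Type bits */
    buf[11] = 0;
    memcpy(buf + off, name, n);
    off += n;
    while (off % 4) buf[off++] = 0;             /* p = pad(n) */
    for (uint16_t i = 0; i < num_formats; i++) {
        wr32(buf + off, 0x21u + i);             /* visual */
        buf[off + 4] = 24;                      /* depth */
        memset(buf + off + 5, 0, 3);
        off += FORMAT_SIZE;
    }
    return off;
}

/* Two adaptors: a 5-char name (needs 3 pad bytes) followed by a 1-char name. */
size_t build_sample_reply(uint8_t *buf)
{
    size_t len = put_adaptor(buf, 0x40, "Vid-A", 1, 1);   /* 12+5+3+8  = 28 */
    len += put_adaptor(buf + len, 0x80, "B", 2, 2);       /* 12+1+3+16 = 32 */
    return len;                                           /* 60 */
}

/* Advance over `count` adaptors with the given sizeof, recording where each
 * one was read from. Returns the final offset; > len means the iterator has
 * walked past the reply, which is the invalid access in the bug report. */
size_t walk_adaptors(const uint8_t *buf, size_t len, unsigned count,
                     size_t (*sizeof_fn)(const uint8_t *), size_t *offsets)
{
    size_t off = 0;
    for (unsigned i = 0; i < count; i++) {
        if (off + ADAPTOR_FIXED_SIZE > len) break;  /* header itself unreadable */
        offsets[i] = off;
        off += sizeof_fn(buf + off);
    }
    return off;
}

int main(void)
{
    uint8_t buf[128];
    size_t offs[2], len = build_sample_reply(buf);
    size_t end_ok  = walk_adaptors(buf, len, 2, adaptor_info_sizeof_fixed, offs);
    printf("fixed: adaptor 2 at %zu, end %zu of %zu\n", offs[1], end_ok, len);
    size_t end_bad = walk_adaptors(buf, len, 2, adaptor_info_sizeof_buggy, offs);
    printf("buggy: adaptor 2 at %zu, end %zu of %zu\n", offs[1], end_bad, len);
    return 0;
}
```

With the 1-byte alignment the first adaptor measures 25 bytes instead of 28, so the second one is decoded 3 bytes early: its `base_id` field overlaps the previous Format's pad bytes, `name_size` comes out as 0 and `num_formats` as 512, and the computed end of the list is thousands of bytes beyond the 60-byte reply. Nothing in the generated iterator bounds-checks that, which is why `xcb_xv_query_adaptors` consumers read invalid memory.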