xserver: Branch 'master' - 2 commits
Adam Jackson
ajax at kemper.freedesktop.org
Wed Sep 13 15:05:10 UTC 2017
glamor/glamor_largepixmap.c | 11 ++++++-----
glamor/glamor_render.c | 5 +++--
2 files changed, 9 insertions(+), 7 deletions(-)
New commits:
commit 9869dcb349b49f6d4cc2fab5d927cd8b1d1f463c
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Wed Jul 26 16:00:38 2017 +0200
glamor: Avoid overflow between box32 and box16 box
glamor_compute_transform_clipped_regions() uses a temporary box32
internally which is copied back to a box16 to init the regions16,
thus causing a potential overflow.
If an overflow occurs, the given region is invalid and the pixmap
init region will fail.
Simply check that the coordinates won't overflow when copying back to
the box16, avoiding a crash later down the line in glamor.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Tested-by: Fabrice Bellet <fabrice at bellet.info>
Reviewed-by: Adam Jackson <ajax at redhat.com>
diff --git a/glamor/glamor_largepixmap.c b/glamor/glamor_largepixmap.c
index ebfdc9537..f9adb93bc 100644
--- a/glamor/glamor_largepixmap.c
+++ b/glamor/glamor_largepixmap.c
@@ -1,4 +1,5 @@
#include <stdlib.h>
+#include <stdint.h> /* For INT16_MAX */
#include "glamor_priv.h"
@@ -722,11 +723,11 @@ glamor_compute_transform_clipped_regions(PixmapPtr pixmap,
temp_box.x2 = MIN(temp_box.x2, pixmap->drawable.width);
temp_box.y2 = MIN(temp_box.y2, pixmap->drawable.height);
}
- /* Now copy back the box32 to a box16 box. */
- short_box.x1 = temp_box.x1;
- short_box.y1 = temp_box.y1;
- short_box.x2 = temp_box.x2;
- short_box.y2 = temp_box.y2;
+ /* Now copy back the box32 to a box16 box, avoiding overflow. */
+ short_box.x1 = MIN(temp_box.x1, INT16_MAX);
+ short_box.y1 = MIN(temp_box.y1, INT16_MAX);
+ short_box.x2 = MIN(temp_box.x2, INT16_MAX);
+ short_box.y2 = MIN(temp_box.y2, INT16_MAX);
RegionInitBoxes(temp_region, &short_box, 1);
DEBUGF("copy to temp source region \n");
DEBUGRegionPrint(temp_region);
commit bd353e9b84e013fc34ed730319d5b63d20977903
Author: Olivier Fourdan <ofourdan at redhat.com>
Date: Wed Jul 26 16:00:37 2017 +0200
glamor: handle NULL source picture
COMPOSITE_REGION() can pass NULL as a source picture, make sure we
handle that nicely in both glamor_composite_clipped_region() and
glamor_composite_choose_shader().
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
Reviewed-by: Adam Jackson <ajax at redhat.com>
diff --git a/glamor/glamor_render.c b/glamor/glamor_render.c
index 3f982a2d2..3e126f0f2 100644
--- a/glamor/glamor_render.c
+++ b/glamor/glamor_render.c
@@ -992,7 +992,7 @@ glamor_composite_choose_shader(CARD8 op,
goto fail;
}
} else {
- if (!glamor_render_format_is_supported(source->format)) {
+ if (source && !glamor_render_format_is_supported(source->format)) {
glamor_fallback("Unsupported source picture format.\n");
goto fail;
}
@@ -1436,7 +1436,8 @@ glamor_composite_clipped_region(CARD8 op,
x_source, y_source, x_mask, y_mask, x_dest, y_dest, width, height);
/* Is the composite operation equivalent to a copy? */
- if (!mask && !source->alphaMap && !dest->alphaMap
+ if (source &&
+ !mask && !source->alphaMap && !dest->alphaMap
&& source->pDrawable && !source->transform
/* CopyArea is only defined with matching depths. */
&& dest->pDrawable->depth == source->pDrawable->depth
More information about the xorg-commit
mailing list