[PATCH:libXrandr] XRRGetProviderInfo returned bad associated_capability list in 64-bit

Dave Airlie airlied at gmail.com
Sun Jun 30 20:37:05 PDT 2013 

On Mon, Jul 1, 2013 at 10:03 AM, Alan Coopersmith
<alan.coopersmith at oracle.com> wrote:
> Unlike most of the values returned by this function, which are arrays
> of XIDs (long int), associated_capability is defined as an array of
> unsigned int.   _XRead32 reads 32-bit values from the wire protocol
> and writes them to the provided buffer as an array of long ints, even
> if that means expanding them from 32-bit to 64-bit.   Doing that for
> associated_capability resulted in a garbage value between each actual
> value, and overflowing the provided buffer into the space for the
> provider name (which is written later and would overwrite the overflowed
> data).
>
> Created xhiv libXrandr/XRRGetProviderInfo test case to test & confirm.

Reviewed-by: Dave Airlie <airlied at redhat.com>

Protocol handling is just all a trap waiting to screw you.

Dave.

>
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
>  src/XrrProvider.c |   11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/src/XrrProvider.c b/src/XrrProvider.c
> index 309e321..014ddd9 100644
> --- a/src/XrrProvider.c
> +++ b/src/XrrProvider.c
> @@ -156,7 +156,16 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
>      _XRead32(dpy, xpi->outputs, rep.nOutputs << 2);
>
>      _XRead32(dpy, xpi->associated_providers, rep.nAssociatedProviders << 2);
> -    _XRead32(dpy, xpi->associated_capability, rep.nAssociatedProviders << 2);
> +
> +    /*
> +     * _XRead32 reads a series of 32-bit values from the protocol and writes
> +     * them out as a series of "long int" values, but associated_capability
> +     * is defined as unsigned int *, so that won't work for this array.
> +     * Instead we assume for now that "unsigned int" is also 32-bits, so
> +     * the values can be read without any conversion.
> +     */
> +    _XRead(dpy, (char *) xpi->associated_capability,
> +           rep.nAssociatedProviders << 2);
>
>      _XReadPad(dpy, xpi->name, rep.nameLength);
>      xpi->name[rep.nameLength] = '\0';
> --
> 1.7.9.2
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel

More information about the xorg-devel mailing list