From cfd9a6bdb0a9207a61be240bb2e8405fed533e17 Mon Sep 17 00:00:00 2001
From: Ilia Mirkin
Date: Fri, 3 May 2013 09:39:59 -0400
Subject: [PATCH] nouveau_xv: Avoid reading off the end of the source image on NV50+
The 'w' argument to NVCopyNV12ColorPlanes is used to index into the source image. line_len is rounded up to 8 on NV50+, so if the source image (+ left offset) is not rounded to 8, NVCopyNV12ColorPlanes could read past the end of the array and crash X. This change can cause the last few horizontal pixels of dst to not be initialized, but they should be truncated by the renderer anyways. See https://bugs.freedesktop.org/show_bug.cgi?id=63263
Signed-off-by: Ilia Mirkin
---
I've been running with this patch (+ some extra debug info) for a while and haven't seen any ill effects in Xv rendering. The debugging info I had added suggests that the overruns are gone when the image is dragged partially off the screen on the left.
 src/nouveau_xv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/nouveau_xv.c b/src/nouveau_xv.c
index f7dc2bc..8eafcf0 100644
--- a/src/nouveau_xv.c
+++ b/src/nouveau_xv.c
@@ -1095,7 +1095,7 @@ NVPutImage(ScrnInfoPtr pScrn, short src_x, short src_y, short drw_x,
 NVCopyNV12ColorPlanes(buf + s2offset, buf + s3offset, dst, line_len, srcPitch2,
- nlines, line_len);
+ nlines, npixels);
 }
 } else {
 for (i = 0; i < nlines; i++) {
@@ -1161,7 +1161,7 @@ CPU_copy:
 NVCopyNV12ColorPlanes(buf + s2offset, buf + s3offset, map, dstPitch, srcPitch2,
- nlines, line_len);
+ nlines, npixels);
 }
 } else {
 /* YUY2 and RGB */
--
1.8.1.5
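Review bot: Both `NVCopyNV12ColorPlanes` calls now pass a width (`npixels`) that differs from what appears to be the destination pitch (`line_len` in the first hunk, `dstPitch` in the second), and nothing at either call site says why, so a later cleanup could restore the over-read. A comment above each call such as `/* w must be npixels: line_len is rounded up on NV50+ and would index past the end of the source planes */` would pin that down. As the commit message notes, the bytes of each destination row beyond `npixels` are no longer written; if the renderer can ever sample them they would show stale buffer contents, so it is worth confirming the truncation or zero-filling the tail. The `for (i = 0; i < nlines; i++)` and `/* YUY2 and RGB */` branches continue outside these hunks and should be checked for the same use of the rounded `line_len` as a source width.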