Bug 30159

Summary: hw/xfree86/vbe/vbe.c off-by-one error
Product: xorg Reporter: Chí-Thanh Christopher Nguyễn <chithanh>
Component: Server/GeneralAssignee: Adam Jackson <ajax>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium CC: frank.mehnert, robatino, tetromino
Version: unspecifiedKeywords: patch
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Bug Depends on:    
Bug Blocks: 27592    
Attachments:
Description Flags
xorg-server-1.9-fix-VbeModeInfoBlock-memcpy.patch none

Description Chí-Thanh Christopher Nguyễn 2010-09-13 01:53:15 UTC 
Created attachment 38667 [details] [review]
xorg-server-1.9-fix-VbeModeInfoBlock-memcpy.patch

Originally reported as https://bugs.gentoo.org/show_bug.cgi?id=337020

GCC since 4.5 produces a warning in hw/xfree86/vbe/vbe.c
---
In file included from /usr/include/string.h:642:0,
                 from vbe.c:16:
In function ‘memcpy’,
    inlined from ‘VBEGetModeInfo’ at vbe.c:589:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
In function ‘memcpy’,
    inlined from ‘VBEGetModeInfo’ at vbe.c:592:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
---
The cause is apparently an off-by-one error in vbe.c memcpy call. Attached patch was submitted in https://bugs.gentoo.org/show_bug.cgi?id=337020#c9 .
Comment 1 Alan Coopersmith 2010-09-13 07:30:43 UTC 
xorg-server patches are only applied after they are submitted to the
xorg-devel mailing list and reviewed there.   Please see the instructions
on http://www.x.org/wiki/Development/Documentation/SubmittingPatches
Comment 2 Alexandre Rostovtsev 2010-09-14 08:48:49 UTC 
(In reply to comment #1)

OK, I've submitted the patch by email: http://lists.x.org/archives/xorg-devel/2010-September/012920.html
Comment 3 Alan Coopersmith 2010-10-03 09:10:02 UTC 
*** Bug 30585 has been marked as a duplicate of this bug. ***
Comment 4 Alan Coopersmith 2010-10-03 09:13:02 UTC 
Comment on attachment 38667 [details] [review]
xorg-server-1.9-fix-VbeModeInfoBlock-memcpy.patch

ajax proposed a revised patch that simplifies the code to solve the problem:
http://lists.x.org/archives/xorg-devel/2010-September/013499.html
Comment 5 Frank Mehnert 2010-10-05 00:31:20 UTC 
Still not right! VbeModeInfoBlock has a length of 255 bytes not 256.
Comment 6 Frank Mehnert 2010-10-05 01:19:13 UTC 
I believe the correct fix is to change the structure definition to define reserved to have a size of 190 not 189 as the VBE spec defines 256 bytes of data.
Comment 7 Jesse Adkins 2010-10-05 16:06:36 UTC 
This was fixed in xserver master today. Closing.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.