Bug 30159

Summary: hw/xfree86/vbe/vbe.c off-by-one error
Product: xorg
Reporter: Chí-Thanh Christopher Nguyễn <chithanh>
Component: Server/General
Assignee: Adam Jackson <ajax>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
CC: frank.mehnert, robatino, tetromino
Version: unspecified
Keywords: patch
Hardware: Other
OS: All
Bug Blocks: 27592
Attachment: xorg-server-1.9-fix-VbeModeInfoBlock-memcpy.patch (flags: none)

Description Chí-Thanh Christopher Nguyễn 2010-09-13 01:53:15 UTC
Created attachment 38667

Originally reported as https://bugs.gentoo.org/show_bug.cgi?id=337020

GCC since 4.5 produces a warning in hw/xfree86/vbe/vbe.c:
In file included from /usr/include/string.h:642:0,
                 from vbe.c:16:
In function ‘memcpy’,
    inlined from ‘VBEGetModeInfo’ at vbe.c:589:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
In function ‘memcpy’,
    inlined from ‘VBEGetModeInfo’ at vbe.c:592:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
The cause is apparently an off-by-one error in the vbe.c memcpy call. The attached patch was submitted in https://bugs.gentoo.org/show_bug.cgi?id=337020#c9.
Comment 1 Alan Coopersmith 2010-09-13 07:30:43 UTC
xorg-server patches are only applied after they are submitted to the
xorg-devel mailing list and reviewed there. Please see the instructions
on http://www.x.org/wiki/Development/Documentation/SubmittingPatches
Comment 2 Alexandre Rostovtsev 2010-09-14 08:48:49 UTC
(In reply to comment #1)

OK, I've submitted the patch by email: http://lists.x.org/archives/xorg-devel/2010-September/012920.html
Comment 3 Alan Coopersmith 2010-10-03 09:10:02 UTC
*** Bug 30585 has been marked as a duplicate of this bug. ***
Comment 4 Alan Coopersmith 2010-10-03 09:13:02 UTC
Comment on attachment 38667

ajax proposed a revised patch that simplifies the code to solve the problem:
Comment 5 Frank Mehnert 2010-10-05 00:31:20 UTC
Still not right! VbeModeInfoBlock has a length of 255 bytes not 256.
Comment 6 Frank Mehnert 2010-10-05 01:19:13 UTC
I believe the correct fix is to change the structure definition to define reserved to have a size of 190 not 189 as the VBE spec defines 256 bytes of data.
Comment 7 Jesse Adkins 2010-10-05 16:06:36 UTC
This was fixed in xserver master today. Closing.
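
The size mismatch discussed in comments 5 and 6, as an added example that is not part of the bug report or the xserver source: a 256-byte block copied into a structure whose reserved field is 189 versus 190 bytes long. The struct names, the collapsed `fields` array (66 bytes, i.e. 255 - 189) and the `copy_block` helper are hypothetical stand-ins, and the buffer contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VBE_MODE_INFO_LEN 256   /* the VBE spec defines 256 bytes of data */

/* Hypothetical stand-ins for VbeModeInfoBlock: everything ahead of
 * `reserved` is collapsed into one 66-byte array. */
struct mode_info_short {        /* 255-byte layout noted in comment 5 */
    uint8_t fields[66];
    uint8_t reserved[189];
};

struct mode_info_full {         /* layout proposed in comment 6 */
    uint8_t fields[66];
    uint8_t reserved[190];
};

/* Compile-time guard: the short layout would fail this check at build time. */
_Static_assert(sizeof(struct mode_info_full) == VBE_MODE_INFO_LEN,
               "mode info block must be exactly 256 bytes");

/* Copy at most dst_size bytes and return how many source bytes did not fit,
 * so a size mismatch is reported instead of written past the destination. */
static size_t copy_block(void *dst, size_t dst_size,
                         const void *src, size_t src_len)
{
    size_t n = src_len < dst_size ? src_len : dst_size;
    memcpy(dst, src, n);
    return src_len - n;
}

int main(void)
{
    uint8_t bios_buf[VBE_MODE_INFO_LEN];    /* constructed sample data */
    for (size_t i = 0; i < sizeof bios_buf; i++)
        bios_buf[i] = (uint8_t)i;

    struct mode_info_short s;
    struct mode_info_full f;
    printf("short layout: %zu bytes, %zu left over\n", sizeof s,
           copy_block(&s, sizeof s, bios_buf, sizeof bios_buf));
    printf("full layout:  %zu bytes, %zu left over\n", sizeof f,
           copy_block(&f, sizeof f, bios_buf, sizeof bios_buf));
    return 0;
}
```

Bounding the copy by `sizeof` of the destination keeps a wrong hard-coded length from overflowing it, and the `_Static_assert` turns a wrong structure size into a build failure.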
