Bug 4243

Summary: Off by one read overflow in RasterizeEdges8
Product: xorg
Component: Server/General
Version: git
Hardware: All
OS: All
Status: RESOLVED FIXED
Severity: major
Priority: high
Reporter: Matthieu Herrb <matthieu.herrb>
Assignee: Xorg Project Team <xorg-team>
CC: eich, keithp, sndirsch
Bug Blocks: 1690
Attachments: Proposed patch (attachment 3033, flags: none)

Description Matthieu Herrb 2005-08-25 12:14:51 UTC
This is one more problem spotted by the new OpenBSD malloc, this time by Niklas Hallqvist:

Program received signal SIGSEGV, Segmentation fault.
0x1c4cd48d in fbRasterizeEdges8 (buf=0x7cfb7ff8, width=8, stride=2, l=0xcfbcc6f0, r=0xcfbcc6c0, t=2184, b=63350) at fbedgeimp.h:107
107                         AddAlpha (rxs);
(gdb) bt
#0  0x1c4cd48d in fbRasterizeEdges8 (buf=0x7cfb7ff8, width=8, stride=2, l=0xcfbcc6f0, r=0xcfbcc6c0, t=2184, b=63350) at fbedgeimp.h:107
#1  0x1c4cdd59 in fbRasterizeEdges (buf=0x7cfb7ff8, bpp=8, width=8, stride=2, l=0xcfbcc6f0, r=0xcfbcc6c0, t=2184, b=63350) at fbedge.c:129
#2  0x1c4cce53 in fbRasterizeTrapezoid (pPicture=0x87e84c00, trap=0x8c462608, x_off=-29, y_off=-558) at fbtrap.c:139
#3  0x1c664641 in miTrapezoids (op=3 '\003', pSrc=0x87e84a00, pDst=0x87e84300, maskFormat=0x85919830, xSrc=-2, ySrc=-7, ntrap=1, traps=0x8c462608) at mitrap.c:167
#4  0x1c667e74 in CompositeTrapezoids (op=3 '\003', pSrc=0x87e84a00, pDst=0x87e84300, maskFormat=0x85919830, xSrc=-2, ySrc=-7, ntrap=1, traps=0x8c462608) at picture.c:1417
#5  0x1c669bd0 in ProcRenderTrapezoids (client=0x7f4ba800) at render.c:789
#6  0x1c66c17d in ProcRenderDispatch (client=0x7f4ba800) at render.c:1846
#7  0x1c45c9df in Dispatch () at dispatch.c:455
#8  0x1c472e61 in main (argc=4, argv=0xcfbccb50, envp=0xcfbccb64) at main.c:442
Comment 1 Matthieu Herrb 2005-08-25 12:16:46 UTC
Created attachment 3033 [details] [review]
Proposed patch

It looks like it segfaults on the very last AddAlpha() call, which should probably not be done.
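The report above describes the failure pattern but not the loop itself, so the following is an added, hypothetical illustration (not the fbedgeimp.h code and not Matthieu Herrb's patch) of how an inclusive right bound in a span-filling loop touches one cell past the end of an 8-bit alpha row, and of the guard-byte check that catches it, which is the same idea at a smaller scale as the allocator-level guard that exposed this crash. The function and constant names, the row width of 8 (chosen to match width=8 in the backtrace) and the canary value are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROW_WIDTH 8      /* assumed; matches width=8 in the backtrace */
#define CANARY    0xA5   /* assumed guard byte placed just past the row */

/* Saturating coverage accumulate into one 8-bit alpha cell. */
static void add_alpha(uint8_t *p, unsigned v)
{
    unsigned s = (unsigned)*p + v;
    *p = (uint8_t)(s > 255 ? 255 : s);
}

/* Hypothetical buggy span fill: treats the right edge as inclusive, so a
 * span whose right edge sits exactly at the row width touches row[width],
 * one cell past the end of the row. */
static void fill_span_inclusive(uint8_t *row, int lx, int rx)
{
    for (int x = lx; x <= rx; x++)
        add_alpha(&row[x], 255);
}

/* Hypothetical fixed span fill: half-open [lx, rx) and clamped to the row,
 * so the final accumulate is never performed past the row end. */
static void fill_span_clamped(uint8_t *row, int width, int lx, int rx)
{
    if (lx < 0)     lx = 0;
    if (rx > width) rx = width;
    for (int x = lx; x < rx; x++)
        add_alpha(&row[x], 255);
}

/* Rasterize a span covering the whole row through one of the two variants and
 * report whether the guard byte after the row changed. The buffer is one byte
 * longer than the rasterizer is told, so the stray access lands on the canary
 * instead of on whatever follows the allocation. Returns 1 if the canary was
 * clobbered, 0 otherwise. */
static int span_writes_past_row(int use_fixed)
{
    uint8_t row[ROW_WIDTH + 1];
    memset(row, 0, sizeof row);
    row[ROW_WIDTH] = CANARY;

    if (use_fixed)
        fill_span_clamped(row, ROW_WIDTH, 0, ROW_WIDTH);
    else
        fill_span_inclusive(row, 0, ROW_WIDTH);

    return row[ROW_WIDTH] != CANARY;
}

/* Sanity check that the clamped version still covers every cell in the row:
 * returns 1 if all ROW_WIDTH cells are fully opaque after the fill. */
static int fixed_row_fully_covered(void)
{
    uint8_t row[ROW_WIDTH];
    memset(row, 0, sizeof row);
    fill_span_clamped(row, ROW_WIDTH, 0, ROW_WIDTH);
    for (int x = 0; x < ROW_WIDTH; x++)
        if (row[x] != 255)
            return 0;
    return 1;
}

int main(void)
{
    printf("inclusive bound clobbers guard byte: %d\n", span_writes_past_row(0));
    printf("clamped bound clobbers guard byte:   %d\n", span_writes_past_row(1));
    printf("clamped bound covers full row:       %d\n", fixed_row_fully_covered());
    return 0;
}
```

The canary technique is what makes the bug visible in a deterministic test: without the extra guard cell the inclusive loop silently corrupts the first byte of the next row (or, at the end of the buffer, whatever the allocator placed there), and only a guarding allocator or a crash like the one in the backtrace reveals it.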
Comment 2 Egbert Eich 2005-09-01 02:19:29 UTC
Also adding Keith.
Comment 3 Matthieu Herrb 2005-09-12 11:37:04 UTC
Ok. So Eric Anholt committed another fix for this bug on 08/30 without noticing this report?
See fbedgeimp rev 1.4...
