Bug 54013

Summary: Wide PolyLine can overflow a buffer, leading to a stack smash.
Product: xorg Reporter: Peter Harris <pharris>
Component: Server/GeneralAssignee: Adam Jackson <ajax>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: git   
Hardware: All   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
Band-aid patch
none
Test case none

Description Peter Harris 2012-08-24 15:28:24 UTC
Created attachment 66070 [details] [review]
Band-aid patch

In miWideDashSegment, left[2] and right[2] can have (at least) three elements stored in them by miPolyBuildPoly.

I don't fully grok the line code. Maybe this shouldn't ever happen, but the obvious bandaid is to increase the size of left and right.
Comment 1 Peter Harris 2012-08-24 15:30:23 UTC
Created attachment 66071 [details]
Test case
Comment 2 Adam Jackson 2014-03-24 16:42:02 UTC
commit 20c2a3bcb11b5baf564e2c73a477ba23f5ae2b10
Author: Peter Harris <pharris@opentext.com>
Date:   Mon Jul 15 19:44:29 2013 -0400

    mi: Avoid stack smash when drawing dashed lines
    
    X.org Bug 54013 <https://bugs.freedesktop.org/show_bug.cgi?id=54013>
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Peter Harris <pharris@opentext.com>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.