Bug 67069

Summary:

xf86Crtc.c guarantee compat_output in the range [ -1 .. num_output-1 ]

Product:

xorg

Reporter:

vdb128 <vdb128>

Component:

Server/General

Assignee:

Xorg Project Team <xorg-team>

Status:

RESOLVED FIXED

QA Contact:

Xorg Project Team <xorg-team>

Severity:

normal

Priority:

medium

Version:

git

Hardware:

All

OS:

All

Whiteboard:

i915 platform:

i915 features:

Bug Depends on:

65212

Bug Blocks:

Attachments:

Description	Flags
guarantee compat_output in the range [ -1 .. num_output-1 ]	none

Description vdb128 2013-07-19 09:03:13 UTC

The current code in xf86Crtc.c SetCompatOutput(config) allows for 
compat_output >= num_output when num_output decreases to zero.  Thus 
xf86Crtc.h xf86CompatOutput(pScrn) may read beyond the end of the 
output array via config->output[config->compat_output].

The patch moves the compat_output update into its own if() block.  
Then it is always updated to the last selected compat output, 
including the compat == -1 case.

Comment 1 vdb128 2013-07-19 09:05:18 UTC

Created attachment 82664 [details] [review]
guarantee compat_output in the range [ -1 .. num_output-1 ]

Comment 2 Adam Jackson 2018-06-13 18:07:04 UTC

Should be made unnecessary by:

commit 28159eff6badf6181b255f26d1f444abe81c05b7
Author: Jason Gerecke <killertofu@gmail.com>
Date:   Thu Apr 30 18:06:14 2015 -0700

    xfree86: Return NULL from xf86CompatOutput if no compat_output is defined
    
    If no compat_output is defined, we inadvertently (attempt to) return
    whatever data is at index -1. Instead, return NULL since that's what
    callers are expecting.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.