Bug 9526

Summary: Length field in create gradient requests is not set correctly
Product: xorg Reporter: David Reveman <reveman>
Component: Lib/XrenderAssignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: major    
Priority: high CC: fred, krh
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
Properly set length field in gradient requests none

Description David Reveman 2007-01-03 06:16:58 UTC 
XRenderCreateLinearGradient, XRenderCreateRadialGradient and
XRenderCreateConicalGradient functions in Picture.c adds the color stop length
after adding the color stop data. If the color stop data exceeds the output
buffer, the request will be sent to the server with an incorrect length field.
Simply adding the color stop length before sending the color stop data will fix
this issue.

This bug affects any client using gradient pictures. Clients that use a version
of libXrender without this fixed can workaround the issue by flushing the output
buffer just before creating a gradient picture.

The current code is also not handling the case where the number of color stops
is so great that a "Big Request" is required. Using SetReqLen to set the length
field instead of manually incrementing it will take care of this.

I'm attaching a patch that will fix both issues. Can I commit this patch and
increment the version number to 0.9.3?
Comment 1 David Reveman 2007-01-03 06:19:37 UTC 
Created attachment 8281 [details] [review]
Properly set length field in gradient requests
Comment 2 Daniel Stone 2007-02-27 01:35:28 UTC 
Sorry about the phenomenal bug spam, guys.  Adding xorg-team@ to the QA contact so bugs don't get lost in future.
Comment 3 Kristian Høgsberg 2007-08-15 10:53:57 UTC 
David, looks like the right fix to me, please apply and make a 0.9.3 release.
Comment 4 David Reveman 2007-08-21 11:56:41 UTC 
done.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.