Bug 15964 - off by one error in hw/xfree86/ddc/edid.h / interpret_edid.c
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: Other All
Importance: medium minor
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Depends on:
Blocks: xorg-7.4
Reported: 2008-05-16 13:10 UTC by Török Edwin
Modified: 2008-05-27 04:51 UTC
Description Török Edwin 2008-05-16 13:10:49 UTC
In interpret_edid.c wp[2] is accessed from struct detailed_monitor_section, however it is declared as having only 2 elements.

Since it is part of a larger union, this is not a bounds violation, but either the declaration, or the code accessing it should be fixed.

hw/xfree86/ddc/edid.h has this struct declared:
struct detailed_monitor_section {
  int type;
  union {
    struct detailed_timings d_timings;  /* 56 */
    Uchar serial[13];
    Uchar ascii_data[13];
    Uchar name[13];
    struct monitor_ranges ranges;       /* 56 */
    struct std_timings std_t[5];        /* 80 */
    struct whitePoints wp[2];           /* 32 */
    /* color management data */
    struct cvt_timings cvt[4];          /* 64 */
    /* established timings III */
  } section;                            /* max: 80 */
};

where the member wp is declared as an array having 2 elements,
however interpret_edid.c:get_whitepoint_section() accesses the 3rd element:

wp[2].white_x = WHITEX2;

It is called from get_dt_md_section(): get_whitepoint_section(c,det_mon[i].section.wp);

This issue was found by a static analysis tool.
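
Added example, not part of the original report or the X.Org source: a small C program that classifies an index into section.wp as covered by the declaration, past the declared array but still inside the union's storage (the wp[2] case described above), or past the union entirely, alongside a checked setter. The struct field layouts, the trimmed union, and the names classify_wp_index and set_white_point are assumptions made for illustration; only the array lengths wp[2] and std_t[5] come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the edid.h types (field layouts are assumptions);
 * only the array lengths wp[2] and std_t[5] are taken from the report. */
struct white_point { int32_t index; float white_x, white_y, white_gamma; };
struct std_timing  { int32_t hsize, vsize, refresh, id; };

#define WP_COUNT 2
union section_u {
    unsigned char      name[13];
    struct std_timing  std_t[5];       /* largest member sets the union size */
    struct white_point wp[WP_COUNT];
};
struct monitor_section { int type; union section_u section; };

enum idx_class { IDX_OK, IDX_PAST_ARRAY_IN_UNION, IDX_PAST_UNION };

/* Classify index i into section.wp. Union members all start at offset 0,
 * so the number of white_point slots that fit in the union is a division. */
enum idx_class classify_wp_index(size_t i)
{
    size_t slots_in_union = sizeof(union section_u) / sizeof(struct white_point);
    if (i < WP_COUNT)
        return IDX_OK;
    return i < slots_in_union ? IDX_PAST_ARRAY_IN_UNION : IDX_PAST_UNION;
}

/* Hypothetical checked setter: refuses any index the declaration does not cover. */
int set_white_point(struct monitor_section *m, size_t i, float x, float y)
{
    if (i >= WP_COUNT)
        return -1;
    m->section.wp[i].white_x = x;
    m->section.wp[i].white_y = y;
    return 0;
}

int main(void)
{
    static const char *label[] = { "ok", "past wp[], inside union", "past union" };
    struct monitor_section m = { 0 };
    for (size_t i = 0; i <= 5; i++)   /* constructed sample indices */
        printf("wp[%zu]: %-24s set=%d\n", i, label[classify_wp_index(i)],
               set_white_point(&m, i, 0.3f, 0.3f));
    return 0;
}
```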
Comment 1 Peter Hutterer 2008-05-27 04:51:52 UTC
Pushed as 64677f6a167a5bee99e5dfb599a3c3a6fb5dffe7. Thanks for reporting.