Bug 4243 - Off by one read overflow in RasterizeEdges8
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: All
OS: All
Importance: high major
Assigned To: Xorg Project Team
Depends on:
Blocks: 1690
Reported: 2005-08-25 12:14 UTC by Matthieu Herrb
Modified: 2005-09-11 18:37 UTC (History)



Attachments
Proposed patch (441 bytes, patch)
2005-08-25 12:16 UTC, Matthieu Herrb

Description Matthieu Herrb 2005-08-25 12:14:51 UTC
This is one more problem spotted by the new OpenBSD malloc, this time by Niklas
Hallqvist:

Program received signal SIGSEGV, Segmentation fault.
0x1c4cd48d in fbRasterizeEdges8 (buf=0x7cfb7ff8, width=8, stride=2,
l=0xcfbcc6f0, r=0xcfbcc6c0, t=2184, b=63350)
   at fbedgeimp.h:107
107                         AddAlpha (rxs);
(gdb) bt
#0  0x1c4cd48d in fbRasterizeEdges8 (buf=0x7cfb7ff8, width=8, stride=2,
l=0xcfbcc6f0, r=0xcfbcc6c0, t=2184, b=63350)
   at fbedgeimp.h:107
#1  0x1c4cdd59 in fbRasterizeEdges (buf=0x7cfb7ff8, bpp=8, width=8, stride=2,
l=0xcfbcc6f0, r=0xcfbcc6c0, t=2184, b=63350)
   at fbedge.c:129
#2  0x1c4cce53 in fbRasterizeTrapezoid (pPicture=0x87e84c00, trap=0x8c462608,
x_off=-29, y_off=-558) at fbtrap.c:139
#3  0x1c664641 in miTrapezoids (op=3 '\003', pSrc=0x87e84a00, pDst=0x87e84300,
maskFormat=0x85919830, xSrc=-2, ySrc=-7,
   ntrap=1, traps=0x8c462608) at mitrap.c:167
#4  0x1c667e74 in CompositeTrapezoids (op=3 '\003', pSrc=0x87e84a00,
pDst=0x87e84300, maskFormat=0x85919830, xSrc=-2, ySrc=-7,
   ntrap=1, traps=0x8c462608) at picture.c:1417
#5  0x1c669bd0 in ProcRenderTrapezoids (client=0x7f4ba800) at render.c:789
#6  0x1c66c17d in ProcRenderDispatch (client=0x7f4ba800) at render.c:1846
#7  0x1c45c9df in Dispatch () at dispatch.c:455
#8  0x1c472e61 in main (argc=4, argv=0xcfbccb50, envp=0xcfbccb64) at main.c:442
Comment 1 Matthieu Herrb 2005-08-25 12:16:46 UTC
Created attachment 3033
Proposed patch

It looks like it segfaults on the very last AddAlpha() call, which should
probably not be done.
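The fault described in Comment 1 is the classic edge-rasterizer off-by-one: a span whose right edge lands exactly on the right pixel boundary yields a "partial" right pixel whose index equals the row width, so the final AddAlpha() indexes one byte past the coverage buffer. The following C program is an added illustration of that mechanism, not the xorg code from fbedgeimp.h: the 4-sub-sample model, the names row_t, add_alpha, rasterize_span and the `fixed` switch are all assumptions made for the example. The bounds check inside add_alpha is instrumentation standing in for the OpenBSD malloc guard page that caught the real bug; it counts the out-of-range access instead of faulting, so both the unfixed and the fixed loop can be run side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 4-sub-sample-per-pixel model (an assumption for this example;
 * the real rasterizer uses xFixed coordinates, not this constant). */
#define SUBSAMPLES 4

typedef struct {
    uint8_t *buf;   /* one coverage byte per pixel, valid indices 0..width-1 */
    int      width;
    int      oob;   /* accesses the loop attempted outside buf */
} row_t;

/* Stand-in for AddAlpha(). The bounds check plays the role of a malloc guard
 * page: instead of crashing it records the out-of-range index. */
static void add_alpha(row_t *row, int x, int a)
{
    if (x < 0 || x >= row->width) {
        row->oob++;
        return;
    }
    row->buf[x] += (uint8_t)a;
}

/* Accumulate coverage for one scanline span whose left and right edges sit at
 * sub-sample positions lx and rx (lx <= rx).
 * fixed == 0: end with an unconditional right-edge add, like the faulting loop.
 * fixed != 0: skip that add when the right edge lies exactly on a pixel
 *             boundary (rxs == 0); nothing is lost since it would add 0 anyway.
 * Returns the number of out-of-bounds accesses attempted. */
static int rasterize_span(row_t *row, int lx, int rx, int fixed)
{
    int lxi = lx / SUBSAMPLES, lxs = lx % SUBSAMPLES;  /* left pixel, sub-offset */
    int rxi = rx / SUBSAMPLES, rxs = rx % SUBSAMPLES;  /* right pixel, sub-offset */
    int x;

    row->oob = 0;
    if (lxi == rxi) {                          /* both edges inside one pixel */
        add_alpha(row, lxi, rxs - lxs);
        return row->oob;
    }
    add_alpha(row, lxi, SUBSAMPLES - lxs);     /* partially covered left pixel */
    for (x = lxi + 1; x < rxi; x++)
        add_alpha(row, x, SUBSAMPLES);         /* fully covered interior pixels */
    /* A span ending exactly at the right border has rx == width*SUBSAMPLES, so
     * rxi == width and rxs == 0: the unconditional add touches buf[width]. */
    if (!fixed || rxs != 0)
        add_alpha(row, rxi, rxs);              /* partially covered right pixel */
    return row->oob;
}

int main(void)
{
    uint8_t buf[8];
    row_t row = { buf, 8, 0 };
    int variant;

    for (variant = 0; variant < 2; variant++) {
        int oob, i;
        memset(buf, 0, sizeof buf);
        /* constructed input: a span covering the whole 8-pixel row, so the
         * right edge sits on the boundary after the last pixel */
        oob = rasterize_span(&row, 0, 8 * SUBSAMPLES, variant);
        printf("%s: out-of-bounds accesses = %d, coverage =",
               variant ? "fixed" : "unfixed", oob);
        for (i = 0; i < 8; i++)
            printf(" %u", buf[i]);
        printf("\n");
    }
    return 0;
}
```

Running it shows that both variants produce the same full coverage (4 in every pixel), but only the unfixed loop reaches index 8 of an 8-byte row. The condition to look for in review is therefore not "did the last add change anything" (it adds zero) but "can the computed pixel index ever equal width", which is exactly what a read-side overflow detector such as a guard page reports.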
Comment 2 Egbert Eich 2005-09-01 02:19:29 UTC
Also adding Keith.
Comment 3 Matthieu Herrb 2005-09-12 11:37:04 UTC
Ok. So Eric Anholt committed another fix for this bug on 08/30 without noticing
this report?
See fbedgeimp rev 1.4...