Bug 54013 - Wide PolyLine can overflow a buffer, leading to a stack smash.
Summary: Wide PolyLine can overflow a buffer, leading to a stack smash.
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: git
Hardware: All All
: medium normal
Assignee: Adam Jackson
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-24 15:28 UTC by Peter Harris
Modified: 2014-03-24 16:42 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
Band-aid patch (1.36 KB, patch)
2012-08-24 15:28 UTC, Peter Harris 		no flags Details | Splinter Review
Test case (1.91 KB, text/plain)
2012-08-24 15:30 UTC, Peter Harris 		no flags Details
View All

Description Peter Harris 2012-08-24 15:28:24 UTC 
Created attachment 66070 [details] [review]
Band-aid patch

In miWideDashSegment, left[2] and right[2] can have (at least) three elements stored in them by miPolyBuildPoly.

I don't fully grok the line code. Maybe this shouldn't ever happen, but the obvious bandaid is to increase the size of left and right.
Comment 1 Peter Harris 2012-08-24 15:30:23 UTC 
Created attachment 66071 [details]
Test case
Comment 2 Adam Jackson 2014-03-24 16:42:02 UTC 
commit 20c2a3bcb11b5baf564e2c73a477ba23f5ae2b10
Author: Peter Harris <pharris@opentext.com>
Date:   Mon Jul 15 19:44:29 2013 -0400

    mi: Avoid stack smash when drawing dashed lines
    
    X.org Bug 54013 <https://bugs.freedesktop.org/show_bug.cgi?id=54013>
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Signed-off-by: Peter Harris <pharris@opentext.com>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.