Bug 93667 - Crash in eglCreateImageKHR with huge texture size
Summary: Crash in eglCreateImageKHR with huge texture size
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: EGL
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: mesa-dev
QA Contact: mesa-dev
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-11 12:26 UTC by Fabian Vogt
Modified: 2016-03-07 08:41 UTC
CC List: 1 user

See Also:
i915 platform:
i915 features:


Attachments

Description Fabian Vogt 2016-01-11 12:26:23 UTC
I couldn't select 11.1 as version, so I used "unspecified".

Originally reported as bug in KWin: https://bugs.kde.org/show_bug.cgi?id=357754

"I accidentally set QT_DEVICE_PIXEL_RATIO=100 when opening a Qt application that uses OpenGL and kwin_x11 crashes reproducibly with the following backtrace until I kill the application:

#5  <signal handler called>
#6  dri2_create_image_khr_pixmap (ctx=<optimized out>, attr_list=<optimized out>, buffer=<optimized out>, disp=0x363b480) at drivers/dri2/platform_x11.c:1051
#7  dri2_x11_create_image_khr (drv=<optimized out>, disp=0x363b480, ctx=<optimized out>, target=<optimized out>, buffer=<optimized out>, attr_list=<optimized out>) at drivers/dri2/platform_x11.c:1074
#8  0x00007fcc598c6279 in eglCreateImageKHR (dpy=0x363b480, ctx=0x0, target=12464, buffer=0x7657a89, attr_list=0x7ffdd25b8db0) at main/eglapi.c:1331
#9  0x00007fcc6738fada in KWin::AbstractEglTexture::loadTexture (this=0x4d8c670, pix=124091017, size=...) at /usr/src/debug/kwin-5.5.2/abstract_egl_backend.cpp:312"

xcb_dri2_get_buffers_reply in dri2_create_image_khr_pixmap (egl/drivers/dri2/platform_x11.c:1000) returns NULL,
but this is not detected and xcb_dri2_get_buffers_buffers (buffers_reply) returns 0x20.
This passes the check against NULL and it crashes when accessing buffers_reply->width in :1052.
I found multiple places where xcb_dri2_get_buffers_reply is used this way, AFAICS they're all affected.
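The failure mode described in the report is a guard placed on the wrong pointer: xcb's generated accessors compute the position of a variable-length field as an offset from the reply pointer, so when the reply is NULL the accessor hands back a small non-NULL address (here 0x20, the size of the reply header) and a NULL check on that derived pointer never fires. The following is an added example, not Mesa or libxcb code. It uses constructed stand-in structs whose layout assumes the 32-byte reply header and the `(R + 1)`-style accessor of the generated xcb code; the field names and helper functions are hypothetical and exist only to show the wrong guard next to the fixed one without needing an X server.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for xcb_dri2_get_buffers_reply_t. Real xcb replies
 * carry a 32-byte fixed header followed by variable-length data, which is
 * the layout assumed here (1+1+2+4+4+4+4+12 = 32 bytes, no padding). */
typedef struct {
    uint8_t  response_type;
    uint8_t  pad0;
    uint16_t sequence;
    uint32_t length;
    uint32_t width;
    uint32_t height;
    uint32_t count;
    uint8_t  pad1[12];
} fake_reply_t;

/* Constructed stand-in for xcb_dri2_dri2_buffer_t. */
typedef struct {
    uint32_t attachment;
    uint32_t name;
    uint32_t pitch;
    uint32_t cpp;
    uint32_t flags;
} fake_buffer_t;

/* Mirrors the generated accessor, which is plain offset arithmetic from R
 * and performs no NULL check. Computed through uintptr_t so the NULL case
 * is well-defined for this demonstration; the value is the same: for a
 * NULL reply the result is sizeof(fake_reply_t) == 0x20, not NULL. */
static fake_buffer_t *fake_get_buffers(const fake_reply_t *R)
{
    return (fake_buffer_t *)((uintptr_t)R + sizeof(*R));
}

/* Numeric value of the derived pointer, for inspection. */
static uintptr_t derived_pointer_value(const fake_reply_t *reply)
{
    return (uintptr_t)fake_get_buffers(reply);
}

/* The guard as the report describes it: NULL-check the derived buffers
 * pointer. Returns 1 when execution would continue to reply->width.
 * Nothing is dereferenced, so calling this with NULL is safe here. */
static int guard_on_buffers_passes(const fake_reply_t *reply)
{
    const fake_buffer_t *buffers = fake_get_buffers(reply);
    return buffers != NULL;   /* always true, even for reply == NULL */
}

/* The corrected guard: test the reply itself before deriving anything. */
static int guard_on_reply_passes(const fake_reply_t *reply)
{
    if (reply == NULL)
        return 0;
    const fake_buffer_t *buffers = fake_get_buffers(reply);
    return buffers != NULL;
}

/* Safe read of the width field; returns 0 instead of touching a NULL reply. */
static int read_width_safe(const fake_reply_t *reply, uint32_t *width)
{
    if (!guard_on_reply_passes(reply))
        return 0;
    *width = reply->width;
    return 1;
}

/* Builds a constructed, valid reply and reads its width through the safe path. */
static uint32_t check_sample_reply(void)
{
    fake_reply_t reply = {0};
    uint32_t width = 0;
    reply.width = 4096;
    reply.height = 4096;
    reply.count = 1;
    return read_width_safe(&reply, &width) ? width : 0;
}

int main(void)
{
    printf("derived buffers pointer for NULL reply: %#lx\n",
           (unsigned long)derived_pointer_value(NULL));
    printf("guard on buffers passes for NULL reply: %d\n",
           guard_on_buffers_passes(NULL));
    printf("guard on reply passes for NULL reply:   %d\n",
           guard_on_reply_passes(NULL));
    printf("width read from a valid sample reply:   %u\n",
           check_sample_reply());
    return 0;
}
```

The general rule this illustrates applies to every xcb `*_reply()` call: the reply pointer is the only thing that can be NULL on error, and any accessor output derived from it is meaningless until that check has been done.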
Comment 1 Emil Velikov 2016-03-05 21:22:21 UTC
Hi Fabian, just sent out a patch for this case. Can you please test it?

The only other case that I've spotted has already been addressed with commit 5d87a7c894d "egl_dri2: NULL check for xcb_dri2_get_buffers_reply()". Can you let me know if we've missed any others?

-Emil
Comment 2 Fabian Vogt 2016-03-07 08:41:55 UTC
(In reply to Emil Velikov from comment #1)
> Hi Fabian, just sent out a patch for this case. Can you please test it?
> 
> The only other case that I've spotted has already been addressed with commit
> 5d87a7c894d "egl_dri2: NULL check for xcb_dri2_get_buffers_reply()". Can you
> let me know if we've missed any others?
> 
> -Emil

Patch tested and confirmed to work :)
The other places seem to be fixed now.
Thanks!

