Bug 93667 - Crash in eglCreateImageKHR with huge texture size
Summary: Crash in eglCreateImageKHR with huge texture size
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: EGL
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: mesa-dev
QA Contact: mesa-dev
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-11 12:26 UTC by Fabian Vogt
Modified: 2016-03-07 08:41 UTC

See Also:
i915 platform:
i915 features:


Attachments

Description Fabian Vogt 2016-01-11 12:26:23 UTC
I couldn't select 11.1 as version, so I used "unspecified".

Originally reported as bug in KWin: https://bugs.kde.org/show_bug.cgi?id=357754

"I accidentally set QT_DEVICE_PIXEL_RATIO=100 when opening a Qt application that uses OpenGL and kwin_x11 crashes reproducibly with the following backtrace until I kill the application:

#5  <signal handler called>
#6  dri2_create_image_khr_pixmap (ctx=<optimized out>, attr_list=<optimized out>, buffer=<optimized out>, disp=0x363b480) at drivers/dri2/platform_x11.c:1051
#7  dri2_x11_create_image_khr (drv=<optimized out>, disp=0x363b480, ctx=<optimized out>, target=<optimized out>, buffer=<optimized out>, attr_list=<optimized out>) at drivers/dri2/platform_x11.c:1074
#8  0x00007fcc598c6279 in eglCreateImageKHR (dpy=0x363b480, ctx=0x0, target=12464, buffer=0x7657a89, attr_list=0x7ffdd25b8db0) at main/eglapi.c:1331
#9  0x00007fcc6738fada in KWin::AbstractEglTexture::loadTexture (this=0x4d8c670, pix=124091017, size=...) at /usr/src/debug/kwin-5.5.2/abstract_egl_backend.cpp:312"

xcb_dri2_get_buffers_reply in dri2_create_image_khr_pixmap (egl/drivers/dri2/platform_x11.c:1000) returns NULL,
but this is not detected, and xcb_dri2_get_buffers_buffers (buffers_reply) returns 0x20.
This passes the check against NULL, and it crashes when accessing buffers_reply->width at line 1052.
I found multiple places where xcb_dri2_get_buffers_reply is used this way, AFAICS they're all affected.
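The failure mode described in the report, as an added example that is not Mesa's or xcb's own code: the generated xcb accessor for the buffer array is plain pointer arithmetic on the reply, so for a NULL reply it yields the header size (0x20 for a 32-byte header) rather than NULL, and a NULL check on that derived pointer can never fail. The struct layouts, field names and the sample reply below are constructed stand-ins; the hardened lookup does what the fix referenced in this bug does, namely check the reply itself before deriving anything from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the xcb DRI2 types (assumption: the real
 * xcb_dri2_get_buffers_reply_t is a 32-byte fixed header followed by
 * `count` buffer records; the field names here are illustrative). */
typedef struct {
    uint8_t  response_type;
    uint8_t  pad0;
    uint16_t sequence;
    uint32_t length;
    uint32_t width;
    uint32_t height;
    uint32_t count;
    uint8_t  pad1[12];
} dri2_get_buffers_reply_t;

typedef struct {
    uint32_t attachment;
    uint32_t name;
    uint32_t pitch;
    uint32_t cpp;
    uint32_t flags;
} dri2_buffer_t;

/* Mirror of the generated xcb accessor: the buffer array starts right after
 * the fixed header, so the result is reply + sizeof(header). Integer
 * arithmetic is used here so the NULL case stays well defined; the generated
 * code does the equivalent with pointer arithmetic (assumption). */
static dri2_buffer_t *get_buffers_buffers(const dri2_get_buffers_reply_t *r)
{
    return (dri2_buffer_t *)((uintptr_t)r + sizeof(*r));
}

/* What the accessor hands back for a failed (NULL) reply: the header size,
 * 0x20 for a 32-byte header, which is not NULL. */
uintptr_t buffers_pointer_for_null_reply(void)
{
    return (uintptr_t)get_buffers_buffers(NULL);
}

/* Buggy pattern from the report: only the derived pointer is NULL-checked.
 * Returns 1 when the check is passed, i.e. when the caller would go on to
 * read reply->width through a NULL reply. */
int buggy_check_passes(const dri2_get_buffers_reply_t *reply)
{
    dri2_buffer_t *buffers = get_buffers_buffers(reply);
    return buffers != NULL;
}

/* Hardened pattern: test the reply itself before deriving anything from it,
 * and validate the count before indexing the buffer array. Output
 * parameters are only written on success. */
int get_front_buffer(const dri2_get_buffers_reply_t *reply,
                     dri2_buffer_t *out, uint32_t *width, uint32_t *height)
{
    if (reply == NULL)          /* request failed: no reply to decode */
        return -1;
    if (reply->count == 0)      /* reply present but carries no buffers */
        return -1;

    dri2_buffer_t *buffers = get_buffers_buffers(reply);
    *out = buffers[0];
    *width = reply->width;
    *height = reply->height;
    return 0;
}

/* Constructed sample reply: one 64x32 pixmap with a single buffer record. */
dri2_get_buffers_reply_t *make_sample_reply(void)
{
    size_t size = sizeof(dri2_get_buffers_reply_t) + sizeof(dri2_buffer_t);
    dri2_get_buffers_reply_t *r = calloc(1, size);
    if (r == NULL)
        return NULL;
    r->length = (uint32_t)(sizeof(dri2_buffer_t) / 4);
    r->width = 64;
    r->height = 32;
    r->count = 1;
    dri2_buffer_t *b = get_buffers_buffers(r);
    b->attachment = 0;        /* front-left attachment */
    b->name = 0x1234;         /* constructed buffer name */
    b->pitch = 64 * 4;
    b->cpp = 4;
    return r;
}

int main(void)
{
    printf("buffers pointer for NULL reply: %#lx\n",
           (unsigned long)buffers_pointer_for_null_reply());
    printf("buggy check passes on NULL reply: %d\n", buggy_check_passes(NULL));
    printf("hardened lookup on NULL reply: %d\n",
           get_front_buffer(NULL, NULL, NULL, NULL));

    dri2_buffer_t buf;
    uint32_t w, h;
    dri2_get_buffers_reply_t *r = make_sample_reply();
    if (r != NULL && get_front_buffer(r, &buf, &w, &h) == 0)
        printf("hardened lookup on real reply: %ux%u name=%#x pitch=%u\n",
               w, h, buf.name, buf.pitch);
    free(r);
    return 0;
}
```

The check the fix adds belongs on the reply pointer, immediately after `xcb_dri2_get_buffers_reply()` returns, since anything derived from the reply (the buffer array, `width`, `height`) is meaningless once the request has failed.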
Comment 1 Emil Velikov 2016-03-05 21:22:21 UTC
Hi Fabian, just sent out a patch for this case. Can you please test it?

The only other case that I've spotted has already been addressed with commit 5d87a7c894d "egl_dri2: NULL check for xcb_dri2_get_buffers_reply()". Can you let me know if we've missed any others?

-Emil
Comment 2 Fabian Vogt 2016-03-07 08:41:55 UTC
(In reply to Emil Velikov from comment #1)
> Hi Fabian, just sent out a patch for this case. Can you please test it?
> 
> The only other case that I've spotted has already been addressed with commit
> 5d87a7c894d "egl_dri2: NULL check for xcb_dri2_get_buffers_reply()". Can you
> let me know if we've missed any others?
> 
> -Emil

Patch tested and confirmed to work :)
The other places seem to be fixed now.
Thanks!

