function drm_output_choose_initial_mode:

    drm_output_choose_initial_mode(struct drm_output *output,
                                   enum output_config kind,
                                   int width, int height,
                                   const drmModeModeInfo *current_mode,   -----> already pointer to struct
                                   const drmModeModeInfo *modeline)

line 2215:

    if (memcmp(&current_mode,   ------> incorrect
               &drm_mode->mode_info, sizeof *current_mode) == 0)

address sanitizer:

    ==13723==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbf9eeee4 at pc 0xb72b9d87 bp 0xbf9eecc8 sp 0xbf9ee89c
    READ of size 68 at 0xbf9eeee4 thread T0
        #0 0xb72b9d86 in __interceptor_memcmp /build/gcc/src/gcc-5-20160209/libsanitizer/asan/asan_interceptors.cc:332
        #1 0xb5b3a371 in drm_output_choose_initial_mode src/compositor-drm.c:2215
        #2 0xb5b3a371 in create_output_for_connector src/compositor-drm.c:2392
        #3 0xb5b3e012 in create_outputs src/compositor-drm.c:2591
        #4 0xb5b3e012 in drm_backend_create src/compositor-drm.c:3165
        #5 0xb5b3e012 in backend_init src/compositor-drm.c:3265
        #6 0x8050015 in load_backend_old src/main.c:653
        #7 0x8050015 in load_backend src/main.c:677
        #8 0x8050015 in main src/main.c:781
        #9 0xb6f36526 in __libc_start_main (/usr/lib/libc.so.6+0x18526)
        #10 0x8050d4a (/usr/bin/weston+0x8050d4a)

    Address 0xbf9eeee4 is located in stack of thread T0 at offset 356 in frame
        #0 0xb5b38fcf in create_output_for_connector src/compositor-drm.c:2298

      This frame has 11 object(s):
        [32, 36) 'width'
        [96, 100) 'height'
        [160, 164) 'scale'
        [224, 228) 's'
        [288, 292) 'transform'
        [352, 356) 'current_mode'
        [416, 484) 'crtc_mode' <== Memory access at offset 356 partially underflows this variable
        [544, 612) 'modeline'
        [672, 688) 'hsync'
        [736, 752) 'vsync'
        [800, 832) 'name'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc/src/gcc-5-20160209/libsanitizer/asan/asan_interceptors.cc:332 __interceptor_memcmp
    Shadow bytes around the buggy address:
      0x37f3dd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x37f3dd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x37f3dda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x37f3ddb0: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
      0x37f3ddc0: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
    =>0x37f3ddd0: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2[04]f4 f4 f4
      0x37f3dde0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 04 f4 f4 f4
      0x37f3ddf0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 04 f4 f4 f4
      0x37f3de00: f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4
      0x37f3de10: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
      0x37f3de20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==13723==ABORTING
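The pattern behind this report, as an added example that is not part of the bug report or of the Weston fix: a constructed stand-in for drmModeModeInfo (its fields are assumptions, not the libdrm layout), a function that shows how many bytes the `&current_mode` form reads past the pointer's own stack slot, and the corrected comparison routed through a typed helper so the compiler diagnoses the address-of-pointer mistake. The names overread_bytes, mode_info_equal, mode_matches_current and self_check are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for drmModeModeInfo, laid out without padding. */
struct mode_info {
    uint32_t clock;
    uint16_t hdisplay, vdisplay, vrefresh, flags;
    char name[32];
};
struct drm_mode { struct mode_info mode_info; int refcount; };

/* Bytes the buggy call read past the pointer variable: it asked for
 * sizeof *current_mode, but only a pointer lives at &current_mode
 * (the report: READ of size 68 from the 4-byte slot at frame offset 352). */
size_t overread_bytes(void)
{
    const struct mode_info *current_mode = NULL;
    return sizeof *current_mode - sizeof current_mode;
}

/* Corrected comparison on the structs themselves. A typed helper also
 * makes the compiler diagnose &current_mode (a const struct mode_info **)
 * as an incompatible pointer type instead of silently comparing raw bytes. */
int mode_info_equal(const struct mode_info *a, const struct mode_info *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* The call site as line 2215 should read; the original passed
 * &current_mode, the address of the pointer, as memcmp's first operand. */
int mode_matches_current(const struct mode_info *current_mode,
                         const struct drm_mode *drm_mode)
{
    return mode_info_equal(current_mode, &drm_mode->mode_info);
}

/* Self-check: an identical mode matches, a different one does not. */
int self_check(void)
{
    struct mode_info a, c;
    struct drm_mode dm;
    memset(&a, 0, sizeof a);
    a.clock = 148500; a.hdisplay = 1920; a.vdisplay = 1080; a.vrefresh = 60;
    strcpy(a.name, "1920x1080");
    c = a; c.hdisplay = 1280; c.vdisplay = 720; strcpy(c.name, "1280x720");
    memset(&dm, 0, sizeof dm);
    memcpy(&dm.mode_info, &a, sizeof a);
    return mode_matches_current(&a, &dm) && !mode_matches_current(&c, &dm);
}
```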
Created attachment 122333
misc patch to correct this
You're right, a good catch! And the patch looks fine, but could you please send it to the wayland-devel@ mailing list, where we handle patches? With a proper commit message and author info, of course, and a reference to this report. Thanks.
commit 7a5c562d1aa7e893f0a0910a3f6860b450127acd
Author: comic fans <comicfans44@gmail.com>
Date:   Thu Mar 17 14:29:27 2016 +0200

    compositor-drm: fix memcmp using a bad pointer in drm_output_choose_initial_mode