We have encountered a crash in xorg on debian jessie (xorg-server-1.16.4). Our client was sometimes passing a bogus shmaddr in XShmSegmentInfo, when calling XvShmPutImage. This results in a crash in ProcXvShmPutImage (Xext/xvdisp.c), in the following code:

    width = stuff->width;
    height = stuff->height;
    size_needed = (*pPort->pAdaptor->ddQueryImageAttributes) (client, pPort, pImage,
                                                              &width, &height, NULL, NULL);
    if ((size_needed + stuff->offset) > shmdesc->size)
        return BadAccess;

The if test is not good enough. If offset is big enough to cause a wrap around, size_needed + stuff->offset will be smaller than or equal to shmdesc->size. So an additional check to see if stuff->offset is smaller than shmdesc->size is needed here.
This is a backtrace of the crash:

    #0  memcpy () at ../sysdeps/i386/i586/memcpy.S:84
    #1  0xb6d0acec in memcpy (__len=<optimized out>, __src=0xb084bfec, __dest=<optimized out>) at /usr/include/i386-linux-gnu/bits/string3.h:51
    #2  sna_video_copy_data (video=0x80807590, frame=0xbfc303bc, buf=0xb084bfec <error: Cannot access memory at address 0xb084bfec>) at ../../../src/sna/sna_video.c:526
    #3  0xb6d0ec45 in sna_video_textured_put_image (client=0x80b5f860, draw=0x80b66c00, port=0x80809598, gc=0x80b74650, src_x=0, src_y=0, src_w=768, src_h=576, drw_x=267, drw_y=0, drw_w=1386, drw_h=1040, format=0xb6dd4bc0 <Images+256>, buf=0xb084bfec <error: Cannot access memory at address 0xb084bfec>, sync=0, width=768, height=576) at ../../../src/sna/sna_video_textured.c:222
    #4  0x80157912 in XvdiPutImage (client=0x80b5f860, pDraw=0x80b66c00, pPort=0x80809598, pGC=0x80b74650, src_x=0, src_y=0, src_w=768, src_h=576, drw_x=267, drw_y=0, drw_w=1386, drw_h=1040, image=0xb6dd4bc0 <Images+256>, data=0xb084bfec <error: Cannot access memory at address 0xb084bfec>, sync=0, width=768, height=576) at ../../Xext/xvmain.c:673
    #5  0x80158f3c in ProcXvShmPutImage (client=0x80b5f860) at ../../Xext/xvdisp.c:1014
    #6  0x8015b59c in ProcXvDispatch (client=0x80b5f860) at ../../Xext/xvdisp.c:1201
    #7  0x800b2086 in Dispatch () at ../../dix/dispatch.c:432
    #8  0x800b626a in dix_main (argc=13, argv=0xbfc306e4, envp=0x802e7b1c <noPanoramiXExtension>) at ../../dix/main.c:296
    #9  0x8009ff2a in main (argc=13, argv=0xbfc306e4, envp=0xbfc3071c) at ../../dix/stubmain.c:34
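To make the wrap-around concrete, here is an added stand-alone C example (not code from the xserver tree or from the reporter) that puts the quoted bounds check beside an overflow-safe form of the check the report asks for. The ShmDesc struct, the constructed 1 MiB segment size and the 768x576 16bpp image size are assumptions for illustration; the unsigned 32-bit types mirror the i386 build in the backtrace, where the sum of the two request values can wrap modulo 2^32.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the shm descriptor field the check reads. */
typedef struct {
    uint32_t size;  /* byte length of the attached segment */
} ShmDesc;

/* The check as quoted from ProcXvShmPutImage: size_needed + offset can wrap
 * modulo 2^32, so a huge offset slips past the comparison.
 * Returns true when the request would be accepted. */
bool shm_check_naive(uint32_t size_needed, uint32_t offset, const ShmDesc *d)
{
    return (size_needed + offset) <= d->size;
}

/* Overflow-safe form: the offset must itself lie inside the segment, and the
 * image must fit in the bytes that remain after it. Subtracting instead of
 * adding means nothing can wrap. */
bool shm_check_safe(uint32_t size_needed, uint32_t offset, const ShmDesc *d)
{
    if (offset >= d->size)
        return false;
    return size_needed <= d->size - offset;
}

int main(void)
{
    ShmDesc seg = { .size = 1u << 20 };          /* constructed: 1 MiB segment */
    uint32_t img = 768u * 576u * 2u;             /* constructed: 16bpp 768x576 */
    uint32_t wrap = UINT32_MAX - 100u;           /* offset that makes the sum wrap */

    printf("naive, offset near UINT32_MAX: %s\n",
           shm_check_naive(img, wrap, &seg) ? "accepted" : "rejected");
    printf("safe,  offset near UINT32_MAX: %s\n",
           shm_check_safe(img, wrap, &seg) ? "accepted" : "rejected");
    return 0;
}
```

The naive form accepts the wrapped request because 884736 + 4294967195 reduces to 884635, which is below the segment size; the safe form rejects it on the offset test alone, while still accepting an in-range offset with a fitting image.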
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/507.