    xfree86: Avoid crash in xf86RandR12CrtcSetGamma() memcpy path. · 966f5674
    Mario Kleiner authored and Povilas Kanapickas committed
    If randrp->palette_size is zero, the memcpy() path can read past the
    end of the randr_crtc's gammaRed/Green/Blue tables if the hw crtc's
    gamma_size is greater than the randr_crtc's gammaSize.
    
    Avoid this by clamping the to-be-copied size to the smaller of both
    sizes.
    
    Note that during regular server startup, the memcpy() path is only
    taken initially twice, but then a suitable palette is created for
    use during a session. Therefore during an actual running X-Session,
    the xf86RandR12CrtcComputeGamma() will be used, which makes sure that
    data is properly up- or down-sampled for mismatching source and
    target crtc gamma sizes.
    
    This should avoid reading past randr_crtc gamma memory for GPUs
    with big crtc->gamma_size, e.g., AMD/MALI/KOMEDA 4096 slots, or
    Intel Icelake and later with 262145 slots.
    
    Tested against modesetting-ddx and amdgpu-ddx under screen color
    depth 24 (8 bpc) and 30 (10 bpc) to make sure that clamping happens
    properly.
    
    This is an alternative fix for the one attempted in commit 617f591f.
    
    Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
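
The clamp described in the commit message, as an added example that is not the X server's own code. The struct layouts, `copy_gamma_clamped`, `check_clamp` and the 256-entry source table are assumptions made for illustration; 4096 is the hardware table size the message mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the hw crtc and randr_crtc gamma tables. */
struct hw_crtc    { int gamma_size; uint16_t *red, *green, *blue; };
struct randr_crtc { int gammaSize;  uint16_t *gammaRed, *gammaGreen, *gammaBlue; };

/* Copy min(hw->gamma_size, rr->gammaSize) entries per channel. Copying
 * hw->gamma_size entries unconditionally would read past the randr tables
 * whenever the hw table is the larger one. Returns entries copied. */
static int copy_gamma_clamped(struct hw_crtc *hw, const struct randr_crtc *rr)
{
    int n = hw->gamma_size < rr->gammaSize ? hw->gamma_size : rr->gammaSize;
    if (n <= 0) return 0;
    size_t bytes = (size_t)n * sizeof(uint16_t);
    memcpy(hw->red, rr->gammaRed, bytes);
    memcpy(hw->green, rr->gammaGreen, bytes);
    memcpy(hw->blue, rr->gammaBlue, bytes);
    return n;
}

/* Constructed check: one shared source ramp, destination prefilled with a
 * sentinel. Returns entries copied, or -1 if the copy was wrong. */
static int check_clamp(int hw_size, int rr_size)
{
    size_t stride = (size_t)hw_size + 1;
    uint16_t *src = calloc((size_t)rr_size + 1, sizeof *src);
    uint16_t *dst = malloc(3 * stride * sizeof *dst);
    if (!src || !dst) { free(src); free(dst); return -1; }
    for (int i = 0; i < rr_size; i++)
        src[i] = (uint16_t)(i * 65535L / (rr_size > 1 ? rr_size - 1 : 1));
    memset(dst, 0xAB, 3 * stride * sizeof *dst);
    struct randr_crtc rr = { rr_size, src, src, src };
    struct hw_crtc hw = { hw_size, dst, dst + stride, dst + 2 * stride };
    int n = copy_gamma_clamped(&hw, &rr), ok = 1;
    for (int i = 0; i < hw_size; i++) {
        /* Copied entries match the source; the rest keep the sentinel. */
        uint16_t want = i < n ? src[i] : 0xABAB;
        ok &= hw.red[i] == want && hw.green[i] == want && hw.blue[i] == want;
    }
    free(src); free(dst);
    return ok ? n : -1;
}

int main(void)
{
    printf("hw 4096, randr 256: copied %d\n", check_clamp(4096, 256));
    return 0;
}
```

Building this with AddressSanitizer and swapping the clamp for an unconditional `hw->gamma_size` copy reports the heap over-read the commit message describes.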