    xfree86: Avoid crash in xf86RandR12CrtcSetGamma() memcpy path. · 966f5674
    Mario Kleiner authored and Povilas Kanapickas committed
    If randrp->palette_size is zero, the memcpy() path can read past the
    end of the randr_crtc's gammaRed/Green/Blue tables if the hw crtc's
    gamma_size is greater than the randr_crtc's gammaSize.
    Avoid this by clamping the to-be-copied size to the smaller of both
    Note that during regular server startup, the memcpy() path is only
    taken initially twice, but then a suitable palette is created for
    use during a session. Therefore during an actual running X-Session,
    the xf86RandR12CrtcComputeGamma() will be used, which makes sure that
    data is properly up- or down-sampled for mismatching source and
    target crtc gamma sizes.
    This should avoid reading past randr_crtc gamma memory for GPUs
    with big crtc->gamma_size, e.g., AMD/MALI/KOMEDA 4096 slots, or
    Intel Icelake and later with 262145 slots.
    Tested against modesetting-ddx and amdgpu-ddx under screen color
    depth 24 (8 bpc) and 30 (10 bpc) to make sure that clamping happens
    This is an alternative fix for the one attempted in commit
    Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
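The clamp described in the commit message, as an added stand-alone illustration; it is not the X server's code and not part of this commit. The struct layouts, `copy_gamma_clamped` and `demo_small_source_large_target` are hypothetical names, the 256-entry source is a constructed input, and leaving the hardware slots beyond the copied count untouched is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two tables named in the commit message;
 * these are not the X server's real structures. */
struct src_crtc { int gammaSize;  uint16_t *gammaRed, *gammaGreen, *gammaBlue; };
struct hw_crtc  { int gamma_size; uint16_t *gamma_red, *gamma_green, *gamma_blue; };

/* Copy the source ramps into the hardware ramps, reading no more entries
 * than the source holds and writing no more than the target holds.
 * Returns the number of entries copied per channel. */
static int copy_gamma_clamped(const struct src_crtc *src, struct hw_crtc *hw)
{
    int n = src->gammaSize < hw->gamma_size ? src->gammaSize : hw->gamma_size;
    if (n <= 0)
        return 0;
    size_t bytes = (size_t)n * sizeof(uint16_t);
    memcpy(hw->gamma_red,   src->gammaRed,   bytes);
    memcpy(hw->gamma_green, src->gammaGreen, bytes);
    memcpy(hw->gamma_blue,  src->gammaBlue,  bytes);
    return n;
}

/* Constructed case: 256-entry source, 4096-slot hardware table. The source
 * is heap-allocated at its exact size, so an unclamped copy of gamma_size
 * entries would read past it. Returns entries copied, or -1 on failure. */
static int demo_small_source_large_target(void)
{
    enum { SRC = 256, HW = 4096 };
    uint16_t *s = malloc(SRC * sizeof *s);
    uint16_t *d = malloc(HW * sizeof *d);
    if (!s || !d) { free(s); free(d); return -1; }
    for (int i = 0; i < SRC; i++)
        s[i] = (uint16_t)(i * 257);          /* linear 16-bit ramp */
    memset(d, 0xAA, HW * sizeof *d);         /* sentinel: 0xAAAA per entry */
    struct src_crtc src = { SRC, s, s, s };  /* one buffer reused per channel */
    struct hw_crtc  hw  = { HW,  d, d, d };
    int n = copy_gamma_clamped(&src, &hw);
    /* Copied range matches the source; the tail keeps its sentinel. */
    int ok = n == SRC && memcmp(d, s, SRC * sizeof *s) == 0
             && d[SRC] == 0xAAAA && d[HW - 1] == 0xAAAA;
    free(s);
    free(d);
    return ok ? n : -1;
}

int main(void) { return demo_small_source_large_target() == 256 ? 0 : 1; }
```

Building this with AddressSanitizer and replacing `n` with `hw->gamma_size` in the `memcpy()` calls reports the heap over-read that the clamp prevents.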