Commit 9e4abe74 authored by Alan Coopersmith's avatar Alan Coopersmith

XRRGetProviderInfo returned bad associated_capability list in 64-bit

Unlike most of the values returned by this function, which are arrays
of XIDs (long int), associated_capability is defined as an array of
unsigned int.   _XRead32 reads 32-bit values from the wire protocol
and writes them to the provided buffer as an array of long ints, even
if that means expanding them from 32-bit to 64-bit.   Doing that for
associated_capability resulted in a garbage value between each actual
value, and overflowing the provided buffer into the space for the
provider name (which is written later and would overwrite the overflowed
data).

Created xhiv libXrandr/XRRGetProviderInfo test case to test & confirm.
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: default avatarDave Airlie <airlied@redhat.com>
parent f97d44f8
......@@ -156,7 +156,16 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
_XRead32(dpy, xpi->outputs, rep.nOutputs << 2);
_XRead32(dpy, xpi->associated_providers, rep.nAssociatedProviders << 2);
_XRead32(dpy, xpi->associated_capability, rep.nAssociatedProviders << 2);
/*
* _XRead32 reads a series of 32-bit values from the protocol and writes
* them out as a series of "long int" values, but associated_capability
* is defined as unsigned int *, so that won't work for this array.
* Instead we assume for now that "unsigned int" is also 32-bits, so
* the values can be read without any conversion.
*/
_XRead(dpy, (char *) xpi->associated_capability,
rep.nAssociatedProviders << 2);
_XReadPad(dpy, xpi->name, rep.nameLength);
xpi->name[rep.nameLength] = '\0';
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment