Commit 9e4abe74 authored by Alan Coopersmith's avatar Alan Coopersmith

XRRGetProviderInfo returned bad associated_capability list in 64-bit

Unlike most of the values returned by this function, which are arrays
of XIDs (long int), associated_capability is defined as an array of
unsigned int.   _XRead32 reads 32-bit values from the wire protocol
and writes them to the provided buffer as an array of long ints, even
if that means expanding them from 32-bit to 64-bit.   Doing that for
associated_capability resulted in a garbage value between each actual
value, and overflowing the provided buffer into the space for the
provider name (which is written later and would overwrite the overflowed

Created xhiv libXrandr/XRRGetProviderInfo test case to test & confirm.
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <>
Reviewed-by: default avatarDave Airlie <>
parent f97d44f8
......@@ -156,7 +156,16 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
_XRead32(dpy, xpi->outputs, rep.nOutputs << 2);
_XRead32(dpy, xpi->associated_providers, rep.nAssociatedProviders << 2);
_XRead32(dpy, xpi->associated_capability, rep.nAssociatedProviders << 2);
* _XRead32 reads a series of 32-bit values from the protocol and writes
* them out as a series of "long int" values, but associated_capability
* is defined as unsigned int *, so that won't work for this array.
* Instead we assume for now that "unsigned int" is also 32-bits, so
* the values can be read without any conversion.
_XRead(dpy, (char *) xpi->associated_capability,
rep.nAssociatedProviders << 2);
_XReadPad(dpy, xpi->name, rep.nameLength);
xpi->name[rep.nameLength] = '\0';
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment