subject:"\[Intel\-gfx\] \[PATCH i\-g\-t 4\/5\] lib\/igt_kms\: Fix memory corruption when there's no cursor plane"

Re: [Intel-gfx] [PATCH i-g-t 4/5] lib/igt_kms: Fix memory corruption when there's no cursor plane

2017-02-19 Thread Robert Foss




On 2017-02-17 12:54 PM, Brian Starkey wrote:

The dynamic plane support means that if there's no cursor plane, then
there is no space in the pipe->planes array for it, and thus assigning
a "drm_plane-less" plane is out-of-bounds and leads to heap corruption
and later crashes.

The "drm_plane-less" cursor plane isn't included in n_planes anyway,
which means there's no way to ever access it/know that it's there - so
just remove it entirely.


Nice catch!

Reviewed-by: Robert Foss 


Rob.



Fixes: 36656239ef96 lib/igt_kms: Implement dynamic plane count support
Signed-off-by: Brian Starkey 
---
 lib/igt_kms.c |6 --
 1 file changed, 6 deletions(-)

diff --git a/lib/igt_kms.c b/lib/igt_kms.c
index 45c90c71f301..ef7bfd1a8108 100644
--- a/lib/igt_kms.c
+++ b/lib/igt_kms.c
@@ -1837,12 +1837,6 @@ void igt_display_init(igt_display_t *display, int drm_fd)
memset(&pipe->planes[last_plane], 0,
   sizeof *plane);
}
-   } else {
-   /* Add drm_plane-less cursor */
-   plane = &pipe->planes[p];
-   plane->pipe = pipe;
-   plane->index = p;
-   plane->type = DRM_PLANE_TYPE_CURSOR;
}

pipe->n_planes = n_planes;


___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

[Intel-gfx] [PATCH i-g-t 4/5] lib/igt_kms: Fix memory corruption when there's no cursor plane

2017-02-17 Thread Brian Starkey

The dynamic plane support means that if there's no cursor plane, then
there is no space in the pipe->planes array for it, and thus assigning
a "drm_plane-less" plane is out-of-bounds and leads to heap corruption
and later crashes.

The "drm_plane-less" cursor plane isn't included in n_planes anyway,
which means there's no way to ever access it/know that it's there - so
just remove it entirely.

Fixes: 36656239ef96 lib/igt_kms: Implement dynamic plane count support
Signed-off-by: Brian Starkey 
---
 lib/igt_kms.c |6 --
 1 file changed, 6 deletions(-)

diff --git a/lib/igt_kms.c b/lib/igt_kms.c
index 45c90c71f301..ef7bfd1a8108 100644
--- a/lib/igt_kms.c
+++ b/lib/igt_kms.c
@@ -1837,12 +1837,6 @@ void igt_display_init(igt_display_t *display, int drm_fd)
memset(&pipe->planes[last_plane], 0,
   sizeof *plane);
}
-   } else {
-   /* Add drm_plane-less cursor */
-   plane = &pipe->planes[p];
-   plane->pipe = pipe;
-   plane->index = p;
-   plane->type = DRM_PLANE_TYPE_CURSOR;
}
 
pipe->n_planes = n_planes;
-- 
1.7.9.5

___
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [Intel-gfx] [PATCH i-g-t 4/5] lib/igt_kms: Fix memory corruption when there's no cursor plane

[Intel-gfx] [PATCH i-g-t 4/5] lib/igt_kms: Fix memory corruption when there's no cursor plane

2 matches

Site Navigation

Mail list logo

Footer information