On Tue, Apr 1, 2014 at 8:36 PM, <[email protected]> wrote: > From: Dominik Behr <[email protected]> > > When setting crtc->gamma_size to randr_crtc->gammaSize we should > use randr_crtc->gammaSize to allocate new gamma table in crtc. > Currently, if randr_crtc->gammaSize > crtc->gammaSize the subsequent > memcpy will overwrite memory beyond the end of gamma table. > > Signed-off-by: Dominik Behr <[email protected]> > Reviewed-by: Stéphane Marchesin <[email protected]>
> --- > hw/xfree86/modes/xf86RandR12.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/hw/xfree86/modes/xf86RandR12.c > b/hw/xfree86/modes/xf86RandR12.c > index 66139dc..8a04dfc 100644 > --- a/hw/xfree86/modes/xf86RandR12.c > +++ b/hw/xfree86/modes/xf86RandR12.c > @@ -1256,12 +1256,13 @@ xf86RandR12CrtcSetGamma(ScreenPtr pScreen, > RRCrtcPtr randr_crtc) > CARD16 *tmp_ptr; > > tmp_ptr = > - realloc(crtc->gamma_red, 3 * crtc->gamma_size * > sizeof(CARD16)); > + realloc(crtc->gamma_red, > + 3 * randr_crtc->gammaSize * sizeof(CARD16)); > if (!tmp_ptr) > return FALSE; > crtc->gamma_red = tmp_ptr; > - crtc->gamma_green = crtc->gamma_red + crtc->gamma_size; > - crtc->gamma_blue = crtc->gamma_green + crtc->gamma_size; > + crtc->gamma_green = crtc->gamma_red + randr_crtc->gammaSize; > + crtc->gamma_blue = crtc->gamma_green + randr_crtc->gammaSize; > } > > crtc->gamma_size = randr_crtc->gammaSize; > -- > 1.9.1.423.g4596e3a > > _______________________________________________ > [email protected]: X.Org development > Archives: http://lists.x.org/archives/xorg-devel > Info: http://lists.x.org/mailman/listinfo/xorg-devel >
_______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
