Bug#615197: xserver-xorg-video-intel: Screen corruptions to due insufficient clipping

[Julien Cristau <jcristau@debian.org>]

On Sun, May 15, 2011 at 20:11:04 +0200, Thomas Richter wrote:

> I finally found the bug. It persists in 2.15.0. A patch for the bug
> is included.
> 
Thanks for your investigation.

> The bug is in uxa/uxa-accel.c, in the function uxa_fill_spans(). The
> problem is that the clipping performed in lines 180ff does not
> include a check for y2 of the clipped region. The fixed code reads
> as follows:
> 
> pbox = REGION_RECTS(pClip);
> while (nbox--) {
> 	if (pbox->y1 > fullY1)
> 		break;
> 	if (pbox->y1 <= fullY1 && pbox->y2 > fullY1 /*<--bug here */ ) {
> 		partX1 = pbox->x1;
> 		if (partX1 < fullX1)
> 			partX1 = fullX1;
> 
> 		partX2 = pbox->x2;
> 		if (partX2 > fullX2)
> 			partX2 = fullX2;
> 
> 		if (partX2 > partX1) {
> 			uxa_screen->info->composite(dst_pixmap,
> 					    0, 0, 0, 0,
> 					    partX1 + off_x,
> 					    fullY1 + off_y,
> 					    partX2 - partX1, 1);
> 		}
> 	}
> 	pbox++;
> }
> 
> The bug is the missing check of "fullY1" against the lower bottom of
> the clipping rectangle, pbox->y2.
> 
Asked upstream, one question for you:
21:16 < ickle> pbox->y2 < pbox->y1 is an invalid rect
21:18 < ickle> the previous line should be pbox->y1 >= fullY1 break
21:18 < ickle> can you ask if it appears to be just an off-by-one?

ie what are the values of pbox->y1 and pbox->y2?

Cheers,
Julien