
Bug#712545: xserver-xorg-core: Xorg crashes when displaying pictures



On 15.02.2014 at 22:53, Hilmar Preusse wrote:

> On 15.02.14 Sven Joachim (svenjoac@gmx.de) wrote:
>> On 15.02.2014 at 16:01, Hilmar Preusse wrote:
>
> Hi,
>
>> > He says, it is fixed latest in 1:1.0.10-1 (Debian testing).
>> 
>> Yes.  What I mean is that I cannot find anything in the commit logs of
>> xserver-xorg-nouveau which would explain this to me.
>> 
> The only one I found was the following from upstream changelog:
>
> commit 2fa3397e348161a3394e2b456f065921272a056a
> Author: Ilia Mirkin <imirkin@alum.mit.edu>
> Date:   Fri May 3 09:59:39 2013 -0400
>
>     nouveau_xv: Avoid reading off the end of the source image on NV50+
>     
>     The 'w' argument to NVCopyNV12ColorPlanes is used to index into the
>     source image. line_len is rounded up to 8 on NV50+, so if the source
>     image (+ left offset) is not rounded to 8, NVCopyNV12ColorPlanes could
>     read past the end of the array and crash X. This change can cause the
>     last few horizontal pixels of dst to not be initialized, but they
>     should be truncated by the renderer anyways.
>     
>     See https://bugs.freedesktop.org/show_bug.cgi?id=63263
>     
>     Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
>     Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
>
> No, I don't have an NV50+ card, but rather a NV40 card. Could you
> have a short look if my problem is related to this issue?

Probably not, but I'm not totally sure.  Here is the commit diff if you
want to try:

--8<---------------cut here---------------start------------->8---
diff --git a/src/nouveau_xv.c b/src/nouveau_xv.c
index f7dc2bc..8eafcf0 100644
--- a/src/nouveau_xv.c
+++ b/src/nouveau_xv.c
@@ -1095,7 +1095,7 @@ NVPutImage(ScrnInfoPtr pScrn, short src_x, short src_y, short drw_x,
 				NVCopyNV12ColorPlanes(buf + s2offset,
 						      buf + s3offset, dst,
 						      line_len, srcPitch2,
-						      nlines, line_len);
+						      nlines, npixels);
 			}
 		} else {
 			for (i = 0; i < nlines; i++) {
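Review bot: the changed last argument of this NVCopyNV12ColorPlanes call now differs from the fourth argument, which stays line_len, and nothing at the call site says why. A short comment that the last argument bounds reads from the source image, while line_len sits in the position the second call fills with dstPitch, would keep someone from "tidying" it back to line_len. The hunk also does not show how npixels is derived, so confirm it already accounts for the left offset the commit message mentions before relying on it as the read bound.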
@@ -1161,7 +1161,7 @@ CPU_copy:
 				NVCopyNV12ColorPlanes(buf + s2offset,
 						      buf + s3offset,
 						      map, dstPitch, srcPitch2,
-						      nlines, line_len);
+						      nlines, npixels);
 			}
 		} else {
 			/* YUY2 and RGB */
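Review bot: the CPU_copy call repeats the same one-argument fix as the earlier call, so the two copy paths can drift apart again; passing the width through one shared local or a small wrapper used by both calls would avoid that. The commit message also accepts that the last few horizontal pixels of the destination may stay uninitialized, and here the destination is map with stride dstPitch. Either clear the bytes between the copied width and dstPitch, or add a comment stating why stale buffer contents there are never displayed.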
--8<---------------cut here---------------end--------------->8---

Cheers,
       Sven
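
The over-read described in the quoted commit message, as an added C example that is not part of the original mail or of the nouveau driver. `copy_chroma_checked` and `run_case` are hypothetical names, and the tightly packed 20-pixel-wide image is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round up to a multiple of 8, as the commit message says line_len is on NV50+. */
static size_t round_up8(size_t n) { return (n + 7) & ~(size_t)7; }

/*
 * Hypothetical stand-in for a chroma-plane copy (not the driver's code):
 * interleaves w/2 bytes per line from each of two source planes into dst.
 * Returns 0 on success, -1 if the last line would read past plane_size.
 */
static int copy_chroma_checked(const uint8_t *p1, const uint8_t *p2,
                               size_t plane_size, size_t src_pitch,
                               uint8_t *dst, size_t dst_pitch,
                               size_t nlines, size_t w)
{
    size_t half = w / 2;
    if (nlines == 0)
        return 0;
    /* Furthest byte touched: start of the last line plus bytes read in it. */
    if ((nlines - 1) * src_pitch + half > plane_size)
        return -1;
    for (size_t y = 0; y < nlines; y++) {
        for (size_t x = 0; x < half; x++) {
            dst[y * dst_pitch + 2 * x]     = p1[y * src_pitch + x];
            dst[y * dst_pitch + 2 * x + 1] = p2[y * src_pitch + x];
        }
    }
    return 0;
}

/* Constructed case: 20-pixel-wide image, 2 chroma lines, tightly packed. */
static int run_case(int use_rounded_width)
{
    enum { NPIXELS = 20, NLINES = 2, PITCH = NPIXELS / 2 };
    uint8_t u[PITCH * NLINES] = {0}, v[PITCH * NLINES] = {0};
    uint8_t dst[24 * NLINES];
    size_t w = use_rounded_width ? round_up8(NPIXELS) : NPIXELS;
    return copy_chroma_checked(u, v, sizeof u, PITCH, dst, 24, NLINES, w);
}

int main(void)
{
    printf("w = npixels:  %d\n", run_case(0));
    printf("w = line_len: %d\n", run_case(1));
    return 0;
}
```

With the width rounded up to 24, the last line would read 12 bytes from a plane that has only 10 left, which is the condition the check rejects.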

