xserver/hw/modes: compat_output bad dereference. The commit 37d956e3ac9513b74078882dff489f9b0a7a5a28 into xserver/hw/modes/xf86Crtc.c xf86CrtcConfigInit() initializes
config->compat_output = -1; So an unset compat_output is now invalid, a good property since the previous initial compat_output == 0 is not guaranteed available. It usually is available because a driver first calls xf86OutputCreate() followed by xf86InitialConfiguration(). This change exposes a bug. During initial configuration a monitor detection is attempted and if an EDID block is available the driver calls xf86OutputSetEDID(). There a bad dereference occurs: xf86InitialConfiguration(ScrnInfoPtr scrn, Bool canGrow) -> xf86ProbeOutputModes(scrn, width, height); --> output_modes = (*output->funcs->get_modes) (output); ---> xf86OutputSetEDID(xf86OutputPtr output, xf86MonPtr edid_mon) ----> if (output == xf86CompatOutput(scrn)) XX now bad dereference -----> return config->output[config->compat_output]; ----> xf86SetDDCproperties(scrn, edid_mon); XX for screen monitor -> xf86SetScrnInfoModes(scrn); --> output = SetCompatOutput(config); XX sets compat_output ---> config->compat_output = compat; Hence previously the screen monitor properties were always copied from output 0 since compat_output is only set at the end of the function. The suggestion > If there is no compat output, config->compat_output is -1 and xf86CompatOutput > reads before the beginning of the outputs array. > Signed-off-by: Aaron Plattner <aplatt...@nvidia.com> > diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h > index 802303f..1ac8485 100644 > --- a/hw/xfree86/modes/xf86Crtc.h > +++ b/hw/xfree86/modes/xf86Crtc.h > @@ -731,6 +731,8 @@ xf86CompatOutput(ScrnInfoPtr pScrn) > { > xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(pScrn); > > + if (config->compat_output < 0) > + return NULL; > return config->output[config->compat_output]; > } Tested-by: Servaas Vandenberghe avoids the bad dereference. _______________________________________________ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel