From 9e4abe746786f0f632d1f82f99fe0c6b8ffedf9e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sun, 30 Jun 2013 16:52:59 -0700
Subject: XRRGetProviderInfo returned bad associated_capability list in 64-bit
Unlike most of the values returned by this function, which are arrays of XIDs (long int), associated_capability is defined as an array of unsigned int. _XRead32 reads 32-bit values from the wire protocol and writes them to the provided buffer as an array of long ints, even if that means expanding them from 32-bit to 64-bit. Doing that for associated_capability resulted in a garbage value between each actual value, and overflowing the provided buffer into the space for the provider name (which is written later and would overwrite the overflowed data). Created xhiv libXrandr/XRRGetProviderInfo test case to test & confirm.
Signed-off-by: Alan Coopersmith
Reviewed-by: Dave Airlie
---
 src/XrrProvider.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/XrrProvider.c b/src/XrrProvider.c
index 309e321..014ddd9 100644
--- a/src/XrrProvider.c
+++ b/src/XrrProvider.c
@@ -156,7 +156,16 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
 _XRead32(dpy, xpi->outputs, rep.nOutputs << 2);
 _XRead32(dpy, xpi->associated_providers, rep.nAssociatedProviders << 2);
- _XRead32(dpy, xpi->associated_capability, rep.nAssociatedProviders << 2);
+
+ /*
+ * _XRead32 reads a series of 32-bit values from the protocol and writes
+ * them out as a series of "long int" values, but associated_capability
+ * is defined as unsigned int *, so that won't work for this array.
+ * Instead we assume for now that "unsigned int" is also 32-bits, so
+ * the values can be read without any conversion.
+ */
+ _XRead(dpy, (char *) xpi->associated_capability,
+ rep.nAssociatedProviders << 2);
 _XReadPad(dpy, xpi->name, rep.nameLength);
 xpi->name[rep.nameLength] = '\0';
--
cgit v1.2.3
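Review bot: The 32-bit assumption behind the new `_XRead` call is enforced only by the comment, so a platform where `unsigned int` is not 4 bytes would bring back the same kind of size disagreement this commit fixes: `rep.nAssociatedProviders << 2` bytes are written into an `unsigned int` array whatever `sizeof(unsigned int)` is. A compile-time check next to the call, for example `typedef char assert_uint_is_32bit[(sizeof(unsigned int) == 4) ? 1 : -1];`, would turn the assumption into a build failure instead of a silent over- or under-fill. The allocation that sizes `associated_capability` and `name` is outside this hunk, so it is worth confirming that it reserves `rep.nAssociatedProviders * sizeof(unsigned int)` bytes and that the server-supplied counts and `rep.nameLength` are bounded before the shifts and the `xpi->name[rep.nameLength] = '\0'` store. XRRGetProviderInfo starts and ends outside the hunk.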