| Summary: |
off by one error in hw/xfree86/ddc/edid.h / interpret_edid.c |
| Product: |
xorg
|
Reporter: |
Török Edwin <edwin+bugs> |
| Component: |
Server/General | Assignee: |
Xorg Project Team <xorg-team> |
| Status: |
RESOLVED
FIXED
|
QA Contact: |
Xorg Project Team <xorg-team> |
| Severity: |
minor
|
|
|
| Priority: |
medium
|
|
|
| Version: |
git | |
|
| Hardware: |
Other | |
|
| OS: |
All | |
|
| Whiteboard: |
|
|
i915 platform:
|
|
i915 features:
|
|
|---|
| Bug Depends on: |
|
|
|
| Bug Blocks: |
10101
|
|
|
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
In interpret_edid.c wp[2] is accessed from struct detailed_monitor_section, however it is declared as having only 2 elements. Since it is part of a larger union, this is not a bounds violation, but either the declaration, or the code accessing it should be fixed. hw/xfree86/ddc/edid.h has this struct declared: struct detailed_monitor_section { int type; union { struct detailed_timings d_timings; /* 56 */ Uchar serial[13]; Uchar ascii_data[13]; Uchar name[13]; struct monitor_ranges ranges; /* 56 */ struct std_timings std_t[5]; /* 80 */ struct whitePoints wp[2]; /* 32 */ /* color management data */ struct cvt_timings cvt[4]; /* 64 */ /* established timings III */ } section; /* max: 80 */ }; where the member wp is declared as an array having 2 elements, however interpret_edid.c:get_white_point_section() accesses the 3rd element: wp[2].white_x = WHITEX2; It is called from get_dt_md_section(): get_whitepoint_section(c,det_mon[i].section.wp); This issue was found by a static analysis tool.