Bug 52059

Summary: __indirect_glReadPixels USE_XCB path buffer overflow
Product: Mesa
Reporter: Julien Cristau <jcristau>
Component: GLX
Assignee: mesa-dev
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Keywords: patch
Version: 8.0
Hardware: Other
OS: All

Description Julien Cristau 2012-07-13 15:52:15 UTC
Hi,

it seems the USE_XCB path in indirect glReadPixels doesn't take the state set e.g. with glPixelStorei( GL_PACK_ALIGNMENT, 1 ) into account.  The non-xcb path uses __glEmptyImage, which does use these values; the xcb path does a plain memcpy which may overwrite the caller's buffer.
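To make the size mismatch described above concrete, here is an added example in C (not Mesa code): it computes the row stride the GLX reply uses against the row stride the client's GL_PACK_ALIGNMENT implies, shows how many bytes a plain memcpy of the reply would write past the caller's buffer, and repacks rows in the spirit of __glEmptyImage on a constructed 3x2 RGB8 sample. The 4-byte wire row padding and the names `row_stride`, `overflow_bytes`, `repack_rows` and `repack_demo` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Row stride in bytes when each row is padded to `align` bytes. */
static size_t row_stride(size_t width, size_t bpp, size_t align) {
    return (width * bpp + align - 1) / align * align;
}

/* Assumption: GLX reply data pads rows to 4 bytes, while the caller sized its
 * buffer for its own GL_PACK_ALIGNMENT. This is how many bytes a plain memcpy
 * of the reply would write past the caller's buffer (0 when layouts coincide). */
static size_t overflow_bytes(size_t width, size_t height, size_t bpp, size_t pack_align) {
    size_t wire = row_stride(width, bpp, 4) * height;
    size_t client = row_stride(width, bpp, pack_align) * height;
    return wire > client ? wire - client : 0;
}

/* State-aware copy in the spirit of __glEmptyImage: move each row from the
 * wire layout into the client's layout and refuse to write past dst_len.
 * Returns the bytes written, or 0 if either buffer is too small. */
static size_t repack_rows(const uint8_t *wire, size_t wire_len, uint8_t *dst, size_t dst_len,
                          size_t width, size_t height, size_t bpp, size_t pack_align) {
    size_t src_stride = row_stride(width, bpp, 4);
    size_t dst_stride = row_stride(width, bpp, pack_align);
    if (wire_len < src_stride * height || dst_len < dst_stride * height)
        return 0;
    for (size_t r = 0; r < height; r++)
        memcpy(dst + r * dst_stride, wire + r * src_stride, width * bpp);
    return dst_stride * height;
}

/* Constructed sample: a 3x2 RGB8 image (9-byte rows) with GL_PACK_ALIGNMENT 1.
 * The wire data is 24 bytes, the caller's buffer only 18. Returns 1 when the
 * repacked rows land where the client expects them and the guard byte is untouched. */
static int repack_demo(void) {
    uint8_t wire[24] = {0};
    for (size_t r = 0; r < 2; r++)
        for (size_t i = 0; i < 9; i++)
            wire[r * 12 + i] = (uint8_t)(r * 9 + i + 1);   /* pixels 1..18, pad bytes 0 */
    uint8_t dst[18 + 1] = {0};                             /* one guard byte after the image */
    size_t n = repack_rows(wire, sizeof wire, dst, 18, 3, 2, 3, 1);
    return n == 18 && dst[0] == 1 && dst[8] == 9 && dst[9] == 10 && dst[17] == 18 && dst[18] == 0;
}
```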
Comment 1 Julien Cristau 2012-07-13 16:23:32 UTC
As a PoC, the patch below seems to fix the crashes and valgrind complaints I'd been seeing.  A real fix would involve glX_proto_send.py.

diff --git a/src/glx/indirect.c b/src/glx/indirect.c
index a6b0c0d..ea0ccf2 100644
--- a/src/glx/indirect.c
+++ b/src/glx/indirect.c
@@ -3756,9 +3756,7 @@ __indirect_glReadPixels(GLint x, GLint y, GLsizei width, GLsizei height,
                                                           state->storePack.
                                                           swapEndian, 0),
                                       NULL);
-        (void) memcpy(pixels, xcb_glx_read_pixels_data(reply),
-                      xcb_glx_read_pixels_data_length(reply) *
-                      sizeof(GLvoid));
+        __glEmptyImage(gc, 3, width, height, 1, format, type, xcb_glx_read_pixels_data(reply), pixels);
         free(reply);
 #else
         GLubyte const *pc =
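Review bot: The new __glEmptyImage call on the `+` line no longer relates xcb_glx_read_pixels_data_length(reply) to the width x height x format/type image it will read, whereas the removed memcpy was at least bounded by the reply length; keep a check that the reply carries enough data for that image before unpacking it, since a short reply would otherwise be read past its end. As the comment above says, the change also needs to go through glX_proto_send.py rather than only indirect.c, and the added line is well over the file's line width and should be wrapped like the surrounding argument lists.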
Comment 3 Julien Cristau 2012-08-28 12:40:53 UTC
Fixed in master, commit ac889b24109ba0aec4f8c7f103d3c23e78c11a29
