Bug 11053 - Buffer overflow in fbCopyArea()
Summary: Buffer overflow in fbCopyArea()
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: 7.3 (2007.09)
Hardware: All All
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Whiteboard: 2012BRB_Reviewed
Keywords: patch
Depends on:
Blocks: xserver-1.13
Reported: 2007-05-24 11:20 UTC by Sergey Svishchev
Modified: 2018-06-11 19:20 UTC (History)


proposed fix (474 bytes, patch)
2007-05-24 11:20 UTC, Sergey Svishchev

Description Sergey Svishchev 2007-05-24 11:20:17 UTC
"#ifdef FB_24_32BIT"'d code in fbCopyArea() doesn't check bit depth and may crash if source is 32-bit and destination is not 24-bit.  This happens for me every time I run xzgv in dual-screen configuration (screen 0 is 16-bit, screen 1 is 24-bit, and best visual for this configuration is 32-bit).
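As an added illustration (not the patch attached to this report and not the actual fb code), a hypothetical, simplified 32bpp-to-24bpp row copy: the depth check at the top of copy_32_to_24 is the kind of check the description says the FB_24_32BIT path lacks, and row_bytes shows why a 16bpp destination row cannot hold the 3 bytes per pixel that path writes. The names row_t, row_bytes, copy_32_to_24 and run_scenario and the little-endian XRGB layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified model of a 32bpp -> 24bpp row copy (not the
 * fb code). Pixels are assumed little-endian XRGB: bytes B,G,R,X. */
typedef struct {
    uint8_t *bits;    /* storage for one row */
    size_t   stride;  /* bytes available in that row */
    int      bpp;     /* drawable depth in bits per pixel: 16, 24 or 32 */
    int      width;   /* pixels in the row */
} row_t;

/* Bytes a row of `width` pixels occupies at `bpp`: a 24bpp writer emits
 * 3 * width bytes, while a 16bpp row only holds 2 * width. */
size_t row_bytes(int bpp, int width)
{
    return (size_t)(bpp / 8) * (size_t)width;
}

/* Copy the low three bytes of each 32bpp pixel into a 24bpp row.
 * Returns 0 on success; -1 (dst untouched) when the depths do not match
 * this path's assumption or the destination row is too short. */
int copy_32_to_24(const row_t *src, row_t *dst)
{
    if (src->bpp != 32 || dst->bpp != 24)
        return -1;  /* the depth check the report says is missing */
    if (dst->width < src->width || row_bytes(24, src->width) > dst->stride)
        return -1;  /* 3 * width bytes would run past the row */
    for (int x = 0; x < src->width; x++)
        memcpy(dst->bits + 3 * x, src->bits + 4 * x, 3);
    return 0;
}

/* Constructed scenario: two 32bpp source pixels copied into a row of the
 * given destination depth. Returns the copy result; `out` is inspected
 * by the caller (it stays all-zero when the copy is refused). */
int run_scenario(int dst_bpp, uint8_t out[8])
{
    uint8_t src_bits[8] = {0x33, 0x22, 0x11, 0x00, 0xcc, 0xbb, 0xaa, 0x00};
    row_t src = { src_bits, 8, 32, 2 };
    memset(out, 0, 8);
    /* row_bytes gives 6 bytes at 24bpp but only 4 at 16bpp */
    row_t dst = { out, row_bytes(dst_bpp, 2), dst_bpp, 2 };
    return copy_32_to_24(&src, &dst);
}
```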
Comment 1 Sergey Svishchev 2007-05-24 11:20:52 UTC
Created attachment 10083 [details] [review]
proposed fix
Comment 2 Sergey Svishchev 2007-11-16 00:03:12 UTC
7.3 has the same code.
Comment 3 Daniel Stone 2009-08-31 18:30:52 UTC
The whole 24_32 code seems so stunningly broken that I'm not sure we can even try to fix this for 1.7.  Pushing out to 7.6.
Comment 4 Corbin Simpson 2010-03-27 05:18:19 UTC
Tagging patch; will triage later.
Comment 5 Adam Jackson 2010-08-17 11:54:28 UTC
I really don't see this patch being correct at all.  If we ever hit this path there's a much more fundamental assumption being violated elsewhere.

I'd be interested to see a better backtrace from this case.
Comment 6 Sergey Svishchev 2010-08-17 13:30:04 UTC
I may still have the hardware that triggered this bug; will try to reproduce sometime later.
Comment 7 Jeremy Huddleston Sequoia 2011-04-11 14:09:25 UTC
This is not apparently affecting too many users, and fixing it would require more code change than I'd feel comfortable with in the stable branch.  Moving to the 1.11 tracker.
Comment 8 Adam Jackson 2018-06-11 19:20:48 UTC
This can't happen anymore now that 24bpp support is dead.