Bug 15964 - off by one error in hw/xfree86/ddc/edid.h / interpret_edid.c
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: Other All
Importance: medium minor
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Depends on:
Blocks: xorg-7.4
Reported: 2008-05-16 13:10 UTC by Török Edwin
Modified: 2008-05-27 04:51 UTC

Description Török Edwin 2008-05-16 13:10:49 UTC
In interpret_edid.c wp[2] is accessed from struct detailed_monitor_section, however it is declared as having only 2 elements.

Since it is part of a larger union, this is not a bounds violation, but either the declaration, or the code accessing it should be fixed.

hw/xfree86/ddc/edid.h has this struct declared:
struct detailed_monitor_section {
  int type;
  union {
    struct detailed_timings d_timings;  /* 56 */
    Uchar serial[13];
    Uchar ascii_data[13];
    Uchar name[13];
    struct monitor_ranges ranges;       /* 56 */
    struct std_timings std_t[5];        /* 80 */
    struct whitePoints wp[2];           /* 32 */
    /* color management data */
    struct cvt_timings cvt[4];          /* 64 */
    /* established timings III */
  } section;                            /* max: 80 */
};

where the member wp is declared as an array having 2 elements,
however interpret_edid.c:get_whitepoint_section() accesses the 3rd element:

wp[2].white_x = WHITEX2;

It is called from get_dt_md_section(): get_whitepoint_section(c,det_mon[i].section.wp);

This issue was found by a static analysis tool.

Comment 1 Peter Hutterer 2008-05-27 04:51:52 UTC
Pushed as 64677f6a167a5bee99e5dfb599a3c3a6fb5dffe7. Thanks for reporting.
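
Added example, not part of the original report or the X.Org source: a reduced model of the union that classifies an index into wp as inside the declared array, past the array but still inside the union's storage (the wp[2] case in the report), or outside the union, and shows a count-checked writer. The field layout of struct whitePoints, the raw[80] stand-in member, and the names section_model, classify_wp_index and set_white_x are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char Uchar;

/* Assumed layout: 16 bytes per entry, consistent with the report's 32 for wp[2]. */
struct whitePoints { int index; float white_x, white_y, white_gamma; };

/* Reduced model of detailed_monitor_section: raw[80] stands in for the
 * largest union member ("max: 80"); the other members are omitted. */
struct section_model {
    int type;
    union {
        Uchar raw[80];
        struct whitePoints wp[2];
    } section;
};

enum wp_access { WP_IN_ARRAY, WP_PAST_ARRAY_IN_UNION, WP_OUTSIDE_UNION };

/* Element count taken from the declaration itself (sizeof is unevaluated). */
#define WP_COUNT (sizeof(((struct section_model *)0)->section.wp) / sizeof(struct whitePoints))
/* How many whitePoints-sized slots fit in the whole union. */
#define WP_SLOTS (sizeof(((struct section_model *)0)->section) / sizeof(struct whitePoints))

/* Classify an index from sizes only; nothing is dereferenced. */
enum wp_access classify_wp_index(size_t i)
{
    if (i < WP_COUNT)
        return WP_IN_ARRAY;
    if (i < WP_SLOTS)
        return WP_PAST_ARRAY_IN_UNION;  /* lands in union storage, still out of bounds for wp */
    return WP_OUTSIDE_UNION;
}

/* Hypothetical guarded writer: the caller passes the element count,
 * so an index past the declared array is rejected instead of written. */
int set_white_x(struct whitePoints *wp, size_t count, size_t i, float x)
{
    if (wp == NULL || i >= count)
        return -1;
    wp[i].white_x = x;
    return 0;
}

int main(void)
{
    struct section_model m = {0};
    printf("wp[2] class: %d\n", (int)classify_wp_index(2));
    printf("guarded write to wp[2]: %d\n", set_white_x(m.section.wp, WP_COUNT, 2, 0.3f));
    return 0;
}
```

Indexing past the declared bound is undefined behaviour in C even when the bytes belong to the enclosing union, which is why static analysers and bounds sanitizers report it.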
