Bug 30159 - hw/xfree86/vbe/vbe.c off-by-one error
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Adam Jackson
QA Contact: Xorg Project Team
Keywords: patch
Duplicates: 30585
Depends on:
Blocks: xserver-1.9
Reported: 2010-09-13 01:53 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2010-10-05 16:06 UTC

xorg-server-1.9-fix-VbeModeInfoBlock-memcpy.patch (1.32 KB, patch)
2010-09-13 01:53 UTC, Chí-Thanh Christopher Nguyễn

Description Chí-Thanh Christopher Nguyễn 2010-09-13 01:53:15 UTC
Created attachment 38667

Originally reported as https://bugs.gentoo.org/show_bug.cgi?id=337020

GCC since 4.5 produces a warning in hw/xfree86/vbe/vbe.c
In file included from /usr/include/string.h:642:0,
                 from vbe.c:16:
In function ‘memcpy’,
    inlined from ‘VBEGetModeInfo’ at vbe.c:589:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
In function ‘memcpy’,
    inlined from ‘VBEGetModeInfo’ at vbe.c:592:8:
/usr/include/bits/string3.h:52:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer
The cause is apparently an off-by-one error in the vbe.c memcpy call. The attached patch was submitted in https://bugs.gentoo.org/show_bug.cgi?id=337020#c9 .
Comment 1 Alan Coopersmith 2010-09-13 07:30:43 UTC
xorg-server patches are only applied after they are submitted to the
xorg-devel mailing list and reviewed there. Please see the instructions
on http://www.x.org/wiki/Development/Documentation/SubmittingPatches
Comment 2 Alexandre Rostovtsev 2010-09-14 08:48:49 UTC
(In reply to comment #1)

OK, I've submitted the patch by email: http://lists.x.org/archives/xorg-devel/2010-September/012920.html
Comment 3 Alan Coopersmith 2010-10-03 09:10:02 UTC
*** Bug 30585 has been marked as a duplicate of this bug. ***
Comment 4 Alan Coopersmith 2010-10-03 09:13:02 UTC
Comment on attachment 38667

ajax proposed a revised patch that simplifies the code to solve the problem:
Comment 5 Frank Mehnert 2010-10-05 00:31:20 UTC
Still not right! VbeModeInfoBlock has a length of 255 bytes not 256.
Comment 6 Frank Mehnert 2010-10-05 01:19:13 UTC
I believe the correct fix is to change the structure definition to define reserved to have a size of 190 not 189 as the VBE spec defines 256 bytes of data.
Comment 7 Jesse Adkins 2010-10-05 16:06:36 UTC
This was fixed in xserver master today. Closing.
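
Added example (not part of the bug report and not code from the xserver tree): the size mismatch raised in comments 5 and 6, with a compile-time size guard and a copy that refuses mismatched lengths. The struct and function names are hypothetical stand-ins; only the sizes 255, 256, 189 and 190 come from the thread, and the 66-byte `fields` array is simply 255 - 189.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VBE_BLOCK_LEN 256u  /* block size the VBE spec defines (comment 6) */
#define FIELDS_LEN     66u  /* 255 - 189: bytes before the reserved padding */

/* Hypothetical stand-in for the layout in comments 5 and 6: 255 bytes. */
struct mode_info_short {
    uint8_t fields[FIELDS_LEN];
    uint8_t reserved[189];
};

/* Hypothetical stand-in after the change proposed in comment 6: 256 bytes. */
struct mode_info_fixed {
    uint8_t fields[FIELDS_LEN];
    uint8_t reserved[190];
};

/* Compile-time guard: the build breaks if the struct drifts from the spec. */
_Static_assert(sizeof(struct mode_info_fixed) == VBE_BLOCK_LEN,
               "mode info struct must be exactly 256 bytes");

/* Bytes a full-block copy would write past a destination of dst_size. */
size_t overflow_bytes(size_t dst_size)
{
    return dst_size < VBE_BLOCK_LEN ? VBE_BLOCK_LEN - dst_size : 0;
}

/* Copy only when both sizes agree; returns 0 on success, -1 otherwise. */
int copy_mode_info(void *dst, size_t dst_size, const void *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size != src_len)
        return -1;          /* nothing is written on a mismatch */
    memcpy(dst, src, dst_size);
    return 0;
}

int main(void)
{
    uint8_t bios_block[VBE_BLOCK_LEN];  /* constructed sample input */
    struct mode_info_short s;
    struct mode_info_fixed f;
    memset(bios_block, 0xAB, sizeof bios_block);
    printf("short: %zu over, copy=%d\n", overflow_bytes(sizeof s),
           copy_mode_info(&s, sizeof s, bios_block, sizeof bios_block));
    printf("fixed: %zu over, copy=%d\n", overflow_bytes(sizeof f),
           copy_mode_info(&f, sizeof f, bios_block, sizeof bios_block));
    return 0;
}
```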
