Bug 52059 - __indirect_glReadPixels USE_XCB path buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Mesa
Classification: Unclassified
Component: GLX
Version: 8.0
Hardware: Other All
Importance: medium normal
Assignee: mesa-dev
Keywords: patch
Reported: 2012-07-13 15:52 UTC by Julien Cristau
Modified: 2012-08-28 12:40 UTC

Description Julien Cristau 2012-07-13 15:52:15 UTC
Hi,

it seems the USE_XCB path in indirect glReadPixels doesn't take the state set e.g. with glPixelStorei(GL_PACK_ALIGNMENT, 1) into account. The non-xcb path uses __glEmptyImage, which does use these values; the xcb path does a plain memcpy, which may overwrite the caller's buffer.
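
The size mismatch described above, as an added C example that is not Mesa's code and not part of the original report: it unpacks a reply row by row using the caller's pack alignment and refuses to copy when either buffer is too small. The 4-byte wire alignment and the names `row_stride`, `image_size` and `unpack_reply` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIRE_ALIGNMENT 4 /* assumption: reply rows are padded to 4 bytes */

/* Bytes from the start of one row to the start of the next. */
size_t row_stride(size_t row_bytes, size_t alignment)
{
    return (row_bytes + alignment - 1) / alignment * alignment;
}

/* Bytes an image occupies: full strides for all rows but the last. */
size_t image_size(size_t row_bytes, size_t height, size_t alignment)
{
    if (row_bytes == 0 || height == 0) return 0;
    return row_stride(row_bytes, alignment) * (height - 1) + row_bytes;
}

/* Copy `height` rows from a wire-format reply into the caller's buffer,
 * honouring the caller's pack alignment. Returns 0 on success, -1 when the
 * arguments are invalid or either buffer is smaller than the geometry needs. */
int unpack_reply(unsigned char *dst, size_t dst_size, size_t pack_alignment,
                 const unsigned char *src, size_t src_len,
                 size_t width, size_t height, size_t bytes_per_pixel)
{
    if (pack_alignment == 0 || pack_alignment > 8 ||
        (pack_alignment & (pack_alignment - 1))) return -1;
    if (width && bytes_per_pixel > SIZE_MAX / width) return -1;
    size_t row_bytes = width * bytes_per_pixel;
    if (height && (SIZE_MAX / height < 8 || row_bytes > SIZE_MAX / height - 8))
        return -1; /* stride * height would overflow */
    if (image_size(row_bytes, height, WIRE_ALIGNMENT) > src_len) return -1;
    if (image_size(row_bytes, height, pack_alignment) > dst_size) return -1;
    for (size_t r = 0; r < height; r++)
        memcpy(dst + r * row_stride(row_bytes, pack_alignment),
               src + r * row_stride(row_bytes, WIRE_ALIGNMENT), row_bytes);
    return 0;
}

int main(void)
{
    /* Constructed case: 3x2 RGB bytes, GL_PACK_ALIGNMENT 1 -> 18-byte buffer. */
    unsigned char reply[24] = {0}, pixels[18];
    printf("reply %zu bytes, caller buffer %zu bytes\n",
           sizeof reply, image_size(9, 2, 1));
    return unpack_reply(pixels, sizeof pixels, 1, reply, sizeof reply, 3, 2, 3);
}
```

In the constructed case a flat copy of the 24-byte reply would write 6 bytes past the 18-byte caller buffer; the row-wise copy writes exactly 18.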
Comment 1 Julien Cristau 2012-07-13 16:23:32 UTC
As a PoC, the patch below seems to fix the crashes and valgrind complaints I'd been seeing. A real fix would involve glX_proto_send.py.

diff --git a/src/glx/indirect.c b/src/glx/indirect.c
index a6b0c0d..ea0ccf2 100644
--- a/src/glx/indirect.c
+++ b/src/glx/indirect.c
@@ -3756,9 +3756,7 @@ __indirect_glReadPixels(GLint x, GLint y, GLsizei width, GLsizei height,
                                                           state->storePack.
                                                           swapEndian, 0),
                                       NULL);
-        (void) memcpy(pixels, xcb_glx_read_pixels_data(reply),
-                      xcb_glx_read_pixels_data_length(reply) *
-                      sizeof(GLvoid));
+        __glEmptyImage(gc, 3, width, height, 1, format, type, xcb_glx_read_pixels_data(reply), pixels);
         free(reply);
 #else
         GLubyte const *pc =
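
Review bot: The added __glEmptyImage(...) line no longer consults the reply length. The removed memcpy was bounded by xcb_glx_read_pixels_data_length(reply), whereas the new call is given only width, height, format and type, so nothing in this hunk checks that the reply actually contains as much data as that geometry implies. reply is also passed to xcb_glx_read_pixels_data() with no NULL check between the reply call and its use. Suggest testing reply for NULL and comparing the expected image size against xcb_glx_read_pixels_data_length(reply) before unpacking, and skipping the unpack when the reply is short. As a style point, the new line is far wider than the surrounding code and should be wrapped, and the bare literals 3 and 1 deserve a brief comment saying what they stand for.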
Comment 3 Julien Cristau 2012-08-28 12:40:53 UTC
Fixed in master, commit ac889b24109ba0aec4f8c7f103d3c23e78c11a29