If randrp->palette_size is zero, the memcpy() path can read past the end of the randr_crtc's gammaRed/Green/Blue tables if the hw crtc's gamma_size is greater than the randr_crtc's gammaSize. Avoid this by clamping the to-be-copied size to the smaller of both sizes.

Note that during regular server startup, the memcpy() path is only taken initially twice, but then a suitable palette is created for use during a session. Therefore during an actual running X-Session, the xf86RandR12CrtcComputeGamma() will be used, which makes sure that data is properly up- or down-sampled for mismatching source and target crtc gamma sizes.

This should avoid reading past randr_crtc gamma memory for GPUs with big crtc->gamma_size, e.g., AMD/MALI/KOMEDA 4096 slots, or Intel Icelake and later with 262145 slots.

Tested against modesetting-ddx and amdgpu-ddx under screen color depth 24 (8 bpc) and 30 (10 bpc) to make sure that clamping happens properly.

This is an alternative fix for the one attempted in commit
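The clamping described in the commit message above, as an added example that is not the X server's own code: `struct gamma_lut`, `gamma_overread_bytes()`, `gamma_copy_clamped()` and `demo_copy()` are hypothetical names, and the 256-slot source table is a constructed input paired with the 4096-slot hardware size the message mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a per-channel gamma table (RandR side or hw side). */
struct gamma_lut {
    uint16_t *red, *green, *blue;
    size_t size;               /* number of slots per channel */
};

/* Bytes per channel that a memcpy sized by the hardware table alone
 * would read past the end of the source allocation. */
size_t gamma_overread_bytes(size_t src_size, size_t hw_size)
{
    return hw_size > src_size ? (hw_size - src_size) * sizeof(uint16_t) : 0;
}

/* Copy at most min(src->size, hw->size) slots per channel.
 * Returns the slot count copied; hw slots beyond that are left untouched. */
size_t gamma_copy_clamped(struct gamma_lut *hw, const struct gamma_lut *src)
{
    size_t n = src->size < hw->size ? src->size : hw->size;
    size_t bytes = n * sizeof(uint16_t);

    if (n == 0)
        return 0;              /* nothing to copy; tables may be NULL here */
    memcpy(hw->red, src->red, bytes);
    memcpy(hw->green, src->green, bytes);
    memcpy(hw->blue, src->blue, bytes);
    return n;
}

/* Constructed scenario: 256-slot source table, 4096-slot hardware table. */
size_t demo_copy(uint16_t *last_copied, uint16_t *first_untouched)
{
    static uint16_t s[3][256], h[3][4096];
    struct gamma_lut src = { s[0], s[1], s[2], 256 };
    struct gamma_lut hw = { h[0], h[1], h[2], 4096 };
    size_t i, n;

    for (i = 0; i < 256; i++)  /* 8 bpc ramp expanded to 16 bit */
        s[0][i] = s[1][i] = s[2][i] = (uint16_t)(i * 257);
    memset(h, 0xAA, sizeof(h)); /* marker pattern to show untouched slots */
    n = gamma_copy_clamped(&hw, &src);
    *last_copied = h[0][n - 1];
    *first_untouched = h[0][n];
    return n;
}

int main(void) { uint16_t a, b; return demo_copy(&a, &b) == 256 ? 0 : 1; }
```

Slots past the clamped count keep whatever the hardware table held before; a caller that needs a full-size ramp has to resample instead, which is the job the message assigns to xf86RandR12CrtcComputeGamma().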