b33f487a7c
If randrp->palette_size is zero, the memcpy() path can read past the end of the randr_crtc's gammaRed/Green/Blue tables if the hw crtc's gamma_size is greater than the randr_crtc's gammaSize. Avoid this by clamping the to-be-copied size to the smaller of both sizes. Note that during regular server startup, the memcpy() path is only taken initially twice, but then a suitable palette is created for use during a session. Therefore during an actual running X-Session, the xf86RandR12CrtcComputeGamma() will be used, which makes sure that data is properly up- or down-sampled for mismatching source and target crtc gamma sizes. This should avoid reading past randr_crtc gamma memory for gpu's with big crtc->gamma_size, e.g., AMD/MALI/KOMEDA 4096 slots, or Intel Icelake and later with 262145 slots. Tested against modesetting-ddx and amdgpu-ddx under screen color depth 24 (8 bpc) and 30 (10 bpc) to make sure that clamping happens properly. This is an alternative fix for the one attempted in commit |
||
|---|---|---|
| .. | ||
| Makefile.am | ||
| meson.build | ||
| xf86Crtc.c | ||
| xf86Crtc.h | ||
| xf86Cursors.c | ||
| xf86DiDGA.c | ||
| xf86EdidModes.c | ||
| xf86Modes.c | ||
| xf86Modes.h | ||
| xf86RandR12.c | ||
| xf86RandR12.h | ||
| xf86Rotate.c | ||
| xf86gtf.c | ||