
[i-g-t,4/5] lib/igt_kms: Fix memory corruption when there's no cursor plane

Message ID 1487354070-14487-4-git-send-email-brian.starkey@arm.com (mailing list archive)
State New, archived

Commit Message

Brian Starkey Feb. 17, 2017, 5:54 p.m. UTC
The dynamic plane support means that if there's no cursor plane, then
there is no space in the pipe->planes array for it, and thus assigning
a "drm_plane-less" plane is out-of-bounds and leads to heap corruption
and later crashes.

The "drm_plane-less" cursor plane isn't included in n_planes anyway,
which means there's no way to ever access it/know that it's there - so
just remove it entirely.

Fixes: 36656239ef96 lib/igt_kms: Implement dynamic plane count support
Signed-off-by: Brian Starkey <brian.starkey@arm.com>
---
 lib/igt_kms.c |    6 ------
 1 file changed, 6 deletions(-)

Comments

Robert Foss Feb. 19, 2017, 8:43 p.m. UTC | #1
On 2017-02-17 12:54 PM, Brian Starkey wrote:
> The dynamic plane support means that if there's no cursor plane, then
> there is no space in the pipe->planes array for it, and thus assigning
> a "drm_plane-less" plane is out-of-bounds and leads to heap corruption
> and later crashes.
>
> The "drm_plane-less" cursor plane isn't included in n_planes anyway,
> which means there's no way to ever access it/know that it's there - so
> just remove it entirely.

Nice catch!

Reviewed-by: Robert Foss <robert.foss@collabora.com>


Rob.

>
> Fixes: 36656239ef96 lib/igt_kms: Implement dynamic plane count support
> Signed-off-by: Brian Starkey <brian.starkey@arm.com>
> ---
>  lib/igt_kms.c |    6 ------
>  1 file changed, 6 deletions(-)
>
> diff --git a/lib/igt_kms.c b/lib/igt_kms.c
> index 45c90c71f301..ef7bfd1a8108 100644
> --- a/lib/igt_kms.c
> +++ b/lib/igt_kms.c
> @@ -1837,12 +1837,6 @@ void igt_display_init(igt_display_t *display, int drm_fd)
>  				memset(&pipe->planes[last_plane], 0,
>  				       sizeof *plane);
>  			}
> -		} else {
> -			/* Add drm_plane-less cursor */
> -			plane = &pipe->planes[p];
> -			plane->pipe = pipe;
> -			plane->index = p;
> -			plane->type = DRM_PLANE_TYPE_CURSOR;
>  		}
>
>  		pipe->n_planes = n_planes;
>
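Review bot: with the `else` branch at the end of the plane loop removed, a pipe that has no hardware cursor no longer carries any entry of type DRM_PLANE_TYPE_CURSOR, so any code that finds the cursor plane by type rather than by index has to cope with not finding one. The commit message argues the entry was unreachable because it was not counted in n_planes; it would help to state there whether lookups by type were checked as well, since none of them are visible in this hunk.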

Patch

diff --git a/lib/igt_kms.c b/lib/igt_kms.c
index 45c90c71f301..ef7bfd1a8108 100644
--- a/lib/igt_kms.c
+++ b/lib/igt_kms.c
@@ -1837,12 +1837,6 @@  void igt_display_init(igt_display_t *display, int drm_fd)
 				memset(&pipe->planes[last_plane], 0,
 				       sizeof *plane);
 			}
-		} else {
-			/* Add drm_plane-less cursor */
-			plane = &pipe->planes[p];
-			plane->pipe = pipe;
-			plane->index = p;
-			plane->type = DRM_PLANE_TYPE_CURSOR;
 		}
 
 		pipe->n_planes = n_planes;
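Review bot: the removed `plane = &pipe->planes[p];` wrote past the array because p was never compared against the number of entries allocated for pipe->planes, and the retained `memset(&pipe->planes[last_plane], 0,` just above indexes the same array with no check in the lines shown. Consider asserting that the index is below n_planes before each remaining write into pipe->planes in igt_display_init(), so that a future miscount fails immediately at the write instead of surfacing as heap corruption and later crashes.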