https://bugs.kde.org/show_bug.cgi?id=419860
Bug ID: 419860
Summary: Buffer overrun when iterating over CRTC's outputs
Product: kwin
Version: 5.16.5
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: platform-x11-standalone
Assignee: kwin-bugs-n...@kde.org
Reporter: b7.10110...@gmail.com
Target Milestone: ---

In KWin 5.16.5, in the XRandRScreens::update() function, a CrtcInfo is created, from which outputs() are obtained. Then a loop iterates over this array, indexing outputs[i] with i from 0 to resources->num_outputs. But this upper limit is not the number of outputs for the given CRTC. It's the number of outputs in all the screen resources. CrtcInfo instead has its own associated xcb_randr_get_crtc_info_reply_t::num_outputs, which should be used as the upper limit.

The same mistake remains in KWin 5.18, in the X11StandalonePlatform::doUpdateOutputs() function.

The result is that the current code reads past outputs, from possible_outputs, and then the reads go beyond the server reply if there are more total outputs than the CRTC's num_outputs + num_possible_outputs.
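
The bounds problem described in the report, as an added example that is not KWin's code and not the reporter's: a simplified model of the reply layout (output ids followed directly by possible-output ids) that classifies where each `outputs[i]` would land for a given loop bound, next to an iteration bounded by the reply's own `num_outputs`. The struct, the function names, the sample ids and the screen-wide total of 5 outputs are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IDS_CAP 8

/* Constructed, simplified model of the CRTC info reply: the output ids are
 * followed directly by the possible-output ids, then the reply ends. */
struct crtc_reply {
    uint16_t num_outputs;           /* outputs driven by this CRTC */
    uint16_t num_possible_outputs;  /* outputs this CRTC could drive */
    uint32_t ids[IDS_CAP];          /* outputs first, then possible_outputs */
};

enum region { IN_OUTPUTS, IN_POSSIBLE_OUTPUTS, PAST_REPLY };

/* Where would outputs[i] land for this reply? */
static enum region classify_index(const struct crtc_reply *r, size_t i)
{
    if (i < r->num_outputs)
        return IN_OUTPUTS;
    if (i < (size_t)r->num_outputs + r->num_possible_outputs)
        return IN_POSSIBLE_OUTPUTS;
    return PAST_REPLY;
}

/* Count iterations of "for (i = 0; i < bound; ++i) outputs[i]" that fall in
 * the given region, without performing the out-of-range reads. */
static size_t count_in_region(const struct crtc_reply *r, size_t bound,
                              enum region where)
{
    size_t n = 0;
    for (size_t i = 0; i < bound; ++i)
        if (classify_index(r, i) == where)
            ++n;
    return n;
}

/* Corrected iteration: the bound is the reply's own num_outputs. */
static size_t collect_outputs(const struct crtc_reply *r, uint32_t *dst,
                              size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < r->num_outputs && i < IDS_CAP && n < cap; ++i)
        dst[n++] = r->ids[i];
    return n;
}

/* Constructed sample: 1 output, 2 possible outputs. */
static const struct crtc_reply sample = { 1, 2, { 0x41, 0x41, 0x42 } };
```

With the screen-wide total of 5 as the bound, one index is a real output, two alias `possible_outputs`, and two fall past the end of the reply; with `num_outputs` as the bound, none do.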