xf86RandR12: use correct gamma size when allocating gamma table

When setting crtc->gamma_size to randr_crtc->gammaSize we should use randr_crtc->gammaSize to allocate new gamma table in crtc. Currently, if randr_crtc->gammaSize > crtc->gammaSize the subsequent memcpy will overwrite memory beyond the end of gamma table. Signed-off-by: Dominik Behr <dbehr@chromium.org> Reviewed-by: Stéphane Marchesin <marcheu@chromium.org> Signed-off-by: Keith Packard <keithp@keithp.com>
author: Dominik Behr <dbehr@chromium.org> 2014-04-01 20:36:13 -0700
committer: Keith Packard <keithp@keithp.com> 2014-04-21 22:27:09 -0700
commit: 70e564104b69bc53d29633f392f2c1ab94caddc9 (patch)
tree: 8449546669e2989bf90e7cc08653f6a499fcec80
parent: 35d275c7519570ceaf82cd5e7a663a8a5be4d441 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index 66139dcf0..8a04dfc2c 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -1256,12 +1256,13 @@ xf86RandR12CrtcSetGamma(ScreenPtr pScreen, RRCrtcPtr randr_crtc)
         CARD16 *tmp_ptr;
 
         tmp_ptr =
-            realloc(crtc->gamma_red, 3 * crtc->gamma_size * sizeof(CARD16));
+            realloc(crtc->gamma_red,
+                    3 * randr_crtc->gammaSize * sizeof(CARD16));
         if (!tmp_ptr)
             return FALSE;
         crtc->gamma_red = tmp_ptr;
-        crtc->gamma_green = crtc->gamma_red + crtc->gamma_size;
-        crtc->gamma_blue = crtc->gamma_green + crtc->gamma_size;
+        crtc->gamma_green = crtc->gamma_red + randr_crtc->gammaSize;
+        crtc->gamma_blue = crtc->gamma_green + randr_crtc->gammaSize;
     }
 
     crtc->gamma_size = randr_crtc->gammaSize;
author	Dominik Behr <dbehr@chromium.org>	2014-04-01 20:36:13 -0700
committer	Keith Packard <keithp@keithp.com>	2014-04-21 22:27:09 -0700
commit	70e564104b69bc53d29633f392f2c1ab94caddc9 (patch)
tree	8449546669e2989bf90e7cc08653f6a499fcec80
parent	35d275c7519570ceaf82cd5e7a663a8a5be4d441 (diff)