On 02/17/13 05:25 PM, Peter Hutterer wrote:
> From: Karl Tomlinson <[email protected]>
>
> MakeBigReq inserts a length field after the first 4 bytes of the request
> (after req->length), pushing everything else back by 4 bytes.
>
> The current memmove moves everything but the first 4 bytes back.
> If a request aligns to the end of the buffer pointer when MakeBigReq is
> invoked for that request, this runs over the buffer.
> Instead, we need to memmove minus the first 4 bytes (which aren't moved),
> minus the last 4 bytes (so we still align to the previous tail).
>
> The 4 bytes that fell out are already handled with Data32, which will handle
> the buffermax correctly.
>
> The case where req->length = 1 was already not functional.
>
> Reported by Abhishek Arya <[email protected]>.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=803762
>
> Reviewed-by: Jeff Muizelaar <[email protected]>
> Reviewed-by: Peter Hutterer <[email protected]>
Fixed the patch to still apply after my WORD64 removal deleted one of the
clauses you were updating and pushed to git master.
Thanks for the fix.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
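Added illustration of the memmove length change in the commit message above; this is a constructed C model, not libX11's MakeBigReq macro or the patch itself. BUFMAX, the request offset and the helper names are assumptions, and the tail bytes are returned to the caller to stand in for the Data32 path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the Xlib output buffer; BUFMAX stands in for
 * dpy->bufmax. This is not libX11's own MakeBigReq code. */
#define BUFMAX 32

/* Old computation: insert a 4-byte length word after the first 4 bytes of
 * the reqlen-byte request at reqoff, moving the remaining reqlen - 4 bytes
 * back by 4. The moved range ends at reqoff + reqlen + 4, so a request that
 * ends exactly at bufmax runs over. The bounds check here only makes that
 * overrun observable; the original macro had no such check. */
static bool make_big_req_old(uint8_t *buf, size_t bufmax, size_t reqoff,
                             size_t reqlen, uint32_t biglen) {
    size_t n = reqlen - 4;
    if (reqlen < 8 || reqoff + 8 + n > bufmax) return false; /* overrun */
    memmove(buf + reqoff + 8, buf + reqoff + 4, n);
    memcpy(buf + reqoff + 4, &biglen, sizeof biglen);
    return true;
}

/* Fixed computation: save the request's last 4 bytes in tail, then move
 * only reqlen - 8 bytes so the request still ends where it did. The caller
 * appends tail afterwards, which is the job Data32 does in the real fix. */
static bool make_big_req_fixed(uint8_t *buf, size_t bufmax, size_t reqoff,
                               size_t reqlen, uint32_t biglen, uint8_t tail[4]) {
    size_t n = reqlen - 8;
    if (reqlen < 8 || reqoff + 8 + n > bufmax) return false;
    memcpy(tail, buf + reqoff + reqlen - 4, 4);
    memmove(buf + reqoff + 8, buf + reqoff + 4, n);
    memcpy(buf + reqoff + 4, &biglen, sizeof biglen);
    return true;
}

/* Constructed case: a 16-byte request filling bytes 16..31, i.e. ending
 * exactly at BUFMAX. The old code would write 12 bytes to 24..35. */
static bool old_overruns_at_tail(void) {
    uint8_t buf[BUFMAX] = {0};
    return !make_big_req_old(buf, BUFMAX, 16, 16, 0x1234);
}

/* Same request after the fix: bytes 20..27 land at 24..31, 28..31 in tail. */
static bool fixed_fits_at_tail(void) {
    uint8_t buf[BUFMAX], tail[4];
    for (size_t i = 0; i < BUFMAX; i++) buf[i] = (uint8_t)i;
    if (!make_big_req_fixed(buf, BUFMAX, 16, 16, 0x1234, tail)) return false;
    return buf[24] == 20 && buf[31] == 27 && tail[0] == 28 && tail[3] == 31;
}
```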
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel