Unlike most of the values returned by this function, which are arrays of XIDs (long int), associated_capability is defined as an array of unsigned int. _XRead32 reads 32-bit values from the wire protocol and writes them to the provided buffer as an array of long ints, even if that means expanding them from 32-bit to 64-bit. Doing that for associated_capability resulted in a garbage value between each actual value, and overflowing the provided buffer into the space for the provider name (which is written later and would overwrite the overflowed data).
Created xhiv libXrandr/XRRGetProviderInfo test case to test & confirm.

Signed-off-by: Alan Coopersmith <[email protected]>

--- src/XrrProvider.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/XrrProvider.c b/src/XrrProvider.c index 309e321..014ddd9 100644 --- a/src/XrrProvider.c +++ b/src/XrrProvider.c @@ -156,7 +156,16 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi _XRead32(dpy, xpi->outputs, rep.nOutputs << 2); _XRead32(dpy, xpi->associated_providers, rep.nAssociatedProviders << 2); - _XRead32(dpy, xpi->associated_capability, rep.nAssociatedProviders << 2); + + /* + * _XRead32 reads a series of 32-bit values from the protocol and writes + * them out as a series of "long int" values, but associated_capability + * is defined as unsigned int *, so that won't work for this array. + * Instead we assume for now that "unsigned int" is also 32-bits, so + * the values can be read without any conversion. + */ + _XRead(dpy, (char *) xpi->associated_capability, + rep.nAssociatedProviders << 2); _XReadPad(dpy, xpi->name, rep.nameLength); xpi->name[rep.nameLength] = '\0'; -- 1.7.9.2
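Review bot: The new comment above the _XRead call says "we assume for now that unsigned int is also 32-bits", but nothing in the hunk enforces that assumption, so a platform where it fails would silently misfill associated_capability when rep.nAssociatedProviders << 2 bytes are copied in. Consider a compile-time check on sizeof(unsigned int) next to the call, or reading each value into a 32-bit temporary and assigning it to the array element, which removes the assumption entirely. Minor wording: "32-bits" in the comment should read "32 bits".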

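The effect the commit message describes can be reproduced in isolation. The following is an added example, not code from the patch or from Xlib: `fill`, `clobbered_bytes`, `second_value` and the sample values are hypothetical stand-ins that write four 32-bit values into space sized for four `unsigned int`, once widened to `long` and once as a raw copy, and measure what lands past the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define N 4                                      /* constructed element count */
#define CAP_BYTES (N * sizeof(unsigned int))     /* space the caller reserved */
static const uint32_t wire[N] = { 1, 2, 3, 4 };  /* constructed wire values */
static unsigned char buf[64];                    /* array, then following data */

/* widening=1: store each 32-bit wire value in a long slot (stand-in for the
 * conversion the commit message describes); widening=0: raw byte copy. */
static void fill(int widening)
{
    memset(buf, 0xAA, sizeof buf);               /* sentinel = untouched byte */
    if (!widening) { memcpy(buf, wire, sizeof wire); return; }
    for (size_t i = 0; i < N; i++) {
        long v = (long) wire[i];
        memcpy(buf + i * sizeof v, &v, sizeof v);
    }
}

/* Bytes past the reserved array space that the read modified. */
size_t clobbered_bytes(int widening)
{
    size_t n = 0;
    fill(widening);
    for (size_t i = CAP_BYTES; i < sizeof buf; i++)
        n += (buf[i] != 0xAA);
    return n;
}

/* What the caller sees as element 1 of the unsigned int array. */
unsigned int second_value(int widening)
{
    unsigned int v;
    fill(widening);
    memcpy(&v, buf + sizeof v, sizeof v);
    return v;
}

int main(void)
{
    printf("widening: %zu bytes past array, element[1]=%u\n",
           clobbered_bytes(1), second_value(1));
    printf("raw:      %zu bytes past array, element[1]=%u\n",
           clobbered_bytes(0), second_value(0));
    return 0;
}
```

On a platform where `long` and `unsigned int` are the same size, both modes report zero bytes past the array, which is why the problem only shows up on 64-bit `long` builds.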