Date: Fri, 6 Apr 2007 08:24:24 +1000 (EST)
From: peterjeremy@optushome.com.au
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: peterjeremy@optushome.com.au
Subject: ports/111292: [patch] xorg-libraries-6.9.0_1: Incorrect MESA/GL pointer type corrupts stack frame
Message-ID: <200704052224.l35MOOr7069246@turion.vk2pj.dyndns.org>
Resent-Message-ID: <200704052230.l35MU2Cn059129@freefall.freebsd.org>
>Number:         111292
>Category:       ports
>Synopsis:       [patch] xorg-libraries-6.9.0_1: Incorrect MESA/GL pointer type corrupts stack frame
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 05 22:30:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Peter Jeremy
>Release:        FreeBSD 6.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD turion.vk2pj.dyndns.org 6.2-STABLE FreeBSD 6.2-STABLE #25: Tue Jan 30 05:01:57 EST 2007 root@turion.vk2pj.dyndns.org:/usr/obj/usr/src/sys/turion amd64
>Description:
Whilst experimenting with galaxql (http://sol.gfxile.net/galaxql.html) I found that enabling 'Render with Glow' would cause a SIGSEGV. Working through the code, I found that one of the MESA/GL functions is defined with a (size_t*) argument but called with a (unsigned*) parameter in two places. On amd64, this causes 4 bytes of the stack frame (the lower 4 bytes of the saved %rbx) to be zeroed.
>How-To-Repeat:
Download galaxql sources and build it, or compile xorg-libraries with '-Wall' and check the "incompatible pointer type" warnings.
>Fix:
The fix I used is below. Note that I have since found that this bug has been fixed in the MESA/GL GIT repository by changing the callers from unsigned to size_t. I changed the callee because the range was equally valid and this reduced the impact of the change in the calling function.

--- extras/Mesa/src/glx/x11/indirect_vertex_array.c~	Tue Oct 18 12:51:53 2005
+++ extras/Mesa/src/glx/x11/indirect_vertex_array.c	Thu Apr  5 22:56:22 2007
@@ -530,7 +530,7 @@ emit_DrawArrays_header_old( __GLXcontext * gc, struct array_state_vector * arrays, size_t * elements_per_request, - size_t * total_requests, + unsigned * total_requests, GLenum mode, GLsizei count ) { size_t command_size;

The "incompatible pointer type" warning also turned up the following bug which has not been fixed:

--- extras/Mesa/src/glx/x11/indirect_vertex_program.c~	Wed Oct 19 06:42:12 2005
+++ extras/Mesa/src/glx/x11/indirect_vertex_program.c	Thu Apr  5 23:02:30 2007
@@ -195,7 +195,11 @@ get_vertex_attrib( gc, 1303, index, pname, (xReply *) & reply ); if ( reply.size != 0 ) { - if ( ! get_attrib_array_data( state, index, pname, params ) ) { + GLintptr data; + if ( get_attrib_array_data( state, index, pname, &data ) ) { + *params = (GLint) data; + } + else { if (reply.size == 1) { *params = (GLint) reply.pad3; }
>Release-Note:
>Audit-Trail:
>Unformatted:
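Review bot: the indirect_vertex_array.c hunk changes only the prototype of emit_DrawArrays_header_old (`- size_t * total_requests` / `+ unsigned * total_requests`), so the assignment to `*total_requests` in the body, which now narrows whatever it computes to 32 bits, is not visible here; the PR text argues the range is equally valid, but the hunk should show (or the PR should state) that the stored value derives from the 32-bit `count` so a reviewer can confirm nothing is truncated. Since upstream fixed the same bug on the caller side (unsigned to size_t), the port patch fixing the callee instead will conflict on the next Mesa import; a note in the port's files/ directory saying why the callee was chosen would save the maintainer that surprise, and the two `unsigned` callers the Description mentions should be named so they can be re-checked once the upstream change lands.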
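Review bot: in the indirect_vertex_program.c hunk, `+ *params = (GLint) data;` narrows a GLintptr to 32 bits, so the comment or commit message should say why that is safe for the attribute queries reachable through get_vertex_attrib (the values returned for `pname` here are small integers, not pointers), or the store should range-check `data` before the cast. The new `GLintptr data;` local is the right fix for the warning, because passing `params` (a GLint *) where a GLintptr * is expected is the same class of bug as the first hunk: on amd64 the callee would write 8 bytes through a 4-byte object, and this time the overwritten bytes belong to the caller's `params` buffer rather than the stack frame. The `+ else {` restructuring keeps the fallback body and its closing brace intact, so behaviour when get_attrib_array_data fails is unchanged.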
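The width mismatch the Description reports, as an added example that is not part of the PR or of Mesa: a hypothetical stand-in callee (emit_header_old) stores a size_t through its total_requests pointer, and store_fits_slot replays that store into a byte-level model of the caller's frame in which a 4-byte constructed sentinel stands in for the saved register next to the local, so the effect of declaring the local as `unsigned` versus `size_t` can be observed without relying on undefined behaviour. It assumes slot_bytes is at most sizeof(size_t) and a little-endian host for the value read back.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the original callee prototype: it takes
 * size_t* and stores a whole size_t (8 bytes on amd64) through it. */
static void emit_header_old(size_t *elements_per_request,
                            size_t *total_requests,
                            size_t count, size_t max_per_request)
{
    *elements_per_request = max_per_request;
    *total_requests = (count + max_per_request - 1) / max_per_request;
}

/* Model the caller's frame as raw bytes: a slot of slot_bytes for the
 * total_requests local, immediately followed by a 4-byte sentinel that
 * stands in for whatever sits next to it (the PR saw the saved %rbx).
 * The callee's store is replayed at offset 0 with its real width.
 * Returns 1 if the sentinel survived, 0 if the store spilled into it;
 * *value_seen receives what a reader of an `unsigned` local would get. */
int store_fits_slot(size_t slot_bytes, size_t count, size_t max_per_request,
                    unsigned *value_seen)
{
    const unsigned sentinel = 0xDEADBEEFu;          /* constructed marker */
    unsigned char frame[sizeof(size_t) + sizeof sentinel];
    size_t elements, total;
    unsigned after;

    memset(frame, 0, sizeof frame);
    memcpy(frame + slot_bytes, &sentinel, sizeof sentinel);

    emit_header_old(&elements, &total, count, max_per_request);
    memcpy(frame, &total, sizeof total);            /* *total_requests = ... */

    memcpy(value_seen, frame, sizeof *value_seen);  /* low 4 bytes on LE */
    memcpy(&after, frame + slot_bytes, sizeof after);
    return after == sentinel;
}
```

With a 4-byte slot on amd64 the reader still sees the right count (3 for count 10, 4 per request), which is why the bug is silent in the value itself and only shows up as the zeroed neighbour the PR describes.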
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200704052224.l35MOOr7069246>