Bug 419860 - Buffer overrun when iterating over CRTC's outputs
Status: RESOLVED UNMAINTAINED
Alias: None
Product: kwin
Classification: Plasma
Component: platform-x11-standalone (other bugs)
Version First Reported In: 5.16.5
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: KWin default assignee
Reported: 2020-04-08 22:12 UTC by Ruslan Kabatsayev
Modified: 2023-09-06 10:38 UTC

Description Ruslan Kabatsayev 2020-04-08 22:12:31 UTC
In KWin 5.16.5, in the XRandRScreens::update() function, a CrtcInfo is created, from which outputs() are obtained. Then a loop iterates over this array, indexing outputs[i] with i from 0 to resources->num_outputs. But this upper limit is not the number of outputs for the given CRTC. It's the number of outputs in all the screen resources. CrtcInfo instead has its own associated xcb_randr_get_crtc_info_reply_t::num_outputs, which should be used as the upper limit.

The same mistake remains in KWin 5.18, in the X11StandalonePlatform::doUpdateOutputs() function.

The result is that the current code reads past outputs, from possible_outputs, and then the reads go beyond the server reply if there are more total outputs than the CRTC's num_outputs + num_possible_outputs.
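
The indexing mistake described in the report, modelled as an added C example that is not part of the original report or KWin's code. The struct and function names are hypothetical stand-ins for the xcb reply and the IDs are constructed sample values; the code classifies where each outputs[i] lands under the screen-wide bound versus the CRTC's own num_outputs, without performing the out-of-bounds read itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the variable-length tail of a RandR GetCrtcInfo
 * reply: num_outputs IDs followed directly by num_possible_outputs IDs.
 * Type and function names here are hypothetical, not xcb's or KWin's. */
typedef struct {
    uint16_t num_outputs;          /* outputs driven by this CRTC */
    uint16_t num_possible_outputs; /* outputs this CRTC could drive */
    const uint32_t *tail;          /* outputs[] then possible_outputs[] */
} crtc_reply;

typedef enum { IN_OUTPUTS, IN_POSSIBLE, PAST_REPLY } slot_kind;

/* Where does outputs[i] actually land in the reply? */
static slot_kind classify(const crtc_reply *r, uint32_t i) {
    if (i < r->num_outputs) return IN_OUTPUTS;
    if (i < (uint32_t)r->num_outputs + r->num_possible_outputs) return IN_POSSIBLE;
    return PAST_REPLY;
}

/* Count the slots of each kind a loop bounded by `limit` would touch. */
static void audit_loop(const crtc_reply *r, uint32_t limit, unsigned counts[3]) {
    counts[IN_OUTPUTS] = counts[IN_POSSIBLE] = counts[PAST_REPLY] = 0;
    for (uint32_t i = 0; i < limit; i++) counts[classify(r, i)]++;
}

/* Corrected iteration: bounded by the CRTC's own num_outputs.
 * Copies at most cap IDs into dst and returns how many were copied. */
static size_t crtc_outputs(const crtc_reply *r, uint32_t *dst, size_t cap) {
    size_t n = r->num_outputs < cap ? r->num_outputs : cap;
    for (size_t i = 0; i < n; i++) dst[i] = r->tail[i];
    return n;
}

int main(void) {
    /* Constructed sample: 1 connected output, 2 possible, 5 on the screen. */
    static const uint32_t tail[] = { 0x41, 0x41, 0x42 };
    crtc_reply r = { 1, 2, tail };
    unsigned c[3];
    audit_loop(&r, 5 /* screen-wide num_outputs */, c);
    printf("buggy bound: %u valid, %u from possible_outputs, %u past reply\n",
           c[IN_OUTPUTS], c[IN_POSSIBLE], c[PAST_REPLY]);
    audit_loop(&r, r.num_outputs, c);
    printf("fixed bound: %u valid, %u from possible_outputs, %u past reply\n",
           c[IN_OUTPUTS], c[IN_POSSIBLE], c[PAST_REPLY]);
    return 0;
}
```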
Comment 1 Zamundaaa 2023-09-06 10:37:18 UTC
Doesn't seem to be the case in 5.27 anymore
Comment 2 David Edmundson 2023-09-06 10:38:15 UTC
This bug was reported against an outdated version of KWin. We have made many changes since then.
If the issue persists in newer versions, can you reopen the bug report, updating the version number.