ports/111292: [patch] xorg-libraries-6.9.0_1: Incorrect MESA/GL pointer type corrupts stack frame
peterjeremy at optushome.com.au
Thu Apr 5 22:30:03 UTC 2007
>Number: 111292
>Category: ports
>Synopsis: [patch] xorg-libraries-6.9.0_1: Incorrect MESA/GL pointer type corrupts stack frame
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 05 22:30:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Peter Jeremy
>Release: FreeBSD 6.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD turion.vk2pj.dyndns.org 6.2-STABLE FreeBSD 6.2-STABLE #25: Tue Jan 30 05:01:57 EST 2007 root at turion.vk2pj.dyndns.org:/usr/obj/usr/src/sys/turion amd64
>Description:
Whilst experimenting with galaxql (http://sol.gfxile.net/galaxql.html)
I found that enabling 'Render with Glow' would cause a SIGSEGV.
Working through the code, I found that one of the MESA/GL functions
is defined with a (size_t*) argument but called with a (unsigned*)
parameter in two places. On amd64, this causes 4 bytes of the
stack frame (the lower 4 bytes of the saved %rbx) to be zeroed.
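To make the mechanism described above concrete, here is an added C model (not code from this PR or from Mesa) of the caller's frame. It assumes a 4-byte unsigned variable sitting directly below the 8-byte saved %rbx on little-endian amd64: the over-wide store from a callee that believes it holds a size_t* zeroes the register's low half exactly as reported, while a correctly sized store leaves it untouched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the caller's frame on amd64 (little-endian):
 * bytes 0..3 hold the caller's 4-byte 'unsigned' whose address is passed
 * to the callee; bytes 4..11 hold the 8-byte saved %rbx right above it.
 * The layout is an assumption for illustration, not a compiler guarantee. */
enum { LOCAL_OFF = 0, SAVED_RBX_OFF = 4, FRAME_LEN = 12 };

/* Simulates the callee writing the request count, then returns the
 * saved-%rbx slot so the caller can see whether it was clobbered.
 * buggy != 0: callee stores through a size_t* (8 bytes on amd64).
 * buggy == 0: callee stores through an unsigned* (4 bytes), the fixed case. */
uint64_t saved_rbx_after(int buggy, unsigned total_requests)
{
    unsigned char frame[FRAME_LEN];
    uint64_t rbx = 0x1122334455667788ULL;  /* constructed register value */
    size_t wide = total_requests;          /* what a size_t* callee stores */
    memset(frame, 0xAA, sizeof frame);
    memcpy(frame + SAVED_RBX_OFF, &rbx, sizeof rbx);
    if (buggy)   /* over-wide store: high (zero) half lands on saved %rbx */
        memcpy(frame + LOCAL_OFF, &wide, sizeof wide);
    else         /* correctly sized store stays inside the 4-byte slot */
        memcpy(frame + LOCAL_OFF, &total_requests, sizeof total_requests);
    memcpy(&rbx, frame + SAVED_RBX_OFF, sizeof rbx);
    return rbx;
}

/* The model only holds on a 64-bit little-endian target such as amd64. */
int model_applies(void)
{
    uint16_t probe = 1;
    unsigned char low;
    memcpy(&low, &probe, 1);
    return sizeof(size_t) == 8 && low == 1;
}

int main(void)
{
    printf("fixed store: %#llx\n", (unsigned long long)saved_rbx_after(0, 3));
    printf("buggy store: %#llx\n", (unsigned long long)saved_rbx_after(1, 3));
    return 0;
}
```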
>How-To-Repeat:
Download the galaxql sources and build them, or
compile xorg-libraries with '-Wall' and check for "incompatible pointer
type" warnings.
>Fix:
The fix I used is below. Note that I have since found that this bug
has been fixed in the MESA/GL GIT repository by changing the callers
from unsigned to size_t. I changed the callee because the range was
equally valid and this reduced the impact of the change in the
calling function.
--- extras/Mesa/src/glx/x11/indirect_vertex_array.c~ Tue Oct 18 12:51:53 2005
+++ extras/Mesa/src/glx/x11/indirect_vertex_array.c Thu Apr 5 22:56:22 2007
@@ -530,7 +530,7 @@
emit_DrawArrays_header_old( __GLXcontext * gc,
struct array_state_vector * arrays,
size_t * elements_per_request,
- size_t * total_requests,
+ unsigned * total_requests,
GLenum mode, GLsizei count )
{
size_t command_size;
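Review bot: narrowing the parameter at "+ unsigned * total_requests," fixes the over-wide store at the two call sites, but the body of emit_DrawArrays_header_old is not in the hunk, so every assignment to *total_requests should be checked to fit in an unsigned, and any arithmetic that combines it with *elements_per_request (still size_t, per the context line) re-checked under -Wall for new sign/width warnings. Since upstream Mesa fixed the same bug the other way round (callers widened to size_t, as the Fix text notes), this local change will conflict on the next Mesa import; a comment in the port's patch file pointing at the upstream change would save the next maintainer a diagnosis.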
The "incompatible pointer type" warning also turned up the following
bug, which has not been fixed:
--- extras/Mesa/src/glx/x11/indirect_vertex_program.c~ Wed Oct 19 06:42:12 2005
+++ extras/Mesa/src/glx/x11/indirect_vertex_program.c Thu Apr 5 23:02:30 2007
@@ -195,7 +195,11 @@
get_vertex_attrib( gc, 1303, index, pname, (xReply *) & reply );
if ( reply.size != 0 ) {
- if ( ! get_attrib_array_data( state, index, pname, params ) ) {
+ GLintptr data;
+ if ( get_attrib_array_data( state, index, pname, &data ) ) {
+ *params = (GLint) data;
+ }
+ else {
if (reply.size == 1) {
*params = (GLint) reply.pad3;
}
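Review bot: at "+ *params = (GLint) data;" the narrowing cast silently drops the upper 32 bits of a GLintptr on amd64; since the hunk introduces the GLintptr temporary precisely to replace the direct pass of params that drew the incompatible-pointer warning, the fix is the right shape, but a short comment stating why the values returned by get_attrib_array_data are known to fit in a GLint (or a range check before the store) would document that the truncation is intended rather than a second instance of the same class of bug. Minor: the "}" / "else {" split across two lines does not match the "if ( ... ) {" brace style of the surrounding context lines.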
>Release-Note:
>Audit-Trail:
>Unformatted: