From fd007d9d465b9b3ddbbaf769931ec921a6f5ecb8 Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Thu, 28 Nov 2013 21:13:33 +0000
Subject: [PATCH] sna/video: Correct handling of cropped images along packed fast path

In particular, it was offseting the read from the source image, but not correcting the length to read - causing a read from beyond the end of the source and a segfault.
Reported-by: Jan Engelhardt
Signed-off-by: Chris Wilson
---
 src/sna/sna_video.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/sna/sna_video.c b/src/sna/sna_video.c
index 7f1eeb2c..e4d33158 100644
--- a/src/sna/sna_video.c
+++ b/src/sna/sna_video.c
@@ -520,11 +520,25 @@ sna_video_copy_data(struct sna_video *video,
 return true;
 }
 } else {
- if (frame->width*2 == frame->pitch[0]) {
+ int x, y, w, h;
+
+ if (video->textured) {
+ /* XXX support copying cropped extents */
+ x = y = 0;
+ w = frame->width;
+ h = frame->height;
+ } else {
+ x = frame->image.x1;
+ y = frame->image.y1;
+ w = frame->image.x2 - frame->image.x1;
+ h = frame->image.y2 - frame->image.y1;
+ }
+
+ if (w*2 == frame->pitch[0]) {
+ buf += (2U*y * frame->width) + (x << 1);
 if (frame->bo) {
 kgem_bo_write(&video->sna->kgem, frame->bo,
- buf + (2U*frame->image.y1 * frame->width) + (frame->image.x1 << 1),
- 2U*(frame->image.y2-frame->image.y1)*frame->width);
+ buf, 2U*h*frame->width);
 } else {
 frame->bo = kgem_create_buffer(&video->sna->kgem, frame->size, KGEM_BUFFER_WRITE | KGEM_BUFFER_WRITE_INPLACE,
@@ -532,9 +546,7 @@ sna_video_copy_data(struct sna_video *video,
 if (frame->bo == NULL)
 return false;
- memcpy(dst,
- buf + (frame->image.y1 * frame->width*2) + (frame->image.x1 << 1),
- 2U*(frame->image.y2-frame->image.y1)*frame->width);
+ memcpy(dst, buf, 2U*h*frame->width);
 }
 return true;
 }
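Review bot: The fast path is now guarded by `w*2 == frame->pitch[0]`, but the `kgem_bo_write()` call in the first hunk and the `memcpy()` in the second still copy `2U*h*frame->width` bytes, so the bounds only hold if `w == frame->width` and `x == 0` whenever the guard passes. Whether that is guaranteed depends on how `frame->pitch[0]` is computed, which is outside these hunks. If a horizontally cropped image can reach this branch, the read starting at `buf + 2*y*width + 2*x` would run `2*x` bytes past the last source row when `image.y2` equals the frame height, and the copy would be larger than `h * frame->pitch[0]` in the destination. Stating the invariant in the guard, e.g. `if (x == 0 && w == frame->width && w*2 == frame->pitch[0]) {`, would leave any other crop to whatever follows the fast path. A comment above the guard should also record that `image.x1/y1/x2/y2` are assumed to be clamped to the frame already, since a negative `h` would turn into a very large unsigned length.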