From a6ce91fe526a5dee4c79b9deffac6829d22dd805 Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Tue, 17 May 2016 08:35:29 +0200 Subject: glxcmds: glXGetFBConfigs, fix screen bounds Bounds of screen are 0 (inclusive) and ScreenCount(dpy) (exclusive). The upper bound was too ScreenCount(dpy) (inclusive). This causes a crash invoked by java3d which passes down an invalid screen: 6 0x00007f0e5198ba70 in () at /lib64/libc.so.6 7 0x00007f0e14531e14 in glXGetFBConfigs (dpy=, screen=1, nelements=nelements@entry=0x7f0dab3c522c) at glxcmds.c:1660 8 0x00007f0e14532f7f in glXChooseFBConfig (dpy=, screen=, attribList=0x7f0dab3c54e0, nitems=0x7f0dab3c535c) at glxcmds.c:1611 9 0x00007f0e1478d29b in find_S_FBConfigs () at /usr/lib64/libj3dcore-ogl.so 10 0x00007f0e1478d3dc in find_S_S_FBConfigs () at /usr/lib64/libj3dcore-ogl.so 11 0x00007f0e1478d567 in find_AA_S_S_FBConfigs () at /usr/lib64/libj3dcore-ogl.so 12 0x00007f0e1478d728 in find_DB_AA_S_S_FBConfigs () at /usr/lib64/libj3dcore-ogl.so 13 0x00007f0e1478d97c in Java_javax_media_j3d_X11NativeConfigTemplate3D_chooseOglVisual () at /usr/lib64/libj3dcore-ogl.so While ScreenCount(dpy) is actually 1: (gdb) p dpy->nscreens $2 = 1 screen=1 is passed to glXGetFBConfigs. Fix this typo in glXGetFBConfigs. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=95456 Signed-off-by: Jiri Slaby Cc: Reviewed-by: Adam Jackson Reviewed-by: Emil Velikov --- src/glx/glxcmds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/glx/glxcmds.c b/src/glx/glxcmds.c index 63f492128bc..46bc214081a 100644 --- a/src/glx/glxcmds.c +++ b/src/glx/glxcmds.c @@ -1657,7 +1657,7 @@ glXGetFBConfigs(Display * dpy, int screen, int *nelements) *nelements = 0; if (priv && (priv->screens != NULL) - && (screen >= 0) && (screen <= ScreenCount(dpy)) + && (screen >= 0) && (screen < ScreenCount(dpy)) && (priv->screens[screen]->configs != NULL) && (priv->screens[screen]->configs->fbconfigID != (int) GLX_DONT_CARE)) { -- cgit v1.2.3
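Review bot: In the glXGetFBConfigs condition, `priv->screens[screen]->configs` is still dereferenced without checking that `priv->screens[screen]` itself is non-NULL, even with the corrected bound `screen < ScreenCount(dpy)`. The hunk does not show how the per-screen array is populated; if an entry can be left NULL when a screen fails to initialise, add `&& (priv->screens[screen] != NULL)` ahead of the `->configs` test. The bound is also read from ScreenCount(dpy) while the index is applied to priv->screens, so a one-line comment stating that the array holds exactly ScreenCount(dpy) entries would make the invariant this check relies on explicit. The change from `<=` to `<` is consistent with the backtrace in the commit message (screen=1 passed while dpy->nscreens is 1).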