From d4eafbaa980a7698e4c0c8170ab29f9fd929754c Mon Sep 17 00:00:00 2001 From: Pekka Paalanen Date: Thu, 28 Jul 2022 16:56:21 +0300 Subject: [PATCH] backend-wayland: fix pixman buffer size As wayland-backend is blitting the output decorations into the output buffer itself, it pretends towards the pixman-renderer that there is no decorations area. The pixman_image_create_bits() call wraps the previously allocated buffer with an offset so that pixman-renderer will paint in the right position. The bug is that this pixman image was using the original buffer width and height, instead of the composited area width and height. So the pixman image looks too big to pixman-renderer, but the renderer didn't care. The image being too big does risk access out of bounds in pixman-renderer. I found this when I was making renderers explicitly aware of the frambuffer size and resizing, added asserts, and they surprisingly failed. This fixes that. Signed-off-by: Pekka Paalanen --- libweston/backend-wayland/wayland.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/libweston/backend-wayland/wayland.c b/libweston/backend-wayland/wayland.c index 9272b414..a5e0183a 100644 --- a/libweston/backend-wayland/wayland.c +++ b/libweston/backend-wayland/wayland.c @@ -301,7 +301,7 @@ wayland_output_get_shm_buffer(struct wayland_output *output) struct wl_shm_pool *pool; int width, height, stride; - int32_t fx, fy; + struct weston_geometry area; int fd; unsigned char *data; @@ -377,13 +377,20 @@ wayland_output_get_shm_buffer(struct wayland_output *output) cairo_image_surface_create_for_data(data, CAIRO_FORMAT_ARGB32, width, height, stride); - fx = 0; - fy = 0; - if (output->frame) - frame_interior(output->frame, &fx, &fy, 0, 0); + if (output->frame) { + frame_interior(output->frame, &area.x, &area.y, + &area.width, &area.height); + } else { + area.x = 0; + area.y = 0; + area.width = output->base.current_mode->width; + area.height = output->base.current_mode->height; + } + + /* Address only the interior, excluding output decorations */ sb->pm_image = - pixman_image_create_bits(PIXMAN_a8r8g8b8, width, height, - (uint32_t *)(data + fy * stride) + fx, + pixman_image_create_bits(PIXMAN_a8r8g8b8, area.width, area.height, + (uint32_t *)(data + area.y * stride) + area.x, stride); return sb;