Bug 250070 - Stack corruption when get XV_FREQ on 64bit arches
Summary: Stack corruption when get XV_FREQ on 64bit arches
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11-drv-v4l
Version: 7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Adam Jackson
QA Contact: Fedora Extras Quality Assurance
Keywords: EasyFix, Patch
Duplicates: 247747
Reported: 2007-07-30 10:57 UTC by Dmitry Butskoy
Modified: 2007-11-30 22:12 UTC (History)
CC List: 2 users

Fixed In Version: 0.1.1-8.fc7
Doc Type: Bug Fix
Last Closed: 2007-09-07 17:18:36 UTC


Attachments
This patch fixes the issue. (934 bytes, patch)
2007-07-30 10:57 UTC, Dmitry Butskoy

Description Dmitry Butskoy 2007-07-30 10:57:02 UTC
The applications which work with a v4l device through the Xvideo X11 extension (not
directly) use the XV_FREQ attribute to obtain the current v4l tuner frequency.

There is a bug in xorg-x11-drv-v4l which causes the X11 server to crash when the XV_FREQ
attribute is asked for.

Only 64bit systems are affected.

The problem is that when x11-drv-v4l receives such a request, it asks the hardware
for the frequency, using the v4l1 ioctl VIDIOCGFREQ. This ioctl has an argument -- a
pointer to "unsigned long". But the actual pointer passed to the ioctl call is
(INT32 *).

IOW, the actual pointer points to 4-byte area, whereas ioctl call assumes that
it points to "unsigned long", which on 64bit arches is 8 bytes long...


How to reproduce:

On any 64bit system with TV-tuner capable v4l hardware, with the "v4l" driver
included in the xorg.conf "Module" section, just run "xvinfo". The whole X11 server
crashes then.


This bug was initially found by using xawtv (see bug #247747).


The patch attached fixes the issue. I have a success report from the initial bug
reporter about it.
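A stand-alone illustration of the size mismatch described in this report, added here as an example; it is neither the attached patch nor the driver's own code. The real VIDIOCGFREQ ioctl is replaced by a constructed fake_vidiocgfreq() that copies sizeof(unsigned long) bytes through whatever pointer it receives, which is what the kernel does for a v4l1 frequency query, and the tuner frequency is a constructed sample value. buggy_clobbers_neighbour() hands the ioctl a 4-byte slot the way the driver did and reports whether the adjacent 4-byte stack slot was overwritten; fixed_clobbers_neighbour() and fixed_freq_value() fetch into a correctly sized unsigned long and narrow to INT32 only afterwards, which is the shape of the fix. All function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the tuner's current frequency (sample value). */
static const unsigned long sample_tuner_freq = 0x1234567UL;

/* Constructed stand-in for the v4l1 VIDIOCGFREQ ioctl.  The kernel side
 * treats the argument as "unsigned long *" and copies a whole unsigned long
 * back to user space, so this fake does the same: it writes
 * sizeof(unsigned long) bytes through whatever pointer it is handed. */
static int fake_vidiocgfreq(void *arg)
{
    memcpy(arg, &sample_tuner_freq, sizeof sample_tuner_freq);
    return 0;
}

/* Marker value placed in the stack slot next to the one the driver passes. */
#define NEIGHBOUR_CANARY 0x5A5A5A5A

/* Buggy pattern: two adjacent 4-byte slots, the first of which is handed to
 * the ioctl as if it were an (INT32 *).  On LP64 the ioctl writes 8 bytes,
 * so the second slot is overwritten too.  Returns 1 if the neighbouring
 * slot was clobbered, 0 if it survived (as it does on 32-bit). */
int buggy_clobbers_neighbour(void)
{
    int32_t slots[2] = { 0, NEIGHBOUR_CANARY };

    fake_vidiocgfreq(&slots[0]);            /* 4-byte target, 8-byte write */
    return slots[1] != NEIGHBOUR_CANARY;
}

/* Fixed pattern: the ioctl gets a variable of the type it actually expects,
 * and the value is narrowed to INT32 only after the call returns. */
static int32_t fixed_read_freq(int32_t *neighbour_out)
{
    int32_t slots[2] = { 0, NEIGHBOUR_CANARY };
    unsigned long freq = 0;                 /* correctly sized for the ioctl */

    fake_vidiocgfreq(&freq);
    slots[0] = (int32_t)freq;               /* explicit narrowing, no overrun */
    *neighbour_out = slots[1];
    return slots[0];
}

/* Returns 1 if the fixed path disturbed the neighbouring slot (it never does). */
int fixed_clobbers_neighbour(void)
{
    int32_t neighbour;
    (void)fixed_read_freq(&neighbour);
    return neighbour != NEIGHBOUR_CANARY;
}

/* Returns the frequency as read through the fixed path. */
int32_t fixed_freq_value(void)
{
    int32_t neighbour;
    return fixed_read_freq(&neighbour);
}

int main(void)
{
    printf("sizeof(unsigned long) = %zu, sizeof(INT32) = %zu\n",
           sizeof(unsigned long), sizeof(int32_t));
    printf("buggy path clobbers neighbour: %d\n", buggy_clobbers_neighbour());
    printf("fixed path clobbers neighbour: %d, frequency 0x%lx\n",
           fixed_clobbers_neighbour(), (unsigned long)fixed_freq_value());
    return 0;
}
```

Build with `cc -Wall -Wextra` and run on an x86_64 Linux box: the buggy path reports the neighbouring slot as clobbered, the fixed path does not. Rebuilt with `-m32` (or on any ILP32 target) sizeof(unsigned long) is 4 and the buggy path is harmless, matching the report's observation that only 64bit systems are affected. In the real driver the overwritten neighbour is whatever the compiler placed next to the INT32 on the stack, which is why the symptom is a server crash rather than a wrong frequency.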

Comment 1 Dmitry Butskoy 2007-07-30 10:57:02 UTC
Created attachment 160234
This patch fixes the issue.

Comment 2 Dmitry Butskoy 2007-07-30 11:04:16 UTC
*** Bug 247747 has been marked as a duplicate of this bug. ***

Comment 3 Adam Jackson 2007-08-28 17:20:33 UTC
Fixed in 0.1.1-8.fc8.  Will post an F7 update shortly.

Comment 4 Fedora Update System 2007-08-29 17:26:31 UTC
xorg-x11-drv-v4l-0.1.1-8.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2007-09-07 17:18:35 UTC
xorg-x11-drv-v4l-0.1.1-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
