nouveau_xv: Avoid reading off the end of the source image on NV50+

The 'w' argument to NVCopyNV12ColorPlanes is used to index into the
source image. line_len is rounded up to 8 on NV50+, so if the source
image (+ left offset) is not rounded to 8, NVCopyNV12ColorPlanes could
read past the end of the array and crash X. This change can cause the
last few horizontal pixels of dst to not be initialized, but they
should be truncated by the renderer anyways.

See https://bugs.freedesktop.org/show_bug.cgi?id=63263

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/nouveau_xv.c b/src/nouveau_xv.c
index f7dc2bc..8eafcf0 100644
--- a/src/nouveau_xv.c
+++ b/src/nouveau_xv.c
@@ -1095,7 +1095,7 @@ NVPutImage(ScrnInfoPtr pScrn, short src_x, short src_y, short drw_x,
 				NVCopyNV12ColorPlanes(buf + s2offset,
 						      buf + s3offset, dst,
 						      line_len, srcPitch2,
-						      nlines, line_len);
+						      nlines, npixels);
 			}
 		} else {
 			for (i = 0; i < nlines; i++) {
@@ -1161,7 +1161,7 @@ CPU_copy:
 				NVCopyNV12ColorPlanes(buf + s2offset,
 						      buf + s3offset,
 						      map, dstPitch, srcPitch2,
-						      nlines, line_len);
+						      nlines, npixels);
 			}
 		} else {
 			/* YUY2 and RGB */