XRRGetProviderInfo returned bad associated_capability list in 64-bit

Unlike most of the values returned by this function, which are arrays
of XIDs (long int), associated_capability is defined as an array of
unsigned int.   _XRead32 reads 32-bit values from the wire protocol
and writes them to the provided buffer as an array of long ints, even
if that means expanding them from 32-bit to 64-bit.   Doing that for
associated_capability resulted in a garbage value between each actual
value, and overflowing the provided buffer into the space for the
provider name (which is written later and would overwrite the overflowed
data).

Created xhiv libXrandr/XRRGetProviderInfo test case to test & confirm.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>

1 files changed, 10 insertions, 1 deletions

diff --git a/src/XrrProvider.c b/src/XrrProvider.c
index 309e321..014ddd9 100644
--- a/src/XrrProvider.c
+++ b/src/XrrProvider.c
@@ -156,7 +156,16 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
     _XRead32(dpy, xpi->outputs, rep.nOutputs << 2);
 
     _XRead32(dpy, xpi->associated_providers, rep.nAssociatedProviders << 2);
-    _XRead32(dpy, xpi->associated_capability, rep.nAssociatedProviders << 2);
+
+    /*
+     * _XRead32 reads a series of 32-bit values from the protocol and writes
+     * them out as a series of "long int" values, but associated_capability
+     * is defined as unsigned int *, so that won't work for this array.
+     * Instead we assume for now that "unsigned int" is also 32-bits, so
+     * the values can be read without any conversion.
+     */
+    _XRead(dpy, (char *) xpi->associated_capability,
+           rep.nAssociatedProviders << 2);
 
     _XReadPad(dpy, xpi->name, rep.nameLength);
     xpi->name[rep.nameLength] = '\0';