From d2af650a280f94d7ddd155cb499110ab45135100 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Fri, 19 Oct 2018 16:04:32 +0200
Subject: [PATCH xserver] xwayland: do not crash if `gbm_bo_create()` fails

The function `xwl_glamor_gbm_create_pixmap()` first creates a buffer object and then creates the xwl_pixmap from it.

However, `xwl_glamor_gbm_create_pixmap_for_bo()` is not called if the buffer object creation fails, and `xwl_glamor_gbm_create_pixmap()` simply returns `glamor_create_pixmap()`.

The problem with this is that if `xwl_glamor_gbm_create_pixmap_for_bo()` is not called then neither is `xwl_pixmap_set_private()` and further calls to `xwl_pixmap_get()` will return NULL and cause a NULL pointer dereference if the return value is not checked:

  #0 xwl_glamor_gbm_get_wl_buffer_for_pixmap () at hw/xwayland/xwayland-glamor-gbm.c:248
  #1 xwl_window_post_damage () at hw/xwayland/xwayland.c:697
  #2 xwl_display_post_damage () at hw/xwayland/xwayland.c:759
  #3 block_handler () at hw/xwayland/xwayland.c:890
  #4 BlockHandler () at dix/dixutils.c:388
  #5 WaitForSomething () at os/WaitFor.c:201
  #6 Dispatch () at dix/dispatch.c:421
  #7 dix_main () at dix/main.c:276
  #8 __libc_start_main () at ../csu/libc-start.c:308
  #9 _start ()
  (gdb) print xwl_pixmap
  $1 = (struct xwl_pixmap *) 0x0

Make sure we check for `xwl_pixmap_get()` returned value where relevant and fail gracefully if this is the case.

See also: https://gitlab.gnome.org/GNOME/mutter/issues/340

Signed-off-by: Olivier Fourdan
Reviewed-by: Marco Trevisan
Reviewed-by: Peter Hutterer
(cherry picked from commit 036794bebce72a3fa2f95996d2e537ff568e0ff1)
---
 hw/xwayland/xwayland-glamor-gbm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/xwayland/xwayland-glamor-gbm.c b/hw/xwayland/xwayland-glamor-gbm.c
index 6aa1e4641d..5f8a68fd8c 100644
--- a/hw/xwayland/xwayland-glamor-gbm.c
+++ b/hw/xwayland/xwayland-glamor-gbm.c
@@ -244,6 +244,9 @@ xwl_glamor_gbm_get_wl_buffer_for_pixmap(PixmapPtr pixmap, uint64_t modifier; int i; + if (xwl_pixmap == NULL) + return NULL; + if (xwl_pixmap->buffer) { /* Buffer already exists. Return it and inform caller if interested. */ if (created) @@ -494,6 +497,9 @@ glamor_egl_fds_from_pixmap(ScreenPtr screen, PixmapPtr pixmap, int *fds, xwl_pixmap = xwl_pixmap_get(pixmap); + if (xwl_pixmap == NULL) + return 0; + if (!xwl_pixmap->bo) return 0; -- 2.19.1
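Review bot: In the first hunk (`xwl_glamor_gbm_get_wl_buffer_for_pixmap()`), the new `return NULL` exits before anything is written to `created`, while the existing branch just below does touch it under `if (created)`. A caller that passes `created` and reads it without first checking the returned buffer would read whatever it held before the call, so consider clearing it on this path as well, or document that it is only valid on a non-NULL return. The NULL also now propagates to the caller; the backtrace in the commit message shows that is `xwl_window_post_damage()` in hw/xwayland/xwayland.c, which this one-file patch does not touch, so it is worth confirming that path tolerates a NULL buffer rather than moving the dereference one frame up.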
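Review bot: In the second hunk (`glamor_egl_fds_from_pixmap()`), the added `if (xwl_pixmap == NULL) return 0;` sits directly above `if (!xwl_pixmap->bo) return 0;`, so two adjacent checks return the same value and use two different NULL-test styles. Folding them into `if (xwl_pixmap == NULL || !xwl_pixmap->bo) return 0;` keeps the guard in one place. A short comment saying when the private can be missing (the `gbm_bo_create()` failure path described in the commit message) would help, since neither hunk explains it in the code.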