Possible SEGV (null pointer dereference) in dri2GetGlxDrawableFromXDrawableId()
Describe the issue
A NULL pointer dereference can occur in dri2GetGlxDrawableFromXDrawableId() if the X11 server sends a DRI2_BufferSwapComplete event unexpectedly while the application is using DRI3 (so the DRI2 side of the display was never initialised).
This bug is difficult to reproduce, since it requires the X11 server to send an unexpected event. Nevertheless, here is the relevant source code with annotations:
libGLX_mesa.so:dri2_glx.c

```c
/* This will be called from DRI2WireToEvent on an unexpected
 * DRI2_BufferSwapComplete event.
 * (The parameter list was elided in the report; dpy and id are the
 * names used in the body.) */
__GLXDRIdrawable *
dri2GetGlxDrawableFromXDrawableId(Display *dpy, XID id)
{
   struct glx_display *d = __glXInitialize(dpy);
   struct dri2_display *pdp = (struct dri2_display *) d->dri2Display;
   __GLXDRIdrawable *pdraw;

   /* <---- Here pdp will be NULL if the program is using DRI3,
    * leading to a SEGV in the following line: */
   if (__glxHashLookup(pdp->dri2Hash, id, (void *) &pdraw) == 0)
      return pdraw;

   return NULL;
}
```
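To make the failure mode concrete without linking against libGLX_mesa, here is an added, self-contained C model of the lookup (not Mesa's code): minimal stand-ins for `glx_display`, `dri2_display` and the DRI2 hash, an unchecked lookup that mirrors the pattern above, and a guarded variant that returns NULL when the DRI2 display was never set up. The struct layouts, the `hash_lookup` helper and the two fixture builders are constructed for this example and are not Mesa identifiers; the guard itself is an assumption about one reasonable fix, not the project's actual patch.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long XID;   /* Xlib resource id, as in <X11/X.h> */

/* Stand-in for __GLXDRIdrawable (constructed for this example). */
typedef struct {
    XID xDrawable;
    const char *name;
} drawable_stub;

/* Tiny fixed-size hash stand-in for __glxHashLookup's table. */
struct dri2_hash {
    struct { XID key; drawable_stub *value; } entries[8];
    size_t count;
};

struct dri2_display {
    struct dri2_hash *dri2Hash;
};

struct glx_display {
    struct dri2_display *dri2Display;   /* stays NULL on a DRI3-only display */
};

/* Mirrors __glxHashLookup's contract: 0 on hit (value stored), non-zero on miss. */
static int hash_lookup(struct dri2_hash *h, XID key, void **out)
{
    for (size_t i = 0; i < h->count; i++) {
        if (h->entries[i].key == key) {
            *out = h->entries[i].value;
            return 0;
        }
    }
    return -1;
}

/* Unchecked form: same shape as the report's snippet. Dereferences pdp
 * unconditionally, so a NULL dri2Display (DRI3 in use) crashes here. */
drawable_stub *lookup_unchecked(struct glx_display *d, XID id)
{
    struct dri2_display *pdp = d->dri2Display;
    drawable_stub *pdraw = NULL;

    if (hash_lookup(pdp->dri2Hash, id, (void **) &pdraw) == 0)   /* SEGV if pdp == NULL */
        return pdraw;
    return NULL;
}

/* Guarded form (assumed fix): treat "no DRI2 state" as "no such drawable". */
drawable_stub *lookup_checked(struct glx_display *d, XID id)
{
    if (d == NULL || d->dri2Display == NULL || d->dri2Display->dri2Hash == NULL)
        return NULL;   /* DRI3 display, or DRI2 never initialised: nothing to look up */

    drawable_stub *pdraw = NULL;
    if (hash_lookup(d->dri2Display->dri2Hash, id, (void **) &pdraw) == 0)
        return pdraw;
    return NULL;
}

/* Fixtures (constructed): one DRI2 display with a registered drawable, one DRI3 display. */
drawable_stub g_drawable = { 0x400001, "toplevel window" };
static struct dri2_hash g_hash;
static struct dri2_display g_dri2 = { &g_hash };

struct glx_display *dri2_display_fixture(void)
{
    static struct glx_display d;
    g_hash.count = 1;
    g_hash.entries[0].key = g_drawable.xDrawable;
    g_hash.entries[0].value = &g_drawable;
    d.dri2Display = &g_dri2;
    return &d;
}

struct glx_display *dri3_display_fixture(void)
{
    static struct glx_display d = { NULL };   /* dri2Display never populated */
    return &d;
}

int main(void)
{
    drawable_stub *hit = lookup_checked(dri2_display_fixture(), 0x400001);
    printf("DRI2 display, known id : %s\n", hit ? hit->name : "(null)");
    printf("DRI2 display, unknown  : %p\n", (void *) lookup_checked(dri2_display_fixture(), 0x400002));
    printf("DRI3 display, checked  : %p\n", (void *) lookup_checked(dri3_display_fixture(), 0x400001));
    /* lookup_unchecked(dri3_display_fixture(), 0x400001) would dereference NULL here. */
    return 0;
}
```

The guard returns NULL for the DRI3 case so the caller takes its existing "drawable not found" path instead of crashing; an alternative is to check `dri2Display` in the event handler before calling the lookup at all. Either way the point is that an unexpected wire event must not be allowed to assume protocol state the client never set up.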
System information
System:
Host: gjd-VirtualBox Kernel: 6.2.0-24-generic arch: x86_64 bits: 64
compiler: N/A Desktop: GNOME v: 44.0 tk: GTK v: 3.24.37 wm: gnome-shell
dm: GDM3 Distro: Ubuntu 23.04 (Lunar Lobster)
CPU:
Info: 8-core model: Intel Xeon E5-2630 v4 bits: 64 type: MCP arch: Broadwell
rev: 1 cache: L1: 512 KiB L2: 2 MiB L3: 200 MiB
Speed (MHz): avg: 2195 min/max: N/A cores: 1: 2195 2: 2195 3: 2195 4: 2195
5: 2195 6: 2195 7: 2195 8: 2195 bogomips: 35118
Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3
Graphics:
Device-1: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter
driver: vboxvideo v: kernel ports: active: VGA-1 empty: none bus-ID: 00:02.0
chip-ID: 80ee:beef
Display: x11 server: X.Org v: 1.21.1.7 with: Xwayland v: 22.1.8
compositor: gnome-shell driver: X: loaded: modesetting unloaded: fbdev,vesa
alternate: vboxvideo dri: swrast gpu: vboxvideo display-ID: :1 screens: 1
Screen-1: 0 s-res: 3576x1999 s-dpi: 96
Monitor-1: VGA-1 model: VBOX monitor res: 3576x1999 size: N/A
API: OpenGL v: 4.5 Mesa 23.0.4-0ubuntu1~23.04.1 renderer: llvmpipe (LLVM
15.0.7 256 bits) direct-render: Yes