Possible SEGV (null pointer dereference) in check_xshm()
Describe the issue
There is a possible NULL pointer dereference in `check_xshm()`. To reproduce, the X11 connection must be put into a has_error state. If this occurs, then `xcb_wait_for_reply()` will return NULL, which is not checked by `check_xshm()`.
Here is the relevant source code + annotations:
libxcb.so: xcb_in.c

```c
void *xcb_wait_for_reply(...)
{
    ...
    if(c->has_error)
        return 0; /* <---- NULL can be returned */
    ...
}
```

libxcb.so: xproto.c

```c
xcb_query_extension_reply_t *xcb_query_extension_reply (...)
{
    /* thin wrapper: passes the NULL from xcb_wait_for_reply() straight through */
    return (xcb_query_extension_reply_t *) xcb_wait_for_reply(...);
}
```

libGLX_mesa.so: drisw_glx.c

```c
static int check_xshm(Display *dpy)
{
    ...
    shm_reply = xcb_query_extension_reply(c, shm_cookie, NULL);
    /* <---- shm_reply is dereferenced without NULL check below. */
    xshm_opcode = shm_reply->major_opcode;
    ...
}
```
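To make the failure mode concrete without needing a live X server, the following is an added example (not libxcb or Mesa code): a constructed stand-in for the connection and reply types, a `mock_query_extension_reply()` that returns NULL once `has_error` is set exactly as `xcb_wait_for_reply()` does, and `check_xshm()` in the unchecked shape from the report beside a checked shape that treats a missing reply as "MIT-SHM unavailable". The type names, the `opcode_out` parameter and the opcode value 130 are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Constructed stand-ins for the libxcb types involved. They model only the
 * has_error behaviour described in the report, not the real ABI. */
typedef struct {
    int has_error;              /* set once the connection has shut down */
} mock_xcb_connection_t;

typedef struct {
    uint8_t present;
    uint8_t major_opcode;
} mock_query_extension_reply_t;

/* Mirrors xcb_wait_for_reply(): once the connection is in an error state no
 * reply can ever arrive, so NULL is returned. Otherwise a heap reply is
 * returned that the caller must free(), as with libxcb replies. */
static mock_query_extension_reply_t *
mock_query_extension_reply(mock_xcb_connection_t *c)
{
    if (c->has_error)
        return NULL;
    mock_query_extension_reply_t *r = malloc(sizeof *r);
    if (!r)
        return NULL;
    r->present = 1;
    r->major_opcode = 130;      /* constructed value, not a real opcode */
    return r;
}

/* Unchecked shape from the report: the reply is dereferenced unconditionally,
 * so a connection in the has_error state produces a NULL dereference. */
static int check_xshm_unchecked(mock_xcb_connection_t *c, int *opcode_out)
{
    mock_query_extension_reply_t *shm_reply = mock_query_extension_reply(c);
    *opcode_out = shm_reply->major_opcode;   /* SEGV when shm_reply == NULL */
    int present = shm_reply->present;
    free(shm_reply);
    return present;
}

/* Checked shape: a NULL reply means the answer cannot be determined, so
 * report MIT-SHM as unavailable (0) instead of crashing. */
static int check_xshm_checked(mock_xcb_connection_t *c, int *opcode_out)
{
    mock_query_extension_reply_t *shm_reply = mock_query_extension_reply(c);
    if (!shm_reply) {
        *opcode_out = -1;
        return 0;
    }
    int present = shm_reply->present;
    *opcode_out = present ? shm_reply->major_opcode : -1;
    free(shm_reply);
    return present;
}

int main(void)
{
    mock_xcb_connection_t healthy = { 0 };
    mock_xcb_connection_t broken  = { 1 };
    int opcode;

    printf("healthy: xshm=%d opcode=%d\n",
           check_xshm_checked(&healthy, &opcode), opcode);
    printf("has_error: xshm=%d opcode=%d\n",
           check_xshm_checked(&broken, &opcode), opcode);
    /* check_xshm_unchecked(&broken, &opcode) would crash here. */
    return 0;
}
```

Returning 0 ("no SHM") on a NULL reply is the conservative choice: the caller falls back to the non-SHM path, and a connection that has already failed will surface its error at the next request rather than as a crash inside extension probing.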
System information
System:
Host: gjd-VirtualBox Kernel: 6.2.0-24-generic arch: x86_64 bits: 64
compiler: N/A Desktop: GNOME v: 44.0 tk: GTK v: 3.24.37 wm: gnome-shell
dm: GDM3 Distro: Ubuntu 23.04 (Lunar Lobster)
CPU:
Info: 8-core model: Intel Xeon E5-2630 v4 bits: 64 type: MCP arch: Broadwell
rev: 1 cache: L1: 512 KiB L2: 2 MiB L3: 200 MiB
Speed (MHz): avg: 2195 min/max: N/A cores: 1: 2195 2: 2195 3: 2195 4: 2195
5: 2195 6: 2195 7: 2195 8: 2195 bogomips: 35118
Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3
Graphics:
Device-1: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter
driver: vboxvideo v: kernel ports: active: VGA-1 empty: none bus-ID: 00:02.0
chip-ID: 80ee:beef
Display: x11 server: X.Org v: 1.21.1.7 with: Xwayland v: 22.1.8
compositor: gnome-shell driver: X: loaded: modesetting unloaded: fbdev,vesa
alternate: vboxvideo dri: swrast gpu: vboxvideo display-ID: :1 screens: 1
Screen-1: 0 s-res: 3576x1999 s-dpi: 96
Monitor-1: VGA-1 model: VBOX monitor res: 3576x1999 size: N/A
API: OpenGL v: 4.5 Mesa 23.0.4-0ubuntu1~23.04.1 renderer: llvmpipe (LLVM
15.0.7 256 bits) direct-render: Yes