Handle wl_array_add() failures (!205) · Merge requests · wayland / wayland

Aleksandr Mezin requested to merge amezin/wayland:main into main Jan 26, 2022

Handle wl_array_add() failures in direct and indirect callers.

Direct:

wl_map_reserve_new()
wl_map_insert_at()

In both cases, unchecked wl_array_add() caused writes past the end of the allocated buffer if realloc() failed.

These functions now set errno so the caller can distinguish a memory allocation failure from an invalid id.

Indirect (through wl_map_reserve_new(), wl_map_insert_at() or wl_map_insert_new()):

wl_connection_demarshal(): modified to pass errno from wl_map_reserve_new() to the caller correctly.
wl_display_connect_to_fd(): now returns NULL and properly cleans up after memory allocation failure.
wl_resource_create(), wl_client_add_resource(): now handle wl_map_insert_new() failure, don't post WL_DISPLAY_ERROR_INVALID_OBJECT on memory allocation failure.

In wl_resource_create(), unchecked wl_map_insert_new() (returns 0 on failure) can cause the resource to be created with id=0 (and inserted into the map). Not sure what consequences it could have.

wl_map_insert_at() calls in wl_resource_destroy(), proxy_destroy() were left unchecked, because a) they should replace existing ids only - no memory allocation b) no idea what could be done if wl_map_insert_at() fails there anyway (nothing?)

Edited Feb 13, 2022 by Aleksandr Mezin

Handle wl_array_add() failures

Merge request reports