xwayland: do not crash if `gbm_bo_create()` fails (!47) · Merge requests · xorg / xserver

Olivier Fourdan requested to merge ofourdan/xserver:gnome-mutter-issue-340 into master Oct 19, 2018

The function xwl_glamor_gbm_create_pixmap() first creates a buffer objects and then creates the xwl_pixmap from it.

However, xwl_glamor_gbm_create_pixmap_for_bo() is not called if the buffer object creation fails, and xwl_glamor_gbm_create_pixmap() simply returns glamor_create_pixmap().

The problem with this is that if xwl_glamor_gbm_create_pixmap_for_bo() is not called then neither is xwl_pixmap_set_private() and further calls to xwl_pixmap_get() will return NULL and causes a NULL poitner dereference if the return value is not checked:

  #0  xwl_glamor_gbm_get_wl_buffer_for_pixmap ()
      at hw/xwayland/xwayland-glamor-gbm.c:248
  #1  xwl_window_post_damage () at hw/xwayland/xwayland.c:697
  #2  xwl_display_post_damage () at hw/xwayland/xwayland.c:759
  #3  block_handler () at hw/xwayland/xwayland.c:890
  #4  BlockHandler () at dix/dixutils.c:388
  #5  WaitForSomething () at os/WaitFor.c:201
  #6  Dispatch () at dix/dispatch.c:421
  #7  dix_main () at dix/main.c:276
  #8  __libc_start_main () at ../csu/libc-start.c:308
  #9  _start ()

  (gdb) print xwl_pixmap
  $1 = (struct xwl_pixmap *) 0x0

Make sure we check for xwl_pixmap_get() returned value where relevant and fail gracefully if this is the case.

See also: https://gitlab.gnome.org/GNOME/mutter/issues/340 Signed-off-by: Olivier Fourdan ofourdan@redhat.com

Edited Oct 19, 2018 by Olivier Fourdan

xwayland: do not crash if `gbm_bo_create()` fails

Merge request reports