diff options
author | David Benjamin <davidben@google.com> | 2024-03-24 19:43:58 -0400 |
---|---|---|
committer | David Benjamin <davidben@google.com> | 2024-03-24 20:00:01 -0400 |
commit | 8a7ecd774c4032f30949665b42910c2d2cae53f2 (patch) | |
tree | 1a2f955d0570cd592703c96ef01890a997af005e | |
parent | aa2a6d560bb2ec39b0643103942dc7b3dfa5976c (diff) |
util: fix undefined behavior in wl_array_for_each
If a wl_array has size zero, wl_array_for_each computes NULL + 0 to get
to the end pointer. This should be fine, and indeed it would be fine in
C++. But the C specification has a mistake here and it is actually
undefined behavior. See
https://davidben.net/2024/01/15/empty-slices.html
Clang's -fsanitize=undefined flags this. I ran into this in Chromium's
build with wayland-scanner on one of our XML files.
../../third_party/wayland/src/src/scanner.c:1853:2: runtime error: applying zero offset to null pointer
#0 0x55c979b8e02c in emit_code third_party/wayland/src/src/scanner.c:1853:2
#1 0x55c979b89323 in main third_party/wayland/src/src/scanner.c
#2 0x7f8dfdb8c6c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x7f8dfdb8c784 in __libc_start_main csu/../csu/libc-start.c:360:3
#4 0x55c979b70f39 in _start (...)
An empty XML file is sufficient to hit this case, so I've added it as a
test. To reproduce, undo the fix and include only the test, then build
with:
CC=clang CFLAGS="-fno-sanitize-recover=undefined" meson build/ -Db_sanitize=undefined -Db_lundef=false
ninja -C build test
Signed-off-by: David Benjamin <davidben@google.com>
-rw-r--r-- | src/wayland-util.h | 1 | ||||
-rw-r--r-- | tests/data/empty-client.h | 83 | ||||
-rw-r--r-- | tests/data/empty-code.c | 20 | ||||
-rw-r--r-- | tests/data/empty-server.h | 58 | ||||
-rw-r--r-- | tests/data/empty.xml | 7 | ||||
-rwxr-xr-x | tests/scanner-test-gen.sh | 4 | ||||
-rwxr-xr-x | tests/scanner-test.sh | 4 |
7 files changed, 177 insertions, 0 deletions
diff --git a/src/wayland-util.h b/src/wayland-util.h index c99069c..929a34f 100644 --- a/src/wayland-util.h +++ b/src/wayland-util.h @@ -598,6 +598,7 @@ wl_array_copy(struct wl_array *array, struct wl_array *source); */ #define wl_array_for_each(pos, array) \ for (pos = (array)->data; \ + (array)->size != 0 && \ (const char *) pos < ((const char *) (array)->data + (array)->size); \ (pos)++) diff --git a/tests/data/empty-client.h b/tests/data/empty-client.h new file mode 100644 index 0000000..bf1264a --- /dev/null +++ b/tests/data/empty-client.h @@ -0,0 +1,83 @@ +/* SCANNER TEST */ + +#ifndef EMPTY_CLIENT_PROTOCOL_H +#define EMPTY_CLIENT_PROTOCOL_H + +#include <stdint.h> +#include <stddef.h> +#include "wayland-client.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @page page_empty The empty protocol + * @section page_ifaces_empty Interfaces + * - @subpage page_iface_empty - + */ +struct empty; + +#ifndef EMPTY_INTERFACE +#define EMPTY_INTERFACE +/** + * @page page_iface_empty empty + * @section page_iface_empty_api API + * See @ref iface_empty. + */ +/** + * @defgroup iface_empty The empty interface + */ +extern const struct wl_interface empty_interface; +#endif + +#define EMPTY_EMPTY 0 + + +/** + * @ingroup iface_empty + */ +#define EMPTY_EMPTY_SINCE_VERSION 1 + +/** @ingroup iface_empty */ +static inline void +empty_set_user_data(struct empty *empty, void *user_data) +{ + wl_proxy_set_user_data((struct wl_proxy *) empty, user_data); +} + +/** @ingroup iface_empty */ +static inline void * +empty_get_user_data(struct empty *empty) +{ + return wl_proxy_get_user_data((struct wl_proxy *) empty); +} + +static inline uint32_t +empty_get_version(struct empty *empty) +{ + return wl_proxy_get_version((struct wl_proxy *) empty); +} + +/** @ingroup iface_empty */ +static inline void +empty_destroy(struct empty *empty) +{ + wl_proxy_destroy((struct wl_proxy *) empty); +} + +/** + * @ingroup iface_empty + */ +static inline void +empty_empty(struct empty *empty) +{ + wl_proxy_marshal_flags((struct wl_proxy *) empty, + EMPTY_EMPTY, NULL, wl_proxy_get_version((struct wl_proxy *) empty), 0); +} + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tests/data/empty-code.c b/tests/data/empty-code.c new file mode 100644 index 0000000..6f0f619 --- /dev/null +++ b/tests/data/empty-code.c @@ -0,0 +1,20 @@ +/* SCANNER TEST */ + +#include <stdlib.h> +#include <stdint.h> +#include "wayland-util.h" + + +static const struct wl_interface *empty_types[] = { +}; + +static const struct wl_message empty_requests[] = { + { "empty", "", empty_types + 0 }, +}; + +WL_EXPORT const struct wl_interface empty_interface = { + "empty", 1, + 1, empty_requests, + 0, NULL, +}; + diff --git a/tests/data/empty-server.h b/tests/data/empty-server.h new file mode 100644 index 0000000..4baf6d6 --- /dev/null +++ b/tests/data/empty-server.h @@ -0,0 +1,58 @@ +/* SCANNER TEST */ + +#ifndef EMPTY_SERVER_PROTOCOL_H +#define EMPTY_SERVER_PROTOCOL_H + +#include <stdint.h> +#include <stddef.h> +#include "wayland-server.h" + +#ifdef __cplusplus +extern "C" { +#endif + +struct wl_client; +struct wl_resource; + +/** + * @page page_empty The empty protocol + * @section page_ifaces_empty Interfaces + * - @subpage page_iface_empty - + */ +struct empty; + +#ifndef EMPTY_INTERFACE +#define EMPTY_INTERFACE +/** + * @page page_iface_empty empty + * @section page_iface_empty_api API + * See @ref iface_empty. + */ +/** + * @defgroup iface_empty The empty interface + */ +extern const struct wl_interface empty_interface; +#endif + +/** + * @ingroup iface_empty + * @struct empty_interface + */ +struct empty_interface { + /** + */ + void (*empty)(struct wl_client *client, + struct wl_resource *resource); +}; + + +/** + * @ingroup iface_empty + */ +#define EMPTY_EMPTY_SINCE_VERSION 1 + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/tests/data/empty.xml b/tests/data/empty.xml new file mode 100644 index 0000000..2549d8f --- /dev/null +++ b/tests/data/empty.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="UTF-8"?> +<protocol name="empty"> + <interface name="empty" version="1"> + <request name="empty"> + </request> + </interface> +</protocol> diff --git a/tests/scanner-test-gen.sh b/tests/scanner-test-gen.sh index 5af1a72..cf4f79f 100755 --- a/tests/scanner-test-gen.sh +++ b/tests/scanner-test-gen.sh @@ -19,3 +19,7 @@ generate "-c client-header" "small.xml" "small-client-core.h" generate "-c server-header" "small.xml" "small-server-core.h" generate "private-code" "small.xml" "small-private-code.c" + +generate "code" "empty.xml" "empty-code.c" +generate "client-header" "empty.xml" "empty-client.h" +generate "server-header" "empty.xml" "empty-server.h" diff --git a/tests/scanner-test.sh b/tests/scanner-test.sh index 35ba047..4f4da7a 100755 --- a/tests/scanner-test.sh +++ b/tests/scanner-test.sh @@ -67,6 +67,10 @@ generate_and_compare "code" "small.xml" "small-code.c" generate_and_compare "public-code" "small.xml" "small-code.c" generate_and_compare "private-code" "small.xml" "small-private-code.c" +generate_and_compare "code" "empty.xml" "empty-code.c" +generate_and_compare "client-header" "empty.xml" "empty-client.h" +generate_and_compare "server-header" "empty.xml" "empty-server.h" + verify_error "bad-identifier-arg.xml" "bad-identifier-arg.log" 7 verify_error "bad-identifier-entry.xml" "bad-identifier-entry.log" 8 verify_error "bad-identifier-enum.xml" "bad-identifier-enum.log" 6 |