author | Keith Packard <keithp@keithp.com> | 2012-06-21 18:45:18 -0700 |
---|---|---|
committer | Jeremy Huddleston Sequoia <jeremyhu@apple.com> | 2012-08-01 17:31:49 -0700 |
commit | 6f4b6bca4c8f823adf83519b40f02b39a0c271ed (patch) | |
tree | 10ab8530190416ca835455cd7fd6c29daf151186 | |
parent | 47c61c56472f885e355f4b5e932f5282c1a7b1f5 (diff) |
randr: Catch two more potential unset rrScrPriv uses

Ricardo Salveti <ricardo.salveti@linaro.org> found one place where the
randr code could use the randr screen private data without checking
for null first. This happens when the X server is running with
multiple screens, some of which are randr enabled and some of which
are not. Applications making protocol requests to the non-randr
screens can cause segfaults where the server touches the unset private
structure.

I audited the code and found two more possible problem spots; the
trick to auditing for this issue was to look for functions not taking
a RandR data structure and where there was no null screen private
check above them in the call graph.

Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 855003c333a0ead1db912695bc9705ef2b3144b4)

-rw-r--r-- | randr/rroutput.c | 3 | ||||
-rw-r--r-- | randr/rrscreen.c | 3 |
2 files changed, 5 insertions, 1 deletions
diff --git a/randr/rroutput.c b/randr/rroutput.c index 091e06b8a..fbd0e32b3 100644 --- a/randr/rroutput.c +++ b/randr/rroutput.c @@ -546,7 +546,8 @@ ProcRRSetOutputPrimary(ClientPtr client) } pScrPriv = rrGetScrPriv(pWin->drawable.pScreen); - RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output); + if (pScrPriv) + RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output); return Success; } diff --git a/randr/rrscreen.c b/randr/rrscreen.c index f570afaf4..55110e088 100644 --- a/randr/rrscreen.c +++ b/randr/rrscreen.c @@ -248,6 +248,9 @@ ProcRRSetScreenSize(ClientPtr client) pScreen = pWin->drawable.pScreen; pScrPriv = rrGetScrPriv(pScreen); + if (!pScrPriv) + return BadMatch; + if (stuff->width < pScrPriv->minWidth || pScrPriv->maxWidth < stuff->width) { client->errorValue = stuff->width; return BadValue; |
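
Review bot: In the randr/rroutput.c hunk (ProcRRSetOutputPrimary), the new `if (pScrPriv)` guard skips the RRSetPrimaryOutput call but still falls through to `return Success;`, so a client that targets a non-RandR screen is told the request succeeded although nothing was set. The ProcRRSetScreenSize hunk in this same patch answers the same condition with BadMatch; either return BadMatch here as well, or add a comment stating why silent success is the intended reply for this request.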
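
Review bot: In the randr/rrscreen.c hunk (ProcRRSetScreenSize), the `if (!pScrPriv) return BadMatch;` check is placed correctly ahead of the first dereference (`pScrPriv->minWidth`), but nothing in the code says what a NULL screen private means. A one-line comment that the screen is not RandR-enabled would help the next audit, and since the same guard now follows rrGetScrPriv in both files touched here, a shared helper or macro that does the lookup and the NULL check together would make it harder for a new request handler to omit it.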