From 2a47e328641c061d73b3fc4602343500d18500c1 Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Tue, 14 Mar 2017 15:22:31 +0100 Subject: glamor: Check for NULL pixmap in glamor_get_pixmap_texture() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit glamor_create_pixmap() would return a NullPixmap if the given size is larger than the maximum size of a pixmap. But glamor_get_pixmap_texture() won't check if the given pixmap is non-null, leading to a segfault if glamor_create_pixmap() failed. This can be reproduced by passing Xephyr a very large screen width, e.g.: $ Xephyr -glamor -screen 32768x1024 :10 (EE) (EE) Backtrace: (EE) 0: Xephyr (OsSigHandler+0x29) (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) (EE) 2: Xephyr (glamor_get_pixmap_texture+0x30) (EE) 3: Xephyr (ephyr_glamor_create_screen_resources+0xc6) (EE) 4: Xephyr (ephyrCreateResources+0x98) (EE) 5: Xephyr (dix_main+0x275) (EE) 6: /lib64/libc.so.6 (__libc_start_main+0xf1) (EE) 7: Xephyr (_start+0x2a) (EE) 8: ? (?+0x2a) [0x2a] (EE) (EE) Segmentation fault at address 0x0 (EE) Fatal server error: (EE) Caught signal 11 (Segmentation fault). Server aborting (EE) Aborted (core dumped) Bugzilla: https://bugzilla.redhat.com/1431633 Reviewed-by: Michel Dänzer Signed-off-by: Olivier Fourdan (cherry picked from commit f40ff18c96e02ff18a367bf53feeb4bd8ee952a0) --- glamor/glamor.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'glamor') diff --git a/glamor/glamor.c b/glamor/glamor.c index c54cf3b43..2467443e0 100644 --- a/glamor/glamor.c +++ b/glamor/glamor.c @@ -133,6 +133,9 @@ glamor_get_pixmap_texture(PixmapPtr pixmap) { glamor_pixmap_private *pixmap_priv = glamor_get_pixmap_private(pixmap); + if (!pixmap_priv) + return 0; + if (pixmap_priv->type != GLAMOR_TEXTURE_ONLY) return 0; -- cgit v1.2.3
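Review bot: the added check in glamor_get_pixmap_texture() tests `pixmap_priv`, not `pixmap`, and it runs after `pixmap` has already been passed to glamor_get_pixmap_private(). The subject line says the NULL pixmap is what gets checked. As written, the fix is only correct if glamor_get_pixmap_private() itself tolerates a NULL pixmap and returns NULL, which is not visible in this hunk. Either test the argument directly before the call (`if (!pixmap) return 0;`) or add a comment stating that the helper returns NULL for a NULL pixmap, so a later change to the helper does not silently reintroduce the dereference at address 0x0 shown in the backtrace. Separately, returning 0 here makes the failure indistinguishable from the existing `type != GLAMOR_TEXTURE_ONLY` case. The caller in the backtrace, ephyr_glamor_create_screen_resources(), still receives no explicit signal that glamor_create_pixmap() failed for the oversized screen, so a check of the glamor_create_pixmap() result at that call site would be worth a follow-up.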