[Wayland-bugs] [Bug 93833] NULL dereference in weston_pointer_send_frame with RDP backend
bugzilla-daemon at freedesktop.org
Mon Jan 25 22:15:27 PST 2016
https://bugs.freedesktop.org/show_bug.cgi?id=93833
--- Comment #5 from Laurentiu Nicola <lnicola at dend.ro> ---
(In reply to Jonas Ådahl from comment #3)
> (In reply to Laurentiu Nicola from comment #2)
> > Connecting with freerdp seems to work, at least with my patch applied.
>
> Do you have that patch somewhere?
Sorry, what I meant is that even after fixing the crash here (see attached
patch), weston still crashes with mstsc, while it works with wfreerdp. When I
made that comment I didn't know whether connecting with wfreerdp worked without
my initial patch.
I tested it in the meanwhile and:
1. the original code crashes with both wfreerdp and mstsc
2. with my fix, wfreerdp can connect, while mstsc can't:
[08:12:30.778] kbd_layout:0x409 kbd_type:0x7 kbd_subType:0x0 kbd_functionKeys:0xc
[08:12:30.778] xf_peer_activate: matching layout=us variant=(null)
[08:12:30.886] unable to checkDescriptor for 0x731010
[Thread 0x7fffe860a700 (LWP 18653) exited]
[Thread 0x7fffe7e09700 (LWP 18652) exited]
[Thread 0x7fffe7608700 (LWP 18651) exited]
[Thread 0x7fffe6e07700 (LWP 18650) exited]
[08:12:30.889] input_method disconnected, respawning...
[08:12:30.889] launching '/usr/lib/weston/weston-keyboard'
wl_registry@2: error 0: invalid global wl_seat (14)
[08:12:30.893] Error: /usr/lib/weston/weston-desktop-shell apparently cannot run at all.
Quitting...wl_registry@2: error 0: invalid global wl_seat (14)
[Inferior 1 (process 18640) exited normally]
3. there are a few other places in the same file that lack the same NULL check
I'm not familiar with the code, so I don't know whether focus_client should be
NULL.
PS: while toying with it, I also got another crash:
Program received signal SIGSEGV, Segmentation fault.
weston_compositor_wake (compositor=compositor@entry=0x0) at ../src/compositor.c:3894
3894 uint32_t old_state = compositor->state;
(gdb) bt
#0 weston_compositor_wake (compositor=compositor@entry=0x0) at ../src/compositor.c:3894
#1 0x00000000004131c3 in notify_motion_absolute (seat=seat@entry=0x71c608, time=2089892085, x=x@entry=143872, y=y@entry=84992) at ../src/input.c:1281
#2 0x00007ffff61c4e3b in xf_mouseEvent (input=<optimized out>, flags=<optimized out>, x=<optimized out>, y=<optimized out>) at ../src/compositor-rdp.c:956
#3 0x00007ffff5f0f61c in fastpath_recv_inputs () from /usr/lib/libfreerdp.so.2.0
#4 0x00007ffff5f1f1b7 in ?? () from /usr/lib/libfreerdp.so.2.0
#5 0x00007ffff5f1f7a8 in ?? () from /usr/lib/libfreerdp.so.2.0
#6 0x00007ffff5f124f0 in transport_check_fds () from /usr/lib/libfreerdp.so.2.0
#7 0x00007ffff5f0b338 in rdp_check_fds () from /usr/lib/libfreerdp.so.2.0
#8 0x00007ffff5f1ef23 in ?? () from /usr/lib/libfreerdp.so.2.0
#9 0x00007ffff61c4c88 in rdp_client_activity (fd=<optimized out>, mask=<optimized out>, data=0x730ec0) at ../src/compositor-rdp.c:658
#10 0x00007ffff7bd2462 in wl_event_loop_dispatch () from /usr/lib/libwayland-server.so.0
#11 0x00007ffff7bd0cc5 in wl_display_run () from /usr/lib/libwayland-server.so.0
#12 0x000000000041c22b in main (argc=1, argv=0x7fffffffe4d8) at ../src/main.c:859
(gdb) l
3889 * Restarts the idle timer.
3890 */
3891 WL_EXPORT void
3892 weston_compositor_wake(struct weston_compositor *compositor)
3893 {
3894 uint32_t old_state = compositor->state;
3895
3896 /* The state needs to be changed before emitting the wake
3897 * signal because that may try to schedule a repaint which
3898 * will not work if the compositor is still sleeping */
(gdb) p compositor
$1 = (struct weston_compositor *) 0x0