[PATCH xserver] xwayland: Fix a segfault with pointer locking

Peter Hutterer peter.hutterer at who-t.net
Tue Sep 5 01:36:58 UTC 2017


On Thu, Aug 31, 2017 at 10:23:00AM +0200, Olivier Fourdan wrote:
> Xwayland would crash in some circumstances while trying to issue a
> pointer lock when the cursor is hidden and there is no seat focus
> window set.
> 
> The crash signature looks like:
> 
>  #0  zwp_pointer_constraints_v1_lock_pointer ()
>  #1  xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
>  #2  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
>  #3  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
>  #4  xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
>  #5  xwl_set_cursor () at xwayland-cursor.c:245
>  #6  miPointerUpdateSprite () at mipointer.c:468
>  #7  miPointerDisplayCursor () at mipointer.c:206
>  #8  CursorDisplayCursor () at cursor.c:150
>  #9  AnimCurDisplayCursor () at animcur.c:220
>  #10 ChangeToCursor () at events.c:936
>  #11 ActivatePointerGrab () at events.c:1542
>  #12 GrabDevice () at events.c:5120
>  #13 ProcGrabPointer () at events.c:4908
>  #14 Dispatch () at dispatch.c:478
>  #15 dix_main () at main.c:276
> 
> xwl_pointer_warp_emulator_lock() tries to use the surface from the
> xwl_seat->focus_window leading to a NULL pointer dereference when that
> value is NULL.
> 
> Check that xwl_seat->focus_window is not NULL earlier in the stack in
> xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
> to avoid the crash.
> 
> Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
> Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>

seems to make sense to me, pushed, thanks

   3fbc3c3ee..cdd0352ba  master -> master

Cheers,
   Peter

> ---
>  hw/xwayland/xwayland-input.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/xwayland/xwayland-input.c b/hw/xwayland/xwayland-input.c
> index 92e530d0d..acb467b91 100644
> --- a/hw/xwayland/xwayland-input.c
> +++ b/hw/xwayland/xwayland-input.c
> @@ -2749,6 +2749,9 @@ xwl_seat_maybe_lock_on_hidden_cursor(struct xwl_seat *xwl_seat)
>          !xwl_seat->cursor_confinement_window)
>          return FALSE;
>  
> +    if (!xwl_seat->focus_window)
> +        return FALSE;
> +
>      if (xwl_seat->confined_pointer)
>          xwl_seat_destroy_confined_pointer(xwl_seat);
>  
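Review bot: the new NULL check guards only this call site; xwl_pointer_warp_emulator_lock() itself still dereferences xwl_seat->focus_window (per the commit message), so any other path that reaches it with no focus window keeps the same crash. Consider adding the guard inside xwl_pointer_warp_emulator_lock() as well, or at least a one-line comment above `if (!xwl_seat->focus_window)` explaining that the lock needs the focus window's surface. Note also that the check sits before `if (xwl_seat->confined_pointer)`, so an existing confinement is deliberately left in place when there is no focus window; that is reasonable, but worth stating in the comment so a later reorder does not change it.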
> -- 
> 2.13.5
> 
