[PATCH xserver] xwayland: avoid a crash with empty window pixmaps

Daniel Stone daniel at fooishbar.org
Thu Jan 18 11:22:24 UTC 2018


Hi Olivier,

On 18 January 2018 at 10:41, Olivier Fourdan <ofourdan at redhat.com> wrote:
> This is a rare occurrence of a crash in Xwayland for which I don't have
> the reproducing steps, just a core file.
>
> The backtrace looks as follows:
>
>   [...]
>   #6  <signal handler called>
>   #7  xwl_glamor_pixmap_get_wl_buffer () at xwayland-glamor.c:162
>   #8  xwl_screen_post_damage () at xwayland.c:514
>   #9  block_handler () at xwayland.c:665
>   [...]
>
> The crash is caused by dereferencing “xwl_pixmap->buffer” in
> xwl_glamor_pixmap_get_wl_buffer() because “xwl_pixmap” is NULL.
>
> The reason for this is that the corresponding pixmap has a size of 0×0
> and no xwl_pixmap is created for pixmaps of size 0×0.
>
> Avoid the NULL pointer dereference by checking the actual “xwl_pixmap”
> value in both glamor and shm implementations of pixmap_get_wl_buffer()
> and return a NULL buffer if there is no “xwl_pixmap”.

Odd; how could we have a realized 0x0 window which also has damage? I
wonder if this isn't actually a UAF where the xwl_window has since
been unrealized, in which case you should be able to reproduce pretty
easily by causing damage on a window and then immediately destroying
it. In that case, we just need
wl_list_remove(&xwl_window->link_damage) inside
xwl_window_unrealize().

Cheers,
Daniel
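The use-after-free hypothesis in the reply above, modelled in C as an added example that is not Xwayland's code: a damaged window sits on the screen's damage list, so if it goes away without being unlinked, the block handler's list walk still reaches it. The list helpers mimic the shape of wl_list but are written here, and `xwl_window`, `xwl_screen`, `damage_report` and `run_scenario` are hypothetical stand-ins for the real structures and call sites.

```c
#include <stddef.h>

/* Constructed model, not Xwayland code: a wl_list-style intrusive list. */
struct list { struct list *prev, *next; };
static void list_insert(struct list *head, struct list *elm)
{
    elm->prev = head; elm->next = head->next;
    head->next = elm; elm->next->prev = elm;
}
static void list_remove(struct list *elm)
{
    elm->prev->next = elm->next; elm->next->prev = elm->prev;
    elm->prev = elm->next = NULL;   /* NULL links mean "not queued" */
}

/* Hypothetical stand-ins for xwl_window and the per-screen damage list. */
struct xwl_window { int realized; struct list link_damage; };
struct xwl_screen { struct list damage_window_list; };

/* A window is queued at most once when it reports damage. */
static void damage_report(struct xwl_screen *s, struct xwl_window *w)
{
    if (w->link_damage.next == NULL)
        list_insert(&s->damage_window_list, &w->link_damage);
}
/* Buggy: the window goes away but its list entry stays linked. */
static void unrealize_buggy(struct xwl_window *w) { w->realized = 0; }
/* Fixed, as the reply suggests: unlink from the damage list first. */
static void unrealize_fixed(struct xwl_window *w)
{
    if (w->link_damage.next != NULL) list_remove(&w->link_damage);
    w->realized = 0;
}

/* Walk the list as the block handler would and count stale entries;
 * in the real server each stale entry is a dangling pointer dereference. */
static int post_damage_stale_entries(struct xwl_screen *s)
{
    int stale = 0;
    for (struct list *l = s->damage_window_list.next; l != &s->damage_window_list; l = l->next) {
        struct xwl_window *w = (struct xwl_window *)((char *)l - offsetof(struct xwl_window, link_damage));
        stale += !w->realized;
    }
    return stale;
}

/* Two realized windows report damage, then window a is unrealized. */
int run_scenario(int use_fix)
{
    struct xwl_screen s = { { &s.damage_window_list, &s.damage_window_list } };
    struct xwl_window a = { 1, { NULL, NULL } }, b = { 1, { NULL, NULL } };
    damage_report(&s, &a); damage_report(&s, &b);
    if (use_fix) unrealize_fixed(&a); else unrealize_buggy(&a);
    return post_damage_stale_entries(&s);   /* 1 when buggy, 0 when fixed */
}
```

The `realized` flag stands in for freed memory so the walk stays safe to run; in the server the stale entry is exactly the window whose xwl_pixmap is gone when the block handler dereferences it.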

