[PATCH xserver] xwayland: avoid a crash with empty window pixmaps
Olivier Fourdan
ofourdan at redhat.com
Thu Jan 18 12:12:38 UTC 2018
Hi Daniel,
On Thu, Jan 18, 2018 at 12:22 PM, Daniel Stone <daniel at fooishbar.org> wrote:
> Odd; how could we have a realized 0x0 window which also has damage?
>
Hehe, yep, I had the same question, but didn't find the answer... :)
> I wonder if this isn't actually a UAF where the xwl_window has since
> been unrealized, in which case you should be able to reproduce pretty
> easily by causing damage on a window and then immediately destroying
> it. In that case, we just need
> wl_list_remove(&xwl_window->link_damage) inside
> xwl_window_unrealize().
>
But we do already do an “xorg_list_del(&xwl_window->link_damage);” in
xwl_window_unrealize().
However, we do that only if xwl_window is a thing and the damage region is
not empty:
https://cgit.freedesktop.org/xorg/xserver/tree/hw/xwayland/xwayland.c#n583
Weird...
Cheers,
Olivier