[PATCH RFC xserver 0/2] glamor pixmap FBO array can be NULL

Olivier Fourdan ofourdan at redhat.com
Tue Mar 14 13:58:25 UTC 2017


Downstream bugzilla https://bugzilla.redhat.com/1417575 relates to a 
crash in glamor:


While this is clearly a client bug, I reckon the Xserver should not

It appears that glamor_create_fbo_array() can fail to allocate the FBO
array, but then we always assume that the FBO returned by further calls
to glamor_pixmap_fbo_at() is not NULL.

To avoid the issue, check for the value returned by glamor_pixmap_fbo_at()
and return early without crashing when NULL, and change the API of
glamor_set_destination_drawable() to return a boolean, that will be FALSE
if the FBO is NULL so that we can check for that value and use a
fallback code path when this occurs.

There are some cases where we don't have a fallback code path, in which
case we'll avoid the crash in glamor_set_destination_drawable() but won't
render properly, but this is a rare occurrence and not rendering properly
is still better than crashing the X server and the user losing his/her
entire session...

Note, I tried but failed to come up with a simple reproducer client for
this bug, thus the RFC status of the following patches...


Olivier Fourdan (2):
  glamor: glamor_set_destination_drawable() can fail
  glamor: Check glamor_set_destination_drawable() return value

 glamor/glamor_copy.c      | 17 ++++++++++-------
 glamor/glamor_glyphblt.c  | 26 ++++++++++++++++----------
 glamor/glamor_lines.c     | 13 ++++++++-----
 glamor/glamor_points.c    | 14 ++++++++------
 glamor/glamor_rects.c     | 16 +++++++++++-----
 glamor/glamor_segs.c      | 14 ++++++++------
 glamor/glamor_spans.c     | 13 ++++++++-----
 glamor/glamor_transform.c | 11 +++++++++--
 glamor/glamor_transform.h |  2 +-
 9 files changed, 79 insertions(+), 47 deletions(-)
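
The pattern the cover letter describes (a lookup that may return NULL, a setter that reports failure as a boolean, and a caller that switches to a fallback path), as an added C example that is not part of the original e-mail or of the glamor patches. All `toy_*` names, types and the sample pixmaps are hypothetical stand-ins constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-ins for illustration; not glamor's real types. */
struct toy_fbo { int id; };
struct toy_pixmap {
    int block_wcnt, block_hcnt;  /* tile grid dimensions */
    struct toy_fbo **fbo_array;  /* NULL when the array allocation failed */
};
enum toy_path { TOY_PATH_GL, TOY_PATH_FALLBACK };
static struct toy_fbo *toy_bound_fbo;  /* models the bound render target */

/* Lookup reports a missing array or a missing entry as NULL. */
static struct toy_fbo *toy_pixmap_fbo_at(const struct toy_pixmap *p, int box)
{
    if (p->fbo_array == NULL || box < 0 || box >= p->block_wcnt * p->block_hcnt)
        return NULL;
    return p->fbo_array[box];
}

/* Returns false instead of dereferencing a NULL FBO. */
static bool toy_set_destination(const struct toy_pixmap *p, int box)
{
    struct toy_fbo *fbo = toy_pixmap_fbo_at(p, box);
    if (fbo == NULL)
        return false;
    toy_bound_fbo = fbo;
    return true;
}

/* Caller checks the result and takes the fallback path on failure. */
static enum toy_path toy_fill(const struct toy_pixmap *p)
{
    int box, n = p->block_wcnt * p->block_hcnt;
    for (box = 0; box < n; box++) {
        if (!toy_set_destination(p, box))
            return TOY_PATH_FALLBACK;
        /* accelerated drawing into toy_bound_fbo would go here */
    }
    return TOY_PATH_GL;
}

/* Constructed inputs: 0 = no array, 1 = one entry missing, 2 = complete. */
static enum toy_path toy_demo(int which)
{
    static struct toy_fbo a = { 1 }, b = { 2 };
    static struct toy_fbo *full[2] = { &a, &b }, *hole[2] = { &a, NULL };
    struct toy_pixmap p = { 2, 1, which == 0 ? NULL : which == 1 ? hole : full };
    return toy_fill(&p);
}
```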

