From 21916ae148393ff09889cc486d8b8b72b0988958 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Thu, 25 Apr 2024 16:43:16 +0200
Subject: [PATCH] xwayland: Check for outputs before lease devices

In xwl_randr_request_lease(), the code checks first for leased device, and then checks for existing output for lease. The former assumes there are outputs for lease whereas the latter checks for the output, connector and lease. So if there is any existing rrLease->outputs[]->devPrivate unset, the code would crash on a NULL pointer dereference on the first sanity check before having a chance to reach the second check that would have caught the problem. Invert the sanity checks so that we would catch this first and return a BadValue instead of possibly segfaulting.

Signed-off-by: Olivier Fourdan
Reviewed-by: Xaver Hugl
Part-of:
---
 hw/xwayland/xwayland-drm-lease.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/hw/xwayland/xwayland-drm-lease.c b/hw/xwayland/xwayland-drm-lease.c
index 4f9004d8c..9d3b90f56 100644
--- a/hw/xwayland/xwayland-drm-lease.c
+++ b/hw/xwayland/xwayland-drm-lease.c
@@ -116,6 +116,13 @@ xwl_randr_request_lease(ClientPtr client, ScreenPtr screen, RRLeasePtr rrLease)
 return BadMatch;
 }
 
+ for (i = 0; i < rrLease->numOutputs; ++i) {
+ output = rrLease->outputs[i]->devPrivate;
+ if (!output || !output->lease_connector || output->lease) {
+ return BadValue;
+ }
+ }
+
 xorg_list_for_each_entry(device_data, &xwl_screen->drm_lease_devices, link) {
 Bool connectors_of_device = FALSE;
 for (i = 0; i < rrLease->numOutputs; ++i) {
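Review bot: The added validation loop passes vacuously when `rrLease->numOutputs` is 0, and nothing in either hunk guarantees that the device loop which follows it selects a device before `lease_device->drm_lease_device` is read in the second hunk's context. If `lease_device` can still be NULL at that point (its initialisation and assignment lie outside both hunks, so this is inferred), a guard such as `if (!lease_device) return BadValue;` ahead of the `wp_drm_lease_device_v1_create_lease_request()` call would close the same class of NULL dereference this commit targets. The ordering of the two loops is now load-bearing, so I would also put a comment above the new loop, e.g. `/* Must run before the device loop below, which uses each output's devPrivate without a NULL check. */`. The body of xwl_randr_request_lease() starts and ends outside the hunk.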
@@ -134,13 +141,6 @@ xwl_randr_request_lease(ClientPtr client, ScreenPtr screen, RRLeasePtr rrLease)
 }
 }
 
- for (i = 0; i < rrLease->numOutputs; ++i) {
- output = rrLease->outputs[i]->devPrivate;
- if (!output || !output->lease_connector || output->lease) {
- return BadValue;
- }
- }
-
 req = wp_drm_lease_device_v1_create_lease_request(
 lease_device->drm_lease_device);
 lease_private = calloc(1, sizeof(struct xwl_drm_lease));