From 2957bf04fc2847fdfb43c427cd77fdcb9df0a159 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 May 2025 16:39:28 +0200
Subject: [PATCH] randr: add BUG_* checks for possible NULL pointer issue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ‘RRCrtcNotify() and RRCrtcSet() functions are exported, so there's chance that a buggy driver could call them with NULL parameter, leading to segfault. Those are hard to trace, so it's better having a BUG_* check here.

| ../randr/rrcrtc.c: In function ‘RRCrtcNotify’:
| ../randr/rrcrtc.c:187:5: warning: use of NULL ‘outputs’ where non-null expected [CWE-476] [-Wanalyzer-null-argument]
| 187 | memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ../randr/rrcrtc.c: In function ‘RRCrtcSet’:
| ../randr/rrcrtc.c:742:20: warning: dereference of NULL ‘outputs’ [CWE-476] [-Wanalyzer-null-dereference]
| 742 | if (outputs[o]) {
| | ~~~~~~~^~~

Signed-off-by: Enrico Weigelt, metux IT consult
---
 randr/rrcrtc.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index b828b7301..55e32ae82 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -20,12 +20,16 @@
 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
 * OF THIS SOFTWARE.
 */
+#include
+
+#include
+
+#include "os/bug_priv.h"
 #include "randrstr_priv.h"
 #include "swaprep.h"
 #include "mipointer.h"
-#include
 RESTYPE RRCrtcType = 0;
@@ -181,10 +185,13 @@ RRCrtcNotify(RRCrtcPtr crtc,
 crtc->outputs = newoutputs;
 crtc->numOutputs = numOutputs;
 }
+
 /*
 * Copy the new list of outputs into the crtc
 */
+ BUG_RETURN_VAL(outputs == NULL, FALSE);
 memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
+
 /*
 * Update remaining crtc fields
 */
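Review bot: In RRCrtcNotify the new `BUG_RETURN_VAL(outputs == NULL, FALSE);` runs after the context lines `crtc->outputs = newoutputs;` and `crtc->numOutputs = numOutputs;`, so when it fires the function returns FALSE with the crtc already switched to the resized array, whose entries were never filled in. Checking at the top of the function, before any crtc field is written, would keep the failure path free of side effects; the function body starts and ends outside this hunk, so the reallocation path is inferred from those two lines. The condition also rejects a NULL list when `numOutputs` is 0, which is the natural way to describe a CRTC with no outputs, so a disable path may now fail and log a BUG on every call (callers are not visible in this patch and should be checked). `BUG_RETURN_VAL(numOutputs > 0 && outputs == NULL, FALSE);` covers both analyzer findings quoted in the commit message without that side effect, and the same applies to the check added at the top of RRCrtcSet in the next hunk.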
@@ -735,6 +742,8 @@ RRCrtcSet(RRCrtcPtr crtc,
 Bool crtcChanged;
 int o;
+ BUG_RETURN_VAL(outputs == NULL, FALSE);
+
 rrScrPriv(pScreen);
 crtcChanged = FALSE;