From 5193f57aaebbd8f11da362d4308af3049ff427a9 Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Tue, 6 May 2025 16:39:28 +0200
Subject: [PATCH] randr: add BUG_* checks for possible NULL pointer issue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ‘RRCrtcNotify() and RRCrtcSet() functions are exported, so there's chance that a buggy driver could call them with NULL parameter, leading to segfault. Those are hard to trace, so it's better having a BUG_* check here.

| ../randr/rrcrtc.c: In function ‘RRCrtcNotify’:
| ../randr/rrcrtc.c:187:5: warning: use of NULL ‘outputs’ where non-null expected [CWE-476] [-Wanalyzer-null-argument]
| 187 | memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| ../randr/rrcrtc.c: In function ‘RRCrtcSet’:
| ../randr/rrcrtc.c:742:20: warning: dereference of NULL ‘outputs’ [CWE-476] [-Wanalyzer-null-dereference]
| 742 | if (outputs[o]) {
| | ~~~~~~~^~~

Signed-off-by: Enrico Weigelt, metux IT consult
---
 randr/rrcrtc.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index d1e13e3f1..e08afb595 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -22,13 +22,15 @@
 */
 #include
+#include
+
 #include "randr/randrstr_priv.h"
 #include "randr/rrdispatch_priv.h"
+#include "os/bug_priv.h"
 #include "swaprep.h"
 #include "mipointer.h"
-#include
 RESTYPE RRCrtcType = 0;
@@ -184,10 +186,13 @@ RRCrtcNotify(RRCrtcPtr crtc,
 crtc->outputs = newoutputs;
 crtc->numOutputs = numOutputs;
 }
+
 /*
 * Copy the new list of outputs into the crtc
 */
+ BUG_RETURN_VAL(outputs == NULL, FALSE);
 memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
+
 /*
 * Update remaining crtc fields
 */
@@ -749,6 +754,8 @@ RRCrtcSet(RRCrtcPtr crtc,
 Bool crtcChanged;
 int o;
+ BUG_RETURN_VAL(outputs == NULL, FALSE);
+
 rrScrPriv(pScreen);
 crtcChanged = FALSE;
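Review bot: The `BUG_RETURN_VAL(outputs == NULL, FALSE)` added before the memcpy in RRCrtcNotify runs after `crtc->outputs = newoutputs;` and `crtc->numOutputs = numOutputs;`, so on a NULL list the function bails out with the crtc already advertising `numOutputs` entries in a buffer that was never filled, and later readers of `crtc->outputs` see uninitialised pointers instead of the crash the check was meant to avoid. The check belongs at the top of RRCrtcNotify, before the output array is reallocated; the function's start is outside this hunk. It should also tolerate a NULL list when `numOutputs == 0`, which is a plausible way to describe a crtc with no outputs and is the only case where the flagged memcpy is itself the problem: `BUG_RETURN_VAL(outputs == NULL && numOutputs > 0, FALSE);` at entry and `if (numOutputs > 0) memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));` here. The RRCrtcSet hunk below has the same count-blind condition; the analyzer warning it cites (`outputs[o]` at line 742) is inside a loop bounded by numOutputs, and if the request handler passes NULL for a zero-output configuration, a previously valid client request would now fail and log a bug.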