randr: add BUG_* checks for possible NULL pointer issue

The RRCrtcNotify() and RRCrtcSet() functions are exported, so there's a chance
that a buggy driver could call them with a NULL parameter, leading to a segfault.
Those are hard to trace, so it's better to have a BUG_* check here.

| ../randr/rrcrtc.c: In function ‘RRCrtcNotify’:
| ../randr/rrcrtc.c:187:5: warning: use of NULL ‘outputs’ where non-null expected [CWE-476] [-Wanalyzer-null-argument]
|   187 |     memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
|       |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| ../randr/rrcrtc.c: In function ‘RRCrtcSet’:
| ../randr/rrcrtc.c:742:20: warning: dereference of NULL ‘outputs’ [CWE-476] [-Wanalyzer-null-dereference]
|   742 |         if (outputs[o]) {
|       |             ~~~~~~~^~~

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Enrico Weigelt, metux IT consult 2025-05-06 16:39:28 +02:00
parent 90cd5c38ee
commit 5193f57aae


@ -22,13 +22,15 @@
*/
#include <dix-config.h>
#include <X11/Xatom.h>
#include "randr/randrstr_priv.h"
#include "randr/rrdispatch_priv.h"
#include "os/bug_priv.h"
#include "swaprep.h"
#include "mipointer.h"
#include <X11/Xatom.h>
RESTYPE RRCrtcType = 0;
@ -184,10 +186,13 @@ RRCrtcNotify(RRCrtcPtr crtc,
crtc->outputs = newoutputs;
crtc->numOutputs = numOutputs;
}
/*
* Copy the new list of outputs into the crtc
*/
BUG_RETURN_VAL(outputs == NULL, FALSE);
memcpy(crtc->outputs, outputs, numOutputs * sizeof(RROutputPtr));
/*
* Update remaining crtc fields
*/
@ -749,6 +754,8 @@ RRCrtcSet(RRCrtcPtr crtc,
Bool crtcChanged;
int o;
BUG_RETURN_VAL(outputs == NULL, FALSE);
rrScrPriv(pScreen);
crtcChanged = FALSE;
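Review bot: In RRCrtcNotify the new `BUG_RETURN_VAL(outputs == NULL, FALSE);` sits after `crtc->outputs = newoutputs; crtc->numOutputs = numOutputs;`, so when it fires the function returns with the count already updated but the array never filled, and later walks over crtc->outputs would read stale or uninitialised pointers. The check belongs at function entry, before any crtc field is touched. In both functions the test also ignores the count: a caller passing NULL together with numOutputs == 0 (presumably a legitimate way to configure a CRTC with no outputs; the callers are not visible on this page) would now log a bug and get FALSE, so I would use `BUG_RETURN_VAL(numOutputs > 0 && outputs == NULL, FALSE);`. Both function bodies start and end outside the hunks shown.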