Xext: panoramix: extra safety checks

Even though risk of being actually hit is minimal, better having some extra safety checks instead of segfaulting, just in case. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Xext: panoramix: protect from allocation failures
2025-05-12 17:41:34 +02:00 · 2025-05-12 17:41:30 +02:00 · 2025-05-12 17:41:27 +02:00 · 2025-05-12 17:41:24 +02:00 · 2025-05-12 17:41:20 +02:00 · 2025-05-12 17:41:17 +02:00
9 changed files with 84 additions and 38 deletions
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@ -806,7 +806,6 @@ extern void
 PanoramiXConsolidate(void)
 {
    int i;
-    PanoramiXRes *root, *defmap, *saver;
    ScreenPtr pScreen = screenInfo.screens[0];
    DepthPtr pDepth = pScreen->allowedDepths;
    VisualPtr pVisual = pScreen->visuals;
@ -820,11 +819,23 @@ PanoramiXConsolidate(void)
    for (i = 0; i < pScreen->numVisuals; i++)
        PanoramiXMaybeAddVisual(pVisual++);

-    root = malloc(sizeof(PanoramiXRes));
+    PanoramiXRes *root = calloc(1, sizeof(PanoramiXRes));
+    if (!root)
+        return;
+
    root->type = XRT_WINDOW;
-    defmap = malloc(sizeof(PanoramiXRes));
+    PanoramiXRes *defmap = calloc(1, sizeof(PanoramiXRes));
+    if (!defmap) {
+        free(root);
+        return;
+    }
    defmap->type = XRT_COLORMAP;
-    saver = malloc(sizeof(PanoramiXRes));
+    PanoramiXRes *saver = calloc(1, sizeof(PanoramiXRes));
+    if (!saver) {
+        free(root);
+        free(defmap);
+        return;
+    }
    saver->type = XRT_WINDOW;

    FOR_NSCREENS(i) {
@ -1253,11 +1264,15 @@ XineramaGetImageData(DrawablePtr *pDrawables,
                    for (j = 0, index = (pitch * y) + x, index2 = 0; j < h;
                         j++, index += pitch, index2 += ScratchPitch) {
                        if (w) {
-                            if (!shift)
+                            if (!shift) {
+                                assert(ScratchMem);
                                memcpy(data + index, ScratchMem + index2, w);
-                            else
+                            }
+                            else {
+                                assert(ScratchMem);
                                CopyBits(data + index, shift,
                                         ScratchMem + index2, w);
+                            }
                        }

                        if (leftover) {
@ -1277,6 +1292,7 @@ XineramaGetImageData(DrawablePtr *pDrawables,
                    w *= j;

                    for (j = 0; j < h; j++) {
+                        assert(ScratchMem);
                        memcpy(data + (pitch * (y + j)) + x,
                               ScratchMem + (ScratchPitch * j), w);
                    }
--- a/Xext/panoramiXprocs.c
+++ b/Xext/panoramiXprocs.c
@ -1098,7 +1098,7 @@ PanoramiXCopyArea(ClientPtr client)
    if ((dst->type == XRT_PIXMAP) && (src->type == XRT_WINDOW)) {
        DrawablePtr drawables[MAXSCREENS];
        DrawablePtr pDst;
-        GCPtr pGC;
+        GCPtr pGC = NULL;
        char *data;
        int pitch, rc;

@ -1136,7 +1136,7 @@ PanoramiXCopyArea(ClientPtr client)
        }
        free(data);

-        if (pGC->graphicsExposures) {
+        if (pGC && pGC->graphicsExposures) {
            RegionRec rgn;
            int dx, dy;
            BoxRec sourceBox;
--- a/Xext/shape.c
+++ b/Xext/shape.c
@ -938,7 +938,7 @@ ProcShapeGetRectangles(ClientPtr client)
    REQUEST(xShapeGetRectanglesReq);
    WindowPtr pWin;
    xShapeGetRectanglesReply rep;
-    xRectangle *rects;
+    xRectangle *rects = NULL;
    int nrects, i, rc;
    RegionPtr region;

@ -991,14 +991,16 @@ ProcShapeGetRectangles(ClientPtr client)

        nrects = RegionNumRects(region);
        box = RegionRects(region);
-        rects = xallocarray(nrects, sizeof(xRectangle));
-        if (!rects && nrects)
-            return BadAlloc;
-        for (i = 0; i < nrects; i++, box++) {
-            rects[i].x = box->x1;
-            rects[i].y = box->y1;
-            rects[i].width = box->x2 - box->x1;
-            rects[i].height = box->y2 - box->y1;
+        if (nrects) {
+            rects = calloc(nrects, sizeof(xRectangle));
+            if (!rects)
+                return BadAlloc;
+            for (i = 0; i < nrects; i++, box++) {
+                rects[i].x = box->x1;
+                rects[i].y = box->y1;
+                rects[i].width = box->x2 - box->x1;
+                rects[i].height = box->y2 - box->y1;
+            }
        }
    }
    rep = (xShapeGetRectanglesReply) {
--- a/Xext/shm.c
+++ b/Xext/shm.c
@ -1536,6 +1536,8 @@ ShmExtensionInit(void)
        for (i = 0; i < screenInfo.numScreens; i++) {
            ShmScrPrivateRec *screen_priv =
                ShmInitScreenPriv(screenInfo.screens[i]);
+            if (!screen_priv)
+                continue;
            if (!screen_priv->shmFuncs)
                screen_priv->shmFuncs = &miFuncs;
            if (!screen_priv->shmFuncs->CreatePixmap)
--- a/Xext/sync.c
+++ b/Xext/sync.c
@ -2647,16 +2647,15 @@ typedef struct {
 static void
 IdleTimeQueryValue(void *pCounter, int64_t *pValue_return)
 {
-    int deviceid;
+    int deviceid = XIAllDevices;
    CARD32 idle;

    if (pCounter) {
        SyncCounter *counter = pCounter;
        IdleCounterPriv *priv = SysCounterGetPrivate(counter);
-        deviceid = priv->deviceid;
+        if (priv)
+            deviceid = priv->deviceid;
    }
-    else
-        deviceid = XIAllDevices;
    idle = GetTimeInMillis() - LastEventTime(deviceid).milliseconds;
    *pValue_return = idle;
 }
@ -2666,6 +2665,8 @@ IdleTimeBlockHandler(void *pCounter, void *wt)
 {
    SyncCounter *counter = pCounter;
    IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+    if (!priv)
+        return;
    int64_t *less = priv->value_less;
    int64_t *greater = priv->value_greater;
    int64_t idle, old_idle;
@ -2756,6 +2757,8 @@ IdleTimeWakeupHandler(void *pCounter, int rc)
 {
    SyncCounter *counter = pCounter;
    IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+    if (!priv)
+        return;
    int64_t *less = priv->value_less;
    int64_t *greater = priv->value_greater;
    int64_t idle;
@ -2789,6 +2792,8 @@ IdleTimeBracketValues(void *pCounter, int64_t *pbracket_less,
 {
    SyncCounter *counter = pCounter;
    IdleCounterPriv *priv = SysCounterGetPrivate(counter);
+    if (!priv)
+        return;
    int64_t *less = priv->value_less;
    int64_t *greater = priv->value_greater;
    Bool registered = (less || greater);
@ -2818,20 +2823,24 @@ init_system_idle_counter(const char *name, int deviceid)

    IdleTimeQueryValue(NULL, &idle);

+    IdleCounterPriv *priv = calloc(1, sizeof(IdleCounterPriv));
+    if (!priv)
+        return NULL;
+
    idle_time_counter = SyncCreateSystemCounter(name, idle, resolution,
                                                XSyncCounterUnrestricted,
                                                IdleTimeQueryValue,
                                                IdleTimeBracketValues);

-    if (idle_time_counter != NULL) {
-        IdleCounterPriv *priv = malloc(sizeof(IdleCounterPriv));
-
-        priv->value_less = priv->value_greater = NULL;
-        priv->deviceid = deviceid;
-
-        idle_time_counter->pSysCounterInfo->private = priv;
+    if (!idle_time_counter) {
+        free(priv);
+        return NULL;
    }

+    priv->value_less = priv->value_greater = NULL;
+    priv->deviceid = deviceid;
+
+    idle_time_counter->pSysCounterInfo->private = priv;
    return idle_time_counter;
 }

--- a/Xext/vidmode.c
+++ b/Xext/vidmode.c
@ -739,7 +739,7 @@ ProcVidModeModModeLine(ClientPtr client)
    xXF86VidModeModModeLineReq newstuff;
    ScreenPtr pScreen;
    VidModePtr pVidMode;
-    DisplayModePtr mode, modetmp;
+    DisplayModePtr mode;
    int len, dotClock;
    int ver;

@ -805,7 +805,10 @@ ProcVidModeModModeLine(ClientPtr client)
    if (!pVidMode->GetCurrentModeline(pScreen, &mode, &dotClock))
        return BadValue;

-    modetmp = VidModeCreateMode();
+    DisplayModePtr modetmp = VidModeCreateMode();
+    if (!modetmp)
+        return BadAlloc;
+
    VidModeCopyMode(mode, modetmp);

    VidModeSetModeValue(modetmp, VIDMODE_H_DISPLAY, stuff->hdisplay);
@ -949,6 +952,9 @@ ProcVidModeValidateModeLine(ClientPtr client)
        return BadValue;

    modetmp = VidModeCreateMode();
+    if (!modetmp)
+        return BadAlloc;
+
    VidModeCopyMode(mode, modetmp);

    VidModeSetModeValue(modetmp, VIDMODE_H_DISPLAY, stuff->hdisplay);
@ -1370,7 +1376,7 @@ ProcVidModeGetDotClocks(ClientPtr client)
        swapl(&rep.flags);
    }
    WriteToClient(client, sizeof(xXF86VidModeGetDotClocksReply), &rep);
-    if (!ClockProg) {
+    if (!ClockProg && Clocks) {
        for (n = 0; n < numClocks; n++) {
            dotclock = Clocks[n];
            if (client->swapped) {
--- a/Xext/xres.c
+++ b/Xext/xres.c
@ -136,9 +136,11 @@ static void
 DestroyFragments(struct xorg_list *frags)
 {
    FragmentList *it, *tmp;
-    xorg_list_for_each_entry_safe(it, tmp, frags, l) {
-        xorg_list_del(&it->l);
-        free(it);
+    if (!xorg_list_is_empty(frags)) {
+        xorg_list_for_each_entry_safe(it, tmp, frags, l) {
+            xorg_list_del(&it->l);
+            free(it);
+        }
    }
 }

--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@ -313,6 +313,8 @@ SELinuxPopulateItem(SELinuxListItemRec * i, PrivateRec ** privPtr, CARD32 id,
    SELinuxObjectRec *obj = dixLookupPrivate(privPtr, objectKey);
    SELinuxObjectRec *data = dixLookupPrivate(privPtr, dataKey);

+    if (!i)
+        return BadValue;
    if (avc_sid_to_context_raw(obj->sid, &i->octx) < 0)
        return BadValue;
    if (avc_sid_to_context_raw(data->sid, &i->dctx) < 0)
@ -331,6 +333,9 @@ SELinuxFreeItems(SELinuxListItemRec * items, int count)
 {
    int k;

+    if (!items)
+        return;
+
    for (k = 0; k < count; k++) {
        freecon(items[k].octx);
        freecon(items[k].dctx);
@ -348,6 +353,9 @@ SELinuxSendItemsToClient(ClientPtr client, SELinuxListItemRec * items,
        goto out;
    }

+    if (!buf) // silence analyzer warning
+        goto sendreply;
+
    /* Fill in the buffer */
    for (k = 0; k < count; k++) {
        buf[pos] = items[k].id;
@ -371,6 +379,7 @@ SELinuxSendItemsToClient(ClientPtr client, SELinuxListItemRec * items,
        pos += items[k].dctx_len;
    }

+sendreply: ;
    /* Send reply to client */
    SELinuxListItemsReply rep = {
        .type = X_Reply,
--- a/Xext/xtest.c
+++ b/Xext/xtest.c
@ -385,7 +385,7 @@ ProcXTestFakeInput(ClientPtr client)
    switch (type) {
    case KeyPress:
    case KeyRelease:
-        if (!dev->key)
+        if ((!dev) || (!dev->key))
            return BadDevice;

        if (ev->u.u.detail < dev->key->xkbInfo->desc->min_key_code ||
@ -397,7 +397,7 @@ ProcXTestFakeInput(ClientPtr client)
        need_ptr_update = 0;
        break;
    case MotionNotify:
-        if (!dev->valuator)
+        if (!dev || !dev->valuator)
            return BadDevice;

        if (!(extension || ev->u.keyButtonPointer.root == None)) {
@ -428,7 +428,7 @@ ProcXTestFakeInput(ClientPtr client)
        break;
    case ButtonPress:
    case ButtonRelease:
-        if (!dev->button)
+        if (!dev || !dev->button)
            return BadDevice;

        if (!ev->u.u.detail || ev->u.u.detail > dev->button->numButtons) {
@ -442,7 +442,7 @@ ProcXTestFakeInput(ClientPtr client)

    valuator_mask_set_range(&mask, firstValuator, numValuators, valuators);

-    if (dev->sendEventsProc)
+    if (dev && dev->sendEventsProc)
        (*dev->sendEventsProc) (dev, type, ev->u.u.detail, flags, &mask);

    if (need_ptr_update)
Author	SHA1	Message	Date
Enrico Weigelt, metux IT consult	fc669d839e	Xext: panoramix: extra safety checks Even though risk of being actually hit is minimal, better having some extra safety checks instead of segfaulting, just in case. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:34 +02:00
Enrico Weigelt, metux IT consult	2b5e9043ec	Xext: panoramix: protect from allocation failures Handle memory allocations gracefully, instead of just segfaulting. Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:30 +02:00
Enrico Weigelt, metux IT consult	04a81859e5	Xext: panoramix: fix uninitialized variable \| ../Xext/panoramiXprocs.c: In function ‘PanoramiXCopyArea’: \| ../Xext/panoramiXprocs.c:1152:13: warning: use of uninitialized value ‘pGC’ [CWE-457] [-Wanalyzer-use-of-uninitialized-value] \| 1152 \| if (pGC && pGC->graphicsExposures) { \| \| ^~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:27 +02:00
Enrico Weigelt, metux IT consult	8651a45c9d	Xext: xtest: extra NULL checks Even though these probably never happen, it's still better having some (really cheap) extra checks, just in case. \| ../Xext/xtest.c: In function ‘ProcXTestFakeInput’: \| ../Xext/xtest.c:385:17: warning: dereference of NULL ‘dev’ [CWE-476] [-Wanalyzer-null-dereference] \| 385 \| if (!dev->key) \| \| ~~~^~~~~ \| ../Xext/xtest.c:442:12: warning: dereference of NULL ‘dev’ [CWE-476] [-Wanalyzer-null-dereference] \| 442 \| if (dev->sendEventsProc) \| \| ~~~^~~~~~~~~~~~~~~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:24 +02:00
Enrico Weigelt, metux IT consult	bf5d98bfbd	Xext: shape: fix warning on possible NULL dereference Try not to rely on deep black magic of calloc(), instead skip the whole part of nrects is zero. \| ../Xext/shape.c: In function ‘ProcShapeGetRectangles’: \| ../Xext/shape.c:995:24: warning: dereference of possibly-NULL ‘rects’ [CWE-690] [-Wanalyzer-possible-null-dereference] \| 995 \| rects[i].x = box->x1; \| \| ~~~~~~~~~~~^~~~~~~~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:20 +02:00
Enrico Weigelt, metux IT consult	4180f9f445	Xext: shm: protect against possible NULL dereference \| ../Xext/shm.c: In function ‘ShmExtensionInit’: \| ../Xext/shm.c:1534:29: warning: dereference of possibly-NULL ‘screen_priv’ [CWE-690] [-Wanalyzer-possible-null-dereference] \| 1534 \| if (!screen_priv->shmFuncs) \| \| ~~~~~~~~~~~^~~~~~~~~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:17 +02:00
Enrico Weigelt, metux IT consult	2ab12e0a89	Xext: vidmode: protect against alloc failures and NULL pointers Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:13 +02:00
Enrico Weigelt, metux IT consult	123807c247	Xext: selinux: fix possible NULL dereference > ../Xext/xselinux_ext.c: In function ‘SELinuxSendItemsToClient’: > ../Xext/xselinux_ext.c:358:18: warning: dereference of possibly-NULL ‘buf’ [CWE-690] [-Wanalyzer-possible-null-dereference] > 358 \| buf[pos] = items[k].id; > \| ~~~~~~~~~^~~~~~~~~~~~~ > ../Xext/xselinux_ext.c: In function ‘SELinuxFreeItems’: > ../Xext/xselinux_ext.c:335:9: warning: dereference of possibly-NULL ‘items’ [CWE-690] [-Wanalyzer-possible-null-dereference] > 335 \| freecon(items[k].octx); > \| ^~~~~~~~~~~~~~~~~~~~~~ > ../Xext/xselinux_ext.c: In function ‘SELinuxPopulateItem’: > ../Xext/xselinux_ext.c:321:11: warning: dereference of possibly-NULL ‘i’ [CWE-690] [-Wanalyzer-possible-null-dereference] > 321 \| i->id = id; > \| ~~~~~~^~~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:10 +02:00
Enrico Weigelt, metux IT consult	fba3ce0d95	Xext: sync: protect from NULL pointer dereference > ../Xext/sync.c: In function ‘IdleTimeQueryValue’: > ../Xext/sync.c:2654:18: warning: dereference of NULL ‘priv’ [CWE-476] [-Wanalyzer-null-dereference] > 2654 \| deviceid = priv->deviceid; > \| ~~~~~~~~~^~~~~~~~~~~~~~~~ > ../Xext/sync.c: In function ‘IdleTimeBlockHandler’: > ../Xext/sync.c:2666:14: warning: dereference of NULL ‘priv’ [CWE-476] [-Wanalyzer-null-dereference] > 2666 \| int64_t less = priv->value_less; > \| ^~~~ > ../Xext/sync.c:2773:9: warning: dereference of NULL ‘priv’ [CWE-476] [-Wanalyzer-null-dereference] > 2773 \| if (LastEventTimeWasReset(priv->deviceid)) { > \| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ../Xext/sync.c: In function ‘IdleTimeBracketValues’: > ../Xext/sync.c:2791:14: warning: dereference of NULL ‘priv’ [CWE-476] [-Wanalyzer-null-dereference] > 2791 \| int64_t less = priv->value_less; > \| ^~~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:04 +02:00
Enrico Weigelt, metux IT consult	2d6fdfd7c8	Xext: sync: protect init_system_idle_counter() from allocation failure Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:41:00 +02:00
Enrico Weigelt, metux IT consult	58d4316106	Xext: xres: protect against free()ing from non-heap > ../Xext/xres.c: In function ‘DestroyFragments’: > ../Xext/xres.c:124:9: warning: ‘free’ of ‘it’ which points to memory on the stack [CWE-590] [-Wanalyzer-free-of-non-heap] > 124 \| free(it); > \| ^~~~~~~~ Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>	2025-05-12 17:40:49 +02:00