Commit 99f0365b "Add a command line argument for disabling indirect GLX" added a test to check if indirect contexts are enabled in `DoCreateContext()`, but `__glXDisp_CreateContextAttribsARB()` doesn't use `DoCreateContext()` and doesn't check if indirect contexts are enabled.
As a result, clients can still manage to create indirect contexts using `glXCreateContextAttribsARB()` even if indirect contexts are disabled, which can possibly crash Xservers such as Xwayland or Xephyr when the context is destroyed. To avoid the issue, check for `enableIndirectGLX` in `__glXDisp_CreateContextAttribsARB()` as well. Fixes: 99f0365b "Add a command line argument for disabling indirect GLX" Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107508 Signed-off-by: Olivier Fourdan <ofour...@redhat.com> --- glx/createcontext.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/glx/createcontext.c b/glx/createcontext.c index 7d09c3a1c..24b02ddfb 100644 --- a/glx/createcontext.c +++ b/glx/createcontext.c @@ -28,6 +28,7 @@ #include "glxserver.h" #include "glxext.h" #include "indirect_dispatch.h" +#include "opaque.h" #define ALL_VALID_FLAGS \ (GLX_CONTEXT_DEBUG_BIT_ARB | GLX_CONTEXT_FORWARD_COMPATIBLE_BIT_ARB \ @@ -320,6 +321,17 @@ __glXDisp_CreateContextAttribsARB(__GLXclientState * cl, GLbyte * pc) err = BadAlloc; } else { + /* Only allow creating indirect GLX contexts if allowed by + * server command line. Indirect GLX is of limited use (since + * it's only GL 1.4), it's slower than direct contexts, and + * it's a massive attack surface for buffer overflow type + * errors. + */ + if (!enableIndirectGLX) { + client->errorValue = req->isDirect; + return BadValue; + } + ctx = glxScreen->createContext(glxScreen, config, shareCtx, req->numAttribs, (uint32_t *) attribs, &err); -- 2.17.1 _______________________________________________ xorg-devel@lists.x.org: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: https://lists.x.org/mailman/listinfo/xorg-devel
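Review bot: the new test in the second hunk is keyed on `enableIndirectGLX` alone and never looks at `req->isDirect`, so it only rejects indirect contexts because it sits in the `else` branch of the surrounding `if`/`else` split; a one-line comment stating that the branch is the indirect path (or folding the condition into the branch itself) would keep the check from silently rejecting direct contexts if those branches are ever rearranged. Since the check returns `BadValue` with `client->errorValue = req->isDirect` and has no dependency on the parsed attributes or the share context, it could also be performed earlier in `__glXDisp_CreateContextAttribsARB()`, before the attribute parsing and `shareCtx` lookup, so a server started with indirect GLX disabled rejects the request before doing any of that work.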