Ricardo Salveti <[email protected]> found one place where the randr code could use the randr screen private data without checking for null first. This happens when the X server is running with multiple screens, some of which are randr enabled and some of which are not. Applications making protocol requests to the non-randr screens can cause segfaults where the server touches the unset private structure.
I audited the code and found two more possible problem spots; the trick to auditing for this issue was to look for functions not taking a RandR data structure and where there was no null screen private check above them in the call graph. Signed-off-by: Keith Packard <[email protected]> --- randr/rroutput.c | 3 ++- randr/rrscreen.c | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/randr/rroutput.c b/randr/rroutput.c index 091e06b..fbd0e32 100644 --- a/randr/rroutput.c +++ b/randr/rroutput.c @@ -546,7 +546,8 @@ ProcRRSetOutputPrimary(ClientPtr client) } pScrPriv = rrGetScrPriv(pWin->drawable.pScreen); - RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output); + if (pScrPriv) + RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output); return Success; } diff --git a/randr/rrscreen.c b/randr/rrscreen.c index f570afa..55110e0 100644 --- a/randr/rrscreen.c +++ b/randr/rrscreen.c @@ -248,6 +248,9 @@ ProcRRSetScreenSize(ClientPtr client) pScreen = pWin->drawable.pScreen; pScrPriv = rrGetScrPriv(pScreen); + if (!pScrPriv) + return BadMatch; + if (stuff->width < pScrPriv->minWidth || pScrPriv->maxWidth < stuff->width) { client->errorValue = stuff->width; return BadValue; -- 1.7.10 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
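Review bot: In the rroutput.c hunk, ProcRRSetOutputPrimary still falls through to `return Success;` when `pScrPriv` is NULL, so a client addressing a non-RandR screen is told the primary output was set when nothing happened. The rrscreen.c hunk of this same patch answers the identical condition with `return BadMatch;`. Either return an error here as well (`if (!pScrPriv) return BadMatch;` before the call) or add a comment saying that silently ignoring the request on a non-RandR screen is intended, so the two handlers do not look accidentally inconsistent.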
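Review bot: In the rrscreen.c hunk, the new `if (!pScrPriv) return BadMatch;` in ProcRRSetScreenSize has no comment explaining when the screen private can be NULL. The check is correctly placed ahead of the first dereference (`pScrPriv->minWidth`), but a reader who sees only this function cannot tell it covers the multi-screen case described in the commit message. A one-line comment above the check, noting that the screen may not be RandR enabled, would keep the guard from being removed as dead code later.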
