Hi Olivier,

On 18 January 2018 at 10:41, Olivier Fourdan <ofour...@redhat.com> wrote:
> This is a rare occurrence of a crash in Xwayland for which I don't have
> the reproducing steps, just a core file.
>
> The backtrace looks as follows:
>
> [...]
> #6 <signal handler called>
> #7 xwl_glamor_pixmap_get_wl_buffer () at xwayland-glamor.c:162
> #8 xwl_screen_post_damage () at xwayland.c:514
> #9 block_handler () at xwayland.c:665
> [...]
>
> The crash is caused by dereferencing "xwl_pixmap->buffer" in
> xwl_glamor_pixmap_get_wl_buffer() because "xwl_pixmap" is NULL.
>
> Reason for this is because the corresponding pixmap has a size of 0x0
> and no xwl_pixmap is created for pixmaps of size 0x0.
>
> Avoid the NULL pointer dereference by checking the actual "xwl_pixmap"
> value in both glamor and shm implementations of pixmap_get_wl_buffer()
> and return a NULL buffer if there is no "xwl_pixmap".
Odd; how could we have a realized 0x0 window which also has damage?

I wonder if this isn't actually a UAF where the xwl_window has since been unrealized, in which case you should be able to reproduce pretty easily by causing damage on a window and then immediately destroying it. In that case, we just need wl_list_remove(&xwl_window->link_damage) inside xwl_window_unrealize().

Cheers,
Daniel
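As an added illustration (not code from this thread or from Xwayland itself), here is a small C model of the lifetime problem Daniel describes: a window that reported damage stays on the screen's damage list through an intrusive list link, and unrealizing it without unlinking would leave post_damage walking into freed memory. The wl_list helpers are reimplemented in the style of libwayland, and the xwl_screen/xwl_window layout, the function names and the "next == NULL means unlinked" check are assumptions made for the example.

```c
#include <stdlib.h>
/* Minimal intrusive list in the style of libwayland's wl_list (reimplemented). */
struct wl_list { struct wl_list *prev, *next; };
static void wl_list_init(struct wl_list *l) { l->prev = l->next = l; }
static void wl_list_insert(struct wl_list *l, struct wl_list *e) {
    e->prev = l; e->next = l->next; l->next = e; e->next->prev = e;
}
static void wl_list_remove(struct wl_list *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    e->prev = e->next = NULL;                  /* mark the node as unlinked */
}
/* Hypothetical stand-ins for Xwayland's xwl_screen / xwl_window. */
struct xwl_screen { struct wl_list damage_window_list; };
struct xwl_window { struct xwl_screen *screen; struct wl_list link_damage; };

struct xwl_window *xwl_window_realize(struct xwl_screen *s) {
    struct xwl_window *w = calloc(1, sizeof *w); /* zeroed link = unlinked */
    w->screen = s;
    return w;
}
/* Damage report: queue the window (once) for the next block handler. */
void xwl_window_report_damage(struct xwl_window *w) {
    if (w->link_damage.next == NULL)
        wl_list_insert(&w->screen->damage_window_list, &w->link_damage);
}
/* The fix Daniel suggests: unlink before freeing, so post_damage never
 * dereferences a freed xwl_window through a stale list entry. */
void xwl_window_unrealize(struct xwl_window *w) {
    if (w->link_damage.next != NULL)
        wl_list_remove(&w->link_damage);
    free(w);
}
/* Number of windows post_damage would visit on the next block handler run. */
int xwl_screen_pending_damage(const struct xwl_screen *s) {
    int n = 0;
    for (const struct wl_list *it = s->damage_window_list.next; it != &s->damage_window_list; it = it->next)
        n++;
    return n;
}
/* Scenario from the thread: damage window a, destroy it immediately; a second
 * still-realized window b must keep its queued damage. */
int scenario_damage_then_destroy(void) {
    struct xwl_screen s;
    wl_list_init(&s.damage_window_list);
    struct xwl_window *a = xwl_window_realize(&s), *b = xwl_window_realize(&s);
    xwl_window_report_damage(a);
    xwl_window_report_damage(b);
    xwl_window_unrealize(a);
    int pending = xwl_screen_pending_damage(&s);   /* 1: only b remains */
    xwl_window_unrealize(b);
    return pending;
}
```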