[PATCH] DRI2: Don't return bogus data when driverType is unrecognized

Aaron Plattner aplattner at nvidia.com
Thu Oct 15 11:55:04 PDT 2009


Return BadValue instead, like the code intended.

Signed-off-by: Aaron Plattner <aplattner at nvidia.com>
---
This is potentially a denial of service if driverName or deviceName happen
to point to unmapped memory because the very next thing ProcDRI2Connect
does is pass them into strlen.

I'll send an alternate patch that preserves the ABI by just returning FALSE.

 glx/glxdri2.c             |    4 ++--
 hw/xfree86/dri2/dri2.c    |    8 +++++---
 hw/xfree86/dri2/dri2.h    |    2 +-
 hw/xfree86/dri2/dri2ext.c |   21 +++++++++++++--------
 4 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index ed7dc80..7e78b17 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -602,8 +602,8 @@ __glXDRIscreenProbe(ScreenPtr pScreen)
 	return NULL;
 
     if (!xf86LoaderCheckSymbol("DRI2Connect") ||
-	!DRI2Connect(pScreen, DRI2DriverDRI,
-		     &screen->fd, &driverName, &deviceName)) {
+	DRI2Connect(pScreen, DRI2DriverDRI,
+		    &screen->fd, &driverName, &deviceName) != Success) {
 	LogMessage(X_INFO,
 		   "AIGLX: Screen %d is not DRI2 capable\n", pScreen->myNum);
 	return NULL;
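Review bot: A screen without DRI2 now passes this check, because the reworked DRI2Connect (dri2.c hunk) returns Success with both names set to NULL when DRI2GetScreen() yields NULL, where the old code returned FALSE and took the "not DRI2 capable" branch. The probe then carries on with `driverName == NULL` and `screen->fd` unwritten; the code that consumes them lies past the end of this hunk, so the exact failure is not visible here. The condition should reject that case as well, for example by appending `|| driverName == NULL` after the `!= Success` comparison. __glXDRIscreenProbe starts and ends outside the hunk.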
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index d15ced1..d4b63a5 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -377,14 +377,16 @@ DRI2DestroyDrawable(DrawablePtr pDraw)
     }
 }
 
-Bool
+int
 DRI2Connect(ScreenPtr pScreen, unsigned int driverType, int *fd,
 	    const char **driverName, const char **deviceName)
 {
     DRI2ScreenPtr ds = DRI2GetScreen(pScreen);
 
+    *driverName = *deviceName = NULL;
+
     if (ds == NULL)
-	return FALSE;
+	return Success;
 
     if (driverType != DRI2DriverDRI)
 	return BadValue;
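Review bot: `*fd` is never written on the `ds == NULL` path even though the function now reports Success there, so a caller that trusts the status can read an indeterminate descriptor. Initialise it together with the names, e.g. `*fd = -1;` next to `*driverName = *deviceName = NULL;`. Since Success no longer implies usable outputs, the contract should also be stated above the function, for example `/* Returns Success with *driverName and *deviceName NULL when the screen has no DRI2; BadValue for an unrecognized driverType. */`. The statement that presumably assigns `*fd` on the normal path falls between this hunk and the next and is not shown.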
@@ -393,7 +395,7 @@ DRI2Connect(ScreenPtr pScreen, unsigned int driverType, int *fd,
     *driverName = ds->driverName;
     *deviceName = ds->deviceName;
 
-    return TRUE;
+    return Success;
 }
 
 Bool
diff --git a/hw/xfree86/dri2/dri2.h b/hw/xfree86/dri2/dri2.h
index 175471a..95969aa 100644
--- a/hw/xfree86/dri2/dri2.h
+++ b/hw/xfree86/dri2/dri2.h
@@ -91,7 +91,7 @@ extern _X_EXPORT Bool DRI2ScreenInit(ScreenPtr	pScreen,
 
 extern _X_EXPORT void DRI2CloseScreen(ScreenPtr pScreen);
 
-extern _X_EXPORT Bool DRI2Connect(ScreenPtr pScreen,
+extern _X_EXPORT int DRI2Connect(ScreenPtr pScreen,
 		 unsigned int driverType,
 		 int *fd,
 		 const char **driverName,
diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index dc07b47..b6fab20 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -116,16 +116,21 @@ ProcDRI2Connect(ClientPtr client)
     rep.driverNameLength = 0;
     rep.deviceNameLength = 0;
 
-    if (!DRI2Connect(pDraw->pScreen,
-		     stuff->driverType, &fd, &driverName, &deviceName))
-	goto fail;
+    status = DRI2Connect(pDraw->pScreen, stuff->driverType, &fd, &driverName,
+		         &deviceName);
+    if (status != Success) {
+	if (status == BadValue)
+	    client->errorValue = stuff->driverType;
+	return status;
+    }
 
-    rep.driverNameLength = strlen(driverName);
-    rep.deviceNameLength = strlen(deviceName);
-    rep.length = (rep.driverNameLength + 3) / 4 +
-	    (rep.deviceNameLength + 3) / 4;
+    if (driverName != NULL) {
+	rep.driverNameLength = strlen(driverName);
+	rep.deviceNameLength = strlen(deviceName);
+	rep.length = (rep.driverNameLength + 3) / 4 +
+		(rep.deviceNameLength + 3) / 4;
+    }
 
- fail:
     WriteToClient(client, sizeof(xDRI2ConnectReply), &rep);
     WriteToClient(client, rep.driverNameLength, driverName);
     WriteToClient(client, rep.deviceNameLength, deviceName);
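Review bot: The new guard tests only `driverName`, yet `strlen(deviceName)` runs under it too. DRI2Connect copies the two pointers from separate fields (`ds->driverName`, `ds->deviceName`), and nothing visible in this patch guarantees the second is non-NULL whenever the first is, so a driver that registers a name without a device path would still crash the server here. Checking both is cheap: `if (driverName != NULL && deviceName != NULL) {`. On the no-DRI2 path the two trailing WriteToClient calls are also handed a NULL buffer with length 0; that relies on WriteToClient ignoring zero-length writes, which is worth confirming. ProcDRI2Connect starts and ends outside the hunk.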
-- 
1.6.0.4


