[PATCH 2/2] randr: Catch two more potential unset rrScrPriv uses

Keith Packard keithp at keithp.com
Thu Jun 21 18:51:31 PDT 2012

Ricardo Salveti <ricardo.salveti at linaro.org> found one place where the
randr code could use the randr screen private data without checking
for null first. This happens when the X server is running with
multiple screens, some of which are randr enabled and some of which
are not. Applications making protocol requests to the non-randr
screens can cause segfaults where the server touches the unset private

I audited the code and found two more possible problem spots; the
trick to auditing for this issue was to look for functions not taking
a RandR data structure and where there was no null screen private
check above them in the call graph.

Signed-off-by: Keith Packard <keithp at keithp.com>
 randr/rroutput.c |    3 ++-
 randr/rrscreen.c |    3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/randr/rroutput.c b/randr/rroutput.c
index 091e06b..fbd0e32 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -546,7 +546,8 @@ ProcRRSetOutputPrimary(ClientPtr client)
     pScrPriv = rrGetScrPriv(pWin->drawable.pScreen);
-    RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
+    if (pScrPriv)
+        RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
     return Success;
diff --git a/randr/rrscreen.c b/randr/rrscreen.c
index f570afa..55110e0 100644
--- a/randr/rrscreen.c
+++ b/randr/rrscreen.c
@@ -248,6 +248,9 @@ ProcRRSetScreenSize(ClientPtr client)
     pScreen = pWin->drawable.pScreen;
     pScrPriv = rrGetScrPriv(pScreen);
+    if (!pScrPriv)
+        return BadMatch;
     if (stuff->width < pScrPriv->minWidth || pScrPriv->maxWidth < stuff->width) {
         client->errorValue = stuff->width;
         return BadValue;

More information about the xorg-devel mailing list