glamor-egl, parameter checking

Seth Arnold seth.arnold at canonical.com
Wed Sep 25 18:29:07 PDT 2013 

Hello, I recently gave glamor-egl a very quick audit, and found some
issues that I wanted to run past someone who would know the code better
than I do.

- _glamor_poly_lines():
  - unchecked malloc() return value
  - if n = 1 is passed to the function, the malloc might allocate zero
    bytes:
            rects = malloc(sizeof(xRectangle) * (n - 1));
  Can n = 1 be a realistic input to this function? It appears to be
  callable from outside the library with arbitrary inputs.
  Is this safe?

- _pixman_region_init_clipped_rectangles()
  - The unsigned int num_rects argument is passed, unchecked, to
    boxes = malloc(sizeof(pixman_box16_t) * num_rects);
    -- can a large-enough value of num_rects cause a multiplication
    overflow here, allocating less memory than necessary?
  It appears to be callable from outside the library with arbitrary
  inputs. Is this safe?

- glamor_create_composite_fs() appears to have two unguarded divisions
  in relocate_texture that might result in divide-by-zero, wh.x and wh.y
  -- are these guarded somewhere else?

- glamor_create_composite_fs() appears to have an unguarded division in
  rel_sampler that might result in divide-by-zero, wh.xy -- is this
  guarded somewhere else?

- glamor_pixmap_attach_fbo() has a switch statement that uses
  fall-through after a block of code, but there's no comment nearby to
  assure the reader that it is intentional. Is it intentional? :)

There are several unchecked memory allocations:
  - glamor_compile_glsl_prog() unchecked malloc() return value
  - glamor_egl_init() unchecked calloc() return value glamor_egl
  - glamor_compute_clipped_regions_ext() unchecked calloc() return value
    result_regions
  - __glamor_compute_clipped_regions() unchecked calloc() return value
    clipped_regions
  - glamor_composite_largepixmap_region() unchecked malloc() return value
    source_pixmap_priv

(While it's true malloc() will almost never return NULL, someone may
someday wish to run this code with overcommit turned off, and it'd be
better to be safe.)

Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.x.org/archives/xorg-devel/attachments/20130925/5248b3f9/attachment.pgp>

More information about the xorg-devel mailing list