Bug 33892

Summary: Xorg crash with SIGSEGV in uxa_solid_rects() with NULL solid
Product: xorg Reporter: Bryce Harrington <bryce>
Component: Driver/intelAssignee: Chris Wilson <chris>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium    
Version: git   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
0001-Check-return-value-of-uxa_acquire_solid-since-it-can.patch none

Description Bryce Harrington 2011-02-04 00:18:35 UTC 
Created attachment 42915 [details] [review]
0001-Check-return-value-of-uxa_acquire_solid-since-it-can.patch

Program received signal SIGSEGV, Segmentation fault.
0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
1070 ../../uxa/uxa-render.c: No such file or directory.
 in ../../uxa/uxa-render.c
(gdb) backtrace full
#0 0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
        solid = 0x0
        src_off_x = 135352438
        src_off_y = -1075839992
        error = 199458944
        screen = <value optimized out>
        dst_pixmap = 0xbe37f88
        src_pixmap = 0x0
        region = {extents = {x1 = 28, y1 = 102, x2 = 313, y2 = 143}, data = 0xbe37cd0}
        boxes = 0xbe37cd8
        extents = <value optimized out>
        src = 0x0
        dst_x = 0
        dst_y = 0
        num_boxes = 4
#1 0x081183f8 in CompositeRects (op=3 '\003', pDst=0xbe38080, color=0xbdb73c0, nRect=4, rects=0xbdb73c8) at ../../render/picture.c:1734
        ps = <value optimized out>
#2 0x0811c690 in ProcRenderFillRectangles (client=0xb22e528) at ../../render/render.c:1475
        pDst = 0xbe38080
        things = <value optimized out>
        stuff = 0xbdb73b4
#3 0x08118a33 in ProcRenderDispatch (client=0xb22e528) at ../../render/render.c:2051
        stuff = <value optimized out>
#4 0x0806f6c7 in Dispatch () at ../../dix/dispatch.c:432
        clientReady = 0xb3fa048
        result = <value optimized out>
        client = 0xb22e528
        nready = 0
        icheck = 0x8204138
        start_tick = 30960
#5 0x0806264c in main (argc=8, argv=0xbfdffe54, envp=0xbfdffe78) at ../../dix/main.c:291
        i = <value optimized out>
        alwaysCheckForInput = {0, 1}

Cause of the crash is due to unchecked return value from uxa_acquire_solid():


                        solid = uxa_acquire_solid(screen, src->pSourcePict);
                        FreePicture(src, 0);

                        src = solid;
                        src_pixmap = uxa_get_offscreen_pixmap(src->pDrawable,
                                                              &src_off_x, &src_off_y);

uxa_acquire_solid returns NULL under a variety of (valid) error conditions.  Thus the value of solid must be checked before dereferencing it in the uxa_get_offscreen() call.
Comment 1 Chris Wilson 2011-02-04 00:58:11 UTC 
Just a minor quibble over the wording, since it under OOM it will fail.
Many thanks!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.