Bug 53018

Summary: Unguarded derefs in wayland-client.c can cause segfaults
Product: Wayland Reporter: Joe Konno <joe.konno>
Component: wayland Assignee: Wayland bug list <wayland-bugs>
Status: VERIFIED NOTABUG QA Contact:
Severity: critical    
Priority: medium CC: brian.j.lovin, ullysses.a.eoff
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Joe Konno 2012-07-31 17:53:24 UTC
If wayland/src/wayland-client.c:wl_proxy_get_user_data(), or a like function, is called with a NULL actual param, Wayland will segfault and kill the compositor and any running programs.

The segfaults were originally seen with an EFL test application that, programmatically, opened/closed windows and switched back and forth between the shared memory and EGL backends. This test application reproduced the issue in 1 of 6 executions.

This behavior is most easily reproduced with the aid of well-placed gdb breakpoints and overwriting the value (0x0) of the actual param.
Comment 1 Joe Konno 2012-08-01 17:30:54 UTC
Raising severity as this issue is hindering test development and execution.
Comment 2 Kristian Høgsberg 2012-08-01 17:34:54 UTC
tHIS IS
Comment 3 Kristian Høgsberg 2012-08-01 17:36:42 UTC
This is not a bug; passing NULL to wl_proxy_get_user_data() is not valid input and results in undefined behavior (i.e. crash). strlen(), for example, has the same behaviour.
Comment 4 Joe Konno 2012-08-01 17:55:19 UTC
Thanks for the input, Kristian!
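
The resolution in comment 3 puts the NULL check on the caller. The following is an added example, not part of the bug thread and not libwayland code, of a client that enforces that precondition in a handler that can run after its proxy has been released. `demo_proxy`, `demo_window` and all `demo_*` functions are hypothetical stand-ins; the accessor deliberately keeps the unguarded dereference the report describes.

```c
#include <stdlib.h>

/* Stand-in for an opaque proxy type; NOT libwayland's struct wl_proxy. */
struct demo_proxy { void *user_data; };

/* Contract as in comment 3: proxy must be non-NULL; NULL is undefined behavior. */
static void *demo_proxy_get_user_data(struct demo_proxy *proxy)
{
    return proxy->user_data;
}
/* Hypothetical client window; surface is NULL once the window is closed. */
struct demo_window { struct demo_proxy *surface; int frames_drawn; };

static struct demo_window *demo_window_open(void)
{
    struct demo_window *win = calloc(1, sizeof *win);
    if (!win) return NULL;
    win->surface = calloc(1, sizeof *win->surface);
    if (!win->surface) { free(win); return NULL; }
    win->surface->user_data = win;
    return win;
}

/* Release the proxy and clear the pointer so later use is detectable. */
static void demo_window_close(struct demo_window *win)
{
    free(win->surface);
    win->surface = NULL;
}

/* Handler that may run after close. Returns 0 if handled, -1 if the proxy is gone. */
static int demo_window_on_frame(struct demo_window *win)
{
    if (win == NULL || win->surface == NULL) return -1; /* caller-side check */
    struct demo_window *owner = demo_proxy_get_user_data(win->surface);
    owner->frames_drawn++;
    return 0;
}

int main(void)
{
    struct demo_window *win = demo_window_open();
    if (!win) return 1;
    int live = demo_window_on_frame(win);
    demo_window_close(win);
    int late = demo_window_on_frame(win);  /* rejected without a dereference */
    free(win);
    return (live == 0 && late == -1) ? 0 : 1;
}
```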
