Bug 33892 - Xorg crash with SIGSEGV in uxa_solid_rects() with NULL solid
Summary: Xorg crash with SIGSEGV in uxa_solid_rects() with NULL solid
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel (show other bugs)
Version: git
Hardware: Other All
: medium normal
Assignee: Chris Wilson
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-04 00:18 UTC by Bryce Harrington
Modified: 2011-02-04 00:58 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Attachments
0001-Check-return-value-of-uxa_acquire_solid-since-it-can.patch (1.56 KB, patch)
2011-02-04 00:18 UTC, Bryce Harrington 		no flags Details | Splinter Review
View All

Description Bryce Harrington 2011-02-04 00:18:35 UTC 
Created attachment 42915 [details] [review]
0001-Check-return-value-of-uxa_acquire_solid-since-it-can.patch

Program received signal SIGSEGV, Segmentation fault.
0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
1070 ../../uxa/uxa-render.c: No such file or directory.
 in ../../uxa/uxa-render.c
(gdb) backtrace full
#0 0x00228004 in uxa_solid_rects (op=<value optimized out>, dst=0xbe38080, color=0xbdb73c0, num_rects=4, rects=0xbdb73c8) at ../../uxa/uxa-render.c:1070
        solid = 0x0
        src_off_x = 135352438
        src_off_y = -1075839992
        error = 199458944
        screen = <value optimized out>
        dst_pixmap = 0xbe37f88
        src_pixmap = 0x0
        region = {extents = {x1 = 28, y1 = 102, x2 = 313, y2 = 143}, data = 0xbe37cd0}
        boxes = 0xbe37cd8
        extents = <value optimized out>
        src = 0x0
        dst_x = 0
        dst_y = 0
        num_boxes = 4
#1 0x081183f8 in CompositeRects (op=3 '\003', pDst=0xbe38080, color=0xbdb73c0, nRect=4, rects=0xbdb73c8) at ../../render/picture.c:1734
        ps = <value optimized out>
#2 0x0811c690 in ProcRenderFillRectangles (client=0xb22e528) at ../../render/render.c:1475
        pDst = 0xbe38080
        things = <value optimized out>
        stuff = 0xbdb73b4
#3 0x08118a33 in ProcRenderDispatch (client=0xb22e528) at ../../render/render.c:2051
        stuff = <value optimized out>
#4 0x0806f6c7 in Dispatch () at ../../dix/dispatch.c:432
        clientReady = 0xb3fa048
        result = <value optimized out>
        client = 0xb22e528
        nready = 0
        icheck = 0x8204138
        start_tick = 30960
#5 0x0806264c in main (argc=8, argv=0xbfdffe54, envp=0xbfdffe78) at ../../dix/main.c:291
        i = <value optimized out>
        alwaysCheckForInput = {0, 1}

Cause of the crash is due to unchecked return value from uxa_acquire_solid():


                        solid = uxa_acquire_solid(screen, src->pSourcePict);
                        FreePicture(src, 0);

                        src = solid;
                        src_pixmap = uxa_get_offscreen_pixmap(src->pDrawable,
                                                              &src_off_x, &src_off_y);

uxa_acquire_solid returns NULL under a variety of (valid) error conditions.  Thus the value of solid must be checked before dereferencing it in the uxa_get_offscreen() call.
Comment 1 Chris Wilson 2011-02-04 00:58:11 UTC 
Just a minor quibble over the wording, since it under OOM it will fail.
Many thanks!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.