Bug 53018 - Unguarded derefs in wayland-client.c can cause segfaults
Status: VERIFIED NOTABUG
Alias: None
Product: Wayland
Classification: Unclassified
Component: wayland
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium critical
Assignee: Wayland bug list
Reported: 2012-07-31 17:53 UTC by Joe Konno
Modified: 2012-11-09 18:34 UTC

Description Joe Konno 2012-07-31 17:53:24 UTC
If wayland/src/wayland-client.c:wl_proxy_get_user_data(), or a like function, is called with a NULL actual param, Wayland will segfault and kill the compositor and any running programs.

The segfaults were originally seen with an EFL test application that, programmatically, opened/closed windows and switched back and forth between the shared memory and EGL backends. This test application reproduced the issue in 1 of 6 executions.

This behavior is most easily reproduced with the aid of well-placed gdb breakpoints and overwriting the value (0x0) of the actual param.
Comment 1 Joe Konno 2012-08-01 17:30:54 UTC
Raising severity as this issue is hindering test development and execution.
Comment 2 Kristian Høgsberg 2012-08-01 17:34:54 UTC
tHIS IS
Comment 3 Kristian Høgsberg 2012-08-01 17:36:42 UTC
This is not a bug, passing NULL to wl_proxy_get_user_data() is not valid input and results in undefined behavior (i.e. crash). strlen(), for example, has the same behaviour.
Comment 4 Joe Konno 2012-08-01 17:55:19 UTC
Thanks for the input, Kristian!
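
An added example (not from this bug thread or the Wayland code base) of the caller-side guard that the resolution in comment 3 implies: since the getter does not accept NULL, the code that opens and closes windows has to clear its handle on close and check it before the call. All `demo_*` names are hypothetical stand-ins; the getter only imitates the no-NULL contract described above.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for an opaque client-side proxy; NOT libwayland's struct. */
struct demo_proxy { void *user_data; };

/* Imitates the contract from the thread: NULL is invalid input and the
 * getter dereferences its argument without checking it. */
static void *demo_proxy_get_user_data(struct demo_proxy *proxy)
{
    return proxy->user_data;
}

/* Hypothetical toolkit-side window that owns a proxy handle. */
struct demo_window {
    const char *title;
    struct demo_proxy *surface;   /* NULL once the window is closed */
};

static void demo_window_open(struct demo_window *w, struct demo_proxy *p)
{
    p->user_data = w;
    w->surface = p;
}

/* Closing clears the handle so later code can tell it is gone. */
static void demo_window_close(struct demo_window *w)
{
    w->surface = NULL;
}

/* Caller-side guard: validate the handle before the library call. */
static struct demo_window *demo_window_from_surface(struct demo_proxy *surface)
{
    if (surface == NULL)
        return NULL;              /* window already closed: skip the event */
    return demo_proxy_get_user_data(surface);
}

int main(void)
{
    struct demo_proxy proxy = { NULL };
    struct demo_window win = { "constructed sample window", NULL };
    demo_window_open(&win, &proxy);
    printf("open:   %p\n", (void *)demo_window_from_surface(win.surface));
    demo_window_close(&win);
    printf("closed: %p\n", (void *)demo_window_from_surface(win.surface));
    return 0;
}
```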