1
0
Fork 0

wayland: Seal SHM buffers before access

If wayland client lies about size of given buffer, compositor could touch bad
memory and get SIGBUS. Wayland provides simple API to fix it - so fix it!

[1] http://cgit.freedesktop.org/wayland/wayland/tree/src/wayland-server.h#n416
[2] http://lists.freedesktop.org/archives/wayland-devel/2013-November/012159.html

Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>

https://bugzilla.gnome.org/show_bug.cgi?id=727893
This commit is contained in:
Marek Chalupa 2015-01-09 16:09:23 +01:00 committed by Jasper St. Pierre
parent 87eb5f8632
commit b6d070b06f
2 changed files with 18 additions and 0 deletions

View file

@ -317,6 +317,8 @@ meta_cursor_image_load_from_buffer (MetaCursorImage *image,
{
int rowstride = wl_shm_buffer_get_stride (shm_buffer);
wl_shm_buffer_begin_access (shm_buffer);
switch (wl_shm_buffer_get_format (shm_buffer))
{
#if G_BYTE_ORDER == G_BIG_ENDIAN
@ -344,6 +346,8 @@ meta_cursor_image_load_from_buffer (MetaCursorImage *image,
(uint8_t *) wl_shm_buffer_get_data (shm_buffer),
width, height, rowstride,
gbm_format);
wl_shm_buffer_end_access (shm_buffer);
}
else
{

View file

@ -91,13 +91,23 @@ meta_wayland_buffer_ensure_texture (MetaWaylandBuffer *buffer)
CoglContext *ctx = clutter_backend_get_cogl_context (clutter_get_default_backend ());
CoglError *catch_error = NULL;
CoglTexture *texture;
struct wl_shm_buffer *shm_buffer;
if (buffer->texture)
goto out;
shm_buffer = wl_shm_buffer_get (buffer->resource);
if (shm_buffer)
wl_shm_buffer_begin_access (shm_buffer);
texture = COGL_TEXTURE (cogl_wayland_texture_2d_new_from_buffer (ctx,
buffer->resource,
&catch_error));
if (shm_buffer)
wl_shm_buffer_end_access (shm_buffer);
if (!texture)
{
cogl_error_free (catch_error);
@ -124,6 +134,8 @@ meta_wayland_buffer_process_damage (MetaWaylandBuffer *buffer,
n_rectangles = cairo_region_num_rectangles (region);
wl_shm_buffer_begin_access (shm_buffer);
for (i = 0; i < n_rectangles; i++)
{
cairo_rectangle_int_t rect;
@ -133,5 +145,7 @@ meta_wayland_buffer_process_damage (MetaWaylandBuffer *buffer,
shm_buffer,
rect.x, rect.y, 0, NULL);
}
wl_shm_buffer_end_access (shm_buffer);
}
}