wayland: Seal SHM buffers before access
If wayland client lies about size of given buffer, compositor could touch bad memory and get SIGBUS. Wayland provides simple API to fix it - so fix it! [1] http://cgit.freedesktop.org/wayland/wayland/tree/src/wayland-server.h#n416 [2] http://lists.freedesktop.org/archives/wayland-devel/2013-November/012159.html Signed-off-by: Marek Chalupa <mchqwerty@gmail.com> https://bugzilla.gnome.org/show_bug.cgi?id=727893
This commit is contained in:
parent
87eb5f8632
commit
b6d070b06f
2 changed files with 18 additions and 0 deletions
|
@ -317,6 +317,8 @@ meta_cursor_image_load_from_buffer (MetaCursorImage *image,
|
|||
{
|
||||
int rowstride = wl_shm_buffer_get_stride (shm_buffer);
|
||||
|
||||
wl_shm_buffer_begin_access (shm_buffer);
|
||||
|
||||
switch (wl_shm_buffer_get_format (shm_buffer))
|
||||
{
|
||||
#if G_BYTE_ORDER == G_BIG_ENDIAN
|
||||
|
@ -344,6 +346,8 @@ meta_cursor_image_load_from_buffer (MetaCursorImage *image,
|
|||
(uint8_t *) wl_shm_buffer_get_data (shm_buffer),
|
||||
width, height, rowstride,
|
||||
gbm_format);
|
||||
|
||||
wl_shm_buffer_end_access (shm_buffer);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
@ -91,13 +91,23 @@ meta_wayland_buffer_ensure_texture (MetaWaylandBuffer *buffer)
|
|||
CoglContext *ctx = clutter_backend_get_cogl_context (clutter_get_default_backend ());
|
||||
CoglError *catch_error = NULL;
|
||||
CoglTexture *texture;
|
||||
struct wl_shm_buffer *shm_buffer;
|
||||
|
||||
if (buffer->texture)
|
||||
goto out;
|
||||
|
||||
shm_buffer = wl_shm_buffer_get (buffer->resource);
|
||||
|
||||
if (shm_buffer)
|
||||
wl_shm_buffer_begin_access (shm_buffer);
|
||||
|
||||
texture = COGL_TEXTURE (cogl_wayland_texture_2d_new_from_buffer (ctx,
|
||||
buffer->resource,
|
||||
&catch_error));
|
||||
|
||||
if (shm_buffer)
|
||||
wl_shm_buffer_end_access (shm_buffer);
|
||||
|
||||
if (!texture)
|
||||
{
|
||||
cogl_error_free (catch_error);
|
||||
|
@ -124,6 +134,8 @@ meta_wayland_buffer_process_damage (MetaWaylandBuffer *buffer,
|
|||
|
||||
n_rectangles = cairo_region_num_rectangles (region);
|
||||
|
||||
wl_shm_buffer_begin_access (shm_buffer);
|
||||
|
||||
for (i = 0; i < n_rectangles; i++)
|
||||
{
|
||||
cairo_rectangle_int_t rect;
|
||||
|
@ -133,5 +145,7 @@ meta_wayland_buffer_process_damage (MetaWaylandBuffer *buffer,
|
|||
shm_buffer,
|
||||
rect.x, rect.y, 0, NULL);
|
||||
}
|
||||
|
||||
wl_shm_buffer_end_access (shm_buffer);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue