From f05f269f1d5bddafe71cdfb290b118820bf17fdd Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 25 Oct 2025 14:09:39 -0700 Subject: [PATCH] dri: prevent out-of-bounds read in dri3_fd_from_pixmap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported in #1817: xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13: warning[-Wanalyzer-out-of-bounds]: stack-based buffer over-read xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13: danger: out-of-bounds read from byte 16 till byte 19 but ‘fds’ ends at byte 16 141| int i; 142| for (i = 0; i < num_fds; i++) 143|-> close(fds[i]); 144| return -1; 145| } Only possible if fds_from_pixmap returns a value > 4, but the analyzer doesn't know the interface is defined not to do that. Signed-off-by: Alan Coopersmith Part-of:
---
 dri3/dri3_screen.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c
index ec8d025c4..06a50ec44 100644
--- a/dri3/dri3_screen.c
+++ b/dri3/dri3_screen.c
@@ -138,9 +138,10 @@ dri3_fd_from_pixmap(PixmapPtr pixmap, CARD16 *stride, CARD32 *size)
 num_fds = info->fds_from_pixmap(screen, pixmap, fds, strides, offsets, &modifier);
 if (num_fds != 1 || offsets[0] != 0) {
- int i;
- for (i = 0; i < num_fds; i++)
+ for (int i = 0; i < num_fds; i++) {
+ BUG_RETURN_VAL(i >= ARRAY_SIZE(fds), -1);
 close(fds[i]);
+ }
 return -1;
 }
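Review bot: The new `BUG_RETURN_VAL(i >= ARRAY_SIZE(fds), -1)` in the cleanup loop only stops the over-read in `close(fds[i])`. If the `fds_from_pixmap` hook ever returned more entries than `fds` holds, it would presumably already have written past `fds` (and likely `strides`/`offsets`, whose declarations are outside the hunk) before this check runs, since the call passes no capacity. I would say so in a comment above the check, e.g. `/* contract check: the hook must not return more than ARRAY_SIZE(fds) fds; a larger count means it has already overrun the caller's arrays */`, so nobody later reads it as a bounds defence. Minor: `i` is a signed `int` compared against what is normally a `size_t` from `ARRAY_SIZE`, which is harmless here because `i` starts at 0 but can trip `-Wsign-compare`. dri3_fd_from_pixmap starts and ends outside the hunk.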