The old code tried to use a screen pointer that was uninitialized and set to NULL.
This caused it to segfault when this option was set.
When this option was used with the modesetting driver, `glamor_egl_init`
is called indirectly in the driver PreInit proc.
`xf86ScrnToScreen(scrn)` then returns NULL.
This patch moves setting the gl vendor later in the initialization process,
when we already have a non-null pScreen.
Minimal reproducer:
```
$ cat /etc/X11/xorg.conf.d/99-screen.conf
Section "Screen"
Identifier "Default"
Option "GlxVendorLibrary" "Name"
EndSection
```
Backtrace:
```
| #0 in abort ()
| #1 in OsAbort () at os/utils.c:1361
| #2 in AbortServer () at os/log.c:879
| #3 FatalError () at os/log.c:1017
| #4 in OsSigHandler () at os/osinit.c:156
| #5 OsSigHandler () at os/osinit.c:110
| #6 <signal handler called>
| #7 in __pthread_kill_implementation () from /lib64/libc.so.6
| #8 in raise () from /lib64/libc.so.6
| #9 in abort () from /lib64/libc.so.6
| #10 in __assert_fail_base.cold () from /lib64/libc.so.6
| #11 in xf86ScrnToScreen () at hw/xfree86/common/xf86Helper.c:1734
| #12 in glamor_egl_init () at glamor/glamor_egl.c:1108
| #13 in try_enable_glamor () at hw/xfree86/drivers/modesetting/driver.c:984
| #14 PreInit () at hw/xfree86/drivers/modesetting/driver.c:1211
| #15 in InitOutput () at hw/xfree86/common/xf86Init.c:478
| #16 in dix_main () at dix/main.c:190
| #17 main () at dix/stubmain.c:34
```
Fixes: a449bb4c5 - glamor_egl: add support of GlxVendorLibrary option
Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2096>
Provide information on where to report or learn of security bugs,
and what we do or do not consider to be a security bug.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2103>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_render.c:1577:21:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_dash.c:152:10:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
We know that if gc->tileIsPixel is false, then gc->tile.pixmap must be
a valid pixmap, but gcc's static analyzer doesn't and needs to be told.
Silences false positive reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor_core.c:205:19:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘0’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
Unlike GetPictureScreen(), GetPictureScreenIfSet() checks if the
private key is registered, and returns NULL if it is not.
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../glamor/glamor.c:926:5:
warning[-Wanalyzer-null-dereference]: dereference of NULL ‘ps’
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2094>
Reported in #1817:
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
warning[-Wanalyzer-out-of-bounds]: stack-based buffer over-read
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
danger: out-of-bounds read from byte 16 till byte 19
but ‘fds’ ends at byte 16
141| int i;
142| for (i = 0; i < num_fds; i++)
143|-> close(fds[i]);
144| return -1;
145| }
Only possible if fds_from_pixmap returns a value > 4, but the analyzer
doesn't know the interface is defined not to do that.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2085>
The XkbCompatMap structure stores its "num_si" and "size_si" fields
using an unsigned short.
However, the function _XkbSetCompatMap() will store the sum of the
input data "firstSI" and "nSI" in both XkbCompatMap's "num_si" and
"size_si" without first checking if the sum overflows the maximum
unsigned short value, leading to a possible overflow.
To avoid the issue, check whether the sum does not exceed the maximum
unsigned short value, or return a "BadValue" error otherwise.
CVE-2025-62231, ZDI-CAN-27560
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2086>
