From f0d455f088510bf8a79aaccb2c67fc2a926b5b1a Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 30 Jun 2018 09:59:44 +0900 Subject: drm backend: overflow fixes These operations are done in 32-bit arithmetics before being casted to 64-bit, thus can overflow before the cast. Casting early fixes the issue. Found through static analysis --- backend/drm/atomic.c | 4 ++-- backend/drm/drm.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'backend') diff --git a/backend/drm/atomic.c b/backend/drm/atomic.c index acc56e65..41b6424c 100644 --- a/backend/drm/atomic.c +++ b/backend/drm/atomic.c @@ -83,8 +83,8 @@ static void set_plane_props(struct atomic *atom, struct wlr_drm_plane *plane, // The src_* properties are in 16.16 fixed point atomic_add(atom, id, props->src_x, 0); atomic_add(atom, id, props->src_y, 0); - atomic_add(atom, id, props->src_w, plane->surf.width << 16); - atomic_add(atom, id, props->src_h, plane->surf.height << 16); + atomic_add(atom, id, props->src_w, (uint64_t)plane->surf.width << 16); + atomic_add(atom, id, props->src_h, (uint64_t)plane->surf.height << 16); atomic_add(atom, id, props->crtc_w, plane->surf.width); atomic_add(atom, id, props->crtc_h, plane->surf.height); atomic_add(atom, id, props->fb_id, fb_id); diff --git a/backend/drm/drm.c b/backend/drm/drm.c index c5db480e..f4a971a2 100644 --- a/backend/drm/drm.c +++ b/backend/drm/drm.c @@ -973,7 +973,7 @@ int handle_drm_event(int fd, uint32_t mask, void *data) { } void restore_drm_outputs(struct wlr_drm_backend *drm) { - uint64_t to_close = (1 << wl_list_length(&drm->outputs)) - 1; + uint64_t to_close = (1L << wl_list_length(&drm->outputs)) - 1; struct wlr_drm_connector *conn; wl_list_for_each(conn, &drm->outputs, link) { -- cgit v1.2.3 From 4f7b1382d4ceb1ed308563809d485ea6c047f077 Mon Sep 17 00:00:00 2001 
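Review bot: In restore_drm_outputs the new `1L` only widens the shift on targets where `long` is 64 bits; where `long` is 32 bits the shift is still done in 32-bit arithmetic, so the overflow the commit message describes remains. The constant is also signed, so a list length of 63 shifts into the sign bit, and a length of 64 or more is undefined for any 64-bit operand. I would use an unsigned 64-bit one and bound the count before shifting: `uint64_t to_close = (UINT64_C(1) << n) - 1;` with `n = wl_list_length(&drm->outputs)` checked to be below 64. The function body continues outside the hunk.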
From: Dominique Martinet Date: Sat, 30 Jun 2018 10:03:26 +0900 Subject: wayland backend seat: fix NULL output check The test was done after dereferencing output in pointer_handle_enter, just move it up one line. No reason pointer_handle_leave would not need the check if enter needs it, add it there. Found through static analysis. --- backend/wayland/wl_seat.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'backend') diff --git a/backend/wayland/wl_seat.c b/backend/wayland/wl_seat.c index 8ed61409..d5001a51 100644 --- a/backend/wayland/wl_seat.c +++ b/backend/wayland/wl_seat.c @@ -38,10 +38,8 @@ static void pointer_handle_enter(void *data, struct wl_pointer *wl_pointer, } struct wlr_wl_output *output = wl_surface_get_user_data(surface); + assert(output); struct wlr_wl_pointer *pointer = output_get_pointer(output); - if (output == NULL) { - return; - } output->enter_serial = serial; backend->current_pointer = pointer; @@ -56,6 +54,7 @@ static void pointer_handle_leave(void *data, struct wl_pointer *wl_pointer, } struct wlr_wl_output *output = wl_surface_get_user_data(surface); + assert(output); output->enter_serial = 0; if (backend->current_pointer == NULL || -- cgit v1.2.3 From bcc2c64c1e1a4562699a94deb6f9d57e1e072ed8 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 30 Jun 2018 10:17:36 +0900 Subject: x11 backend init: fix leak on failed XOpenDisplay Found through static analysis --- backend/x11/backend.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'backend') diff --git a/backend/x11/backend.c b/backend/x11/backend.c index d4793b9c..e35cbed7 100644 --- a/backend/x11/backend.c +++ b/backend/x11/backend.c 
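Review bot: `assert(output)` in pointer_handle_enter, and the same line added to pointer_handle_leave, does not replace the removed `if (output == NULL) return;`. With NDEBUG the assert compiles away and the following `output->enter_serial` store dereferences NULL; without NDEBUG a surface that has no user data aborts the whole process. The surface comes from a pointer event delivered by the host compositor, so a missing user-data pointer is better treated as input to reject than as an invariant: keep the early return and place it before the first use, `if (output == NULL) { return; }`. Both functions start and end outside their hunks, so whether an earlier guard already rules this case out is not visible here.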
@@ -245,13 +245,13 @@ struct wlr_backend *wlr_x11_backend_create(struct wl_display *display, x11->xlib_conn = XOpenDisplay(x11_display); if (!x11->xlib_conn) { wlr_log(L_ERROR, "Failed to open X connection"); - return NULL; + goto error_x11; } x11->xcb_conn = XGetXCBConnection(x11->xlib_conn); if (!x11->xcb_conn || xcb_connection_has_error(x11->xcb_conn)) { wlr_log(L_ERROR, "Failed to open xcb connection"); - goto error_x11; + goto error_display; } XSetEventQueueOwner(x11->xlib_conn, XCBOwnsEventQueue); @@ -262,7 +262,7 @@ struct wlr_backend *wlr_x11_backend_create(struct wl_display *display, x11->event_source = wl_event_loop_add_fd(ev, fd, events, x11_event, x11); if (!x11->event_source) { wlr_log(L_ERROR, "Could not create event source"); - goto error_x11; + goto error_display; } x11->screen = xcb_setup_roots_iterator(xcb_get_setup(x11->xcb_conn)).data; @@ -291,8 +291,9 @@ struct wlr_backend *wlr_x11_backend_create(struct wl_display *display, error_event: wl_event_source_remove(x11->event_source); -error_x11: +error_display: XCloseDisplay(x11->xlib_conn); +error_x11: free(x11); return NULL; } -- cgit v1.2.3 From 266898ca1f1eeabaaff3f951a17e612147153ce5 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 30 Jun 2018 10:28:41 +0900 Subject: direct session backend: fix closing -1 on error Found through static analysis --- backend/session/direct-ipc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'backend') diff --git a/backend/session/direct-ipc.c b/backend/session/direct-ipc.c index f8ba07f7..2dd777c8 100644 --- a/backend/session/direct-ipc.c +++ b/backend/session/direct-ipc.c @@ -159,7 +159,9 @@ static void communicate(int sock) { } error: send_msg(sock, ret ? -1 : fd, &ret, sizeof(ret)); - close(fd); + if (fd >= 0) { + close(fd); + } break; -- cgit v1.2.3 From 1940c6bbd9c0a8867e40a36f27b69c7069213cf0 Mon Sep 17 00:00:00 2001 
From: Dominique Martinet Date: Sat, 30 Jun 2018 11:08:49 +0900 Subject: wayland backend: fix width/height == 0 check We cannot handle just one of the two being NULL later down the road (e.g. divide by zero in matrix projection code), just ignore any such configure request. Found through static analysis --- backend/wayland/output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'backend') diff --git a/backend/wayland/output.c b/backend/wayland/output.c index 42b41508..6aa59537 100644 --- a/backend/wayland/output.c +++ b/backend/wayland/output.c @@ -220,7 +220,7 @@ static void xdg_toplevel_handle_configure(void *data, struct zxdg_toplevel_v6 *x struct wlr_wl_output *output = data; assert(output && output->xdg_toplevel == xdg_toplevel); - if (width == 0 && height == 0) { + if (width == 0 || height == 0) { return; } // loop over states for maximized etc? -- cgit v1.2.3 From e5348ad7d374713d4e1a386849b15fb0d68de31c Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 30 Jun 2018 11:11:06 +0900 Subject: backend autocreate: fix leak when WLR_BACKENDS is set Found through static analysis --- backend/backend.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'backend') diff --git a/backend/backend.c b/backend/backend.c index 07c171bc..07e05fca 100644 --- a/backend/backend.c +++ b/backend/backend.c @@ -203,6 +203,7 @@ struct wlr_backend *wlr_backend_autocreate(struct wl_display *display, wlr_log(L_ERROR, "failed to start backend '%s'", name); wlr_backend_destroy(backend); wlr_session_destroy(session); + free(names); return NULL; } @@ -210,12 +211,14 @@ struct wlr_backend *wlr_backend_autocreate(struct wl_display *display, wlr_log(L_ERROR, "failed to add backend '%s'", name); wlr_backend_destroy(backend); wlr_session_destroy(session); + free(names); return NULL; } name = strtok_r(NULL, ",", &saveptr); } + free(names); return backend; } -- cgit v1.2.3 From 0c2a64df18f8740ab795fb2970d1954a8aac34b1 Mon Sep 17 00:00:00 2001 
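Review bot: The new test `width == 0 || height == 0` in xdg_toplevel_handle_configure still lets a negative size through. The parameter list is cut off in the hunk header, but if width and height are signed, as they are in the xdg-shell configure event, a negative value sent by the host compositor would reach the same size-handling code the commit message is protecting. `if (width <= 0 || height <= 0) { return; }` covers both cases. The rest of the function is outside the hunk.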
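Review bot: `free(names)` is now repeated at three exits of wlr_backend_autocreate (the two failure returns here and in the following hunk, plus the success return), so the next exit added to this branch can quietly bring the leak back. A single exit would be easier to keep correct: record the result in a local and jump to one label, `out: free(names); return result;`. Note that `name` is produced by `strtok_r` and so presumably points into `names`, which means the free has to stay after the `wlr_log` call that prints it; a short comment saying so would help. The start of the function, including where `names` is allocated, is outside the hunk.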
From: Dominique Martinet Date: Sat, 30 Jun 2018 11:18:42 +0900 Subject: headless add_input_device: fix leak on error Found through static analysis --- backend/headless/input_device.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'backend') diff --git a/backend/headless/input_device.c b/backend/headless/input_device.c index a1e18428..63d28e8e 100644 --- a/backend/headless/input_device.c +++ b/backend/headless/input_device.c @@ -39,7 +39,7 @@ struct wlr_input_device *wlr_headless_add_input_device( wlr_device->keyboard = calloc(1, sizeof(struct wlr_keyboard)); if (wlr_device->keyboard == NULL) { wlr_log(L_ERROR, "Unable to allocate wlr_keyboard"); - return NULL; + goto error; } wlr_keyboard_init(wlr_device->keyboard, NULL); break; @@ -47,7 +47,7 @@ struct wlr_input_device *wlr_headless_add_input_device( wlr_device->pointer = calloc(1, sizeof(struct wlr_pointer)); if (wlr_device->pointer == NULL) { wlr_log(L_ERROR, "Unable to allocate wlr_pointer"); - return NULL; + goto error; } wlr_pointer_init(wlr_device->pointer, NULL); break; @@ -55,7 +55,7 @@ struct wlr_input_device *wlr_headless_add_input_device( wlr_device->touch = calloc(1, sizeof(struct wlr_touch)); if (wlr_device->touch == NULL) { wlr_log(L_ERROR, "Unable to allocate wlr_touch"); - return NULL; + goto error; } wlr_touch_init(wlr_device->touch, NULL); break; @@ -63,7 +63,7 @@ struct wlr_input_device *wlr_headless_add_input_device( wlr_device->tablet_tool = calloc(1, sizeof(struct wlr_tablet_tool)); if (wlr_device->tablet_tool == NULL) { wlr_log(L_ERROR, "Unable to allocate wlr_tablet_tool"); - return NULL; + goto error; } wlr_tablet_tool_init(wlr_device->tablet_tool, NULL); break; 
@@ -71,7 +71,7 @@ struct wlr_input_device *wlr_headless_add_input_device( wlr_device->tablet_pad = calloc(1, sizeof(struct wlr_tablet_pad)); if (wlr_device->tablet_pad == NULL) { wlr_log(L_ERROR, "Unable to allocate wlr_tablet_pad"); - return NULL; + goto error; } wlr_tablet_pad_init(wlr_device->tablet_pad, NULL); break; @@ -84,4 +84,7 @@ struct wlr_input_device *wlr_headless_add_input_device( } return wlr_device; +error: + free(device); + return NULL; } -- cgit v1.2.3
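Review bot: The new `error:` label frees `device` while the function returns `wlr_device`, and the hunks do not show how the two are related. If `wlr_device` points into the `device` allocation, a one-line comment at the label would make the ownership clear, e.g. `// wlr_device is embedded in device; freeing device releases both`. If they are separate allocations, `wlr_device` still leaks on these paths. Anything allocated by the initialisation code that runs before the switch would also need releasing here; that part of the function is outside the hunks.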