Hello, I recently gave glamor-egl a very quick audit, and found some issues that I wanted to run past someone who would know the code better than I do.
- _glamor_poly_lines():
- unchecked malloc() return value
- if n = 1 is passed to the function, the malloc might allocate zero
bytes:
rects = malloc(sizeof(xRectangle) * (n - 1));
Can n = 1 be a realistic input to this function? It appears to be
callable from outside the library with arbitrary inputs.
Is this safe?
- _pixman_region_init_clipped_rectangles()
- The unsigned int num_rects argument is passed, unchecked, to
boxes = malloc(sizeof(pixman_box16_t) * num_rects);
-- can a large-enough value of num_rects cause a multiplication
overflow here, allocating less memory than necessary?
It appears to be callable from outside the library with arbitrary
inputs. Is this safe?
- glamor_create_composite_fs() appears to have two unguarded divisions
in relocate_texture that might result in divide-by-zero, wh.x and wh.y
-- are these guarded somewhere else?
- glamor_create_composite_fs() appears to have an unguarded division in
rel_sampler that might result in divide-by-zero, wh.xy -- is this
guarded somewhere else?
- glamor_pixmap_attach_fbo() has a switch statement that uses
fall-through after a block of code, but there's no comment nearby to
assure the reader that it is intentional. Is it intentional? :)
There are several unchecked memory allocations:
- glamor_compile_glsl_prog() unchecked malloc() return value
- glamor_egl_init() unchecked calloc() return value glamor_egl
- glamor_compute_clipped_regions_ext() unchecked calloc() return value
result_regions
- __glamor_compute_clipped_regions() unchecked calloc() return value
clipped_regions
- glamor_composite_largepixmap_region() unchecked malloc() return value
source_pixmap_priv
(While it's true malloc() will almost never return NULL, someone may
someday wish to run this code with overcommit turned off, and it'd be
better to be safe.)
Thanks
signature.asc
Description: Digital signature
_______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
