Possible SEGV (null pointer deref) in init_randr15() from gdkscreen-x11.c
There is a possible SEGV (null pointer deref) in init_randr15()
from gdkscreen-x11.c
(see here). The relevant snippet is:
/* Excerpt from gdkscreen-x11.c as quoted in the report; "..." marks elided code.
 * Iterates the RandR 1.5 CRTC/mode data for the screen; the crash site is the
 * crtc->mode read inside the loop below. */
static gboolean
init_randr15 (GdkX11Screen *x11_screen)
{
...
/* NOTE(review): the return value is dereferenced below without a visible NULL
 * check in this excerpt; a NULL result should be checked for (and the output
 * skipped) before crtc->mode is read -- confirm against the full source. */
crtc = XRRGetCrtcInfo (x11_screen->xdisplay, resources, // XRRGetCrtcInfo() may return NULL
output_info->crtc);
...
for (j = 0; j < resources->nmode; j++)
{
if (xmode->id == crtc->mode) // <---- Possible NULL pointer deref
{
...
}
}
}
The problem is that the XRRGetCrtcInfo()
function may return NULL
under some rare conditions (see here). If this occurs, then a null pointer dereference will result; the return value should be checked for NULL before crtc->mode is read. The init_randr13()
function is also likely affected.
Steps to reproduce
This is difficult to reproduce. One way is to send a corrupt X11 message that will cause XRRGetCrtcInfo()
to fail. It is unlikely this SEGV would occur with "normal" usage.
Version information
Checked on Ubuntu 23.04 (shipped libs) and the latest git head.
Backtrace
Thread 1 "gedit" received signal SIGSEGV, Segmentation fault.
init_randr15.constprop.0 (screen=screen@entry=0x5555555bb350, changed=changed@entry=0x7fffffffd550)
at ../../../gdk/x11/gdkscreen-x11.c:586
586 if (xmode->id == crtc->mode)
(gdb) bt
#0 init_randr15.constprop.0 (screen=screen@entry=0x5555555bb350, changed=changed@entry=0x7fffffffd550)
at ../../../gdk/x11/gdkscreen-x11.c:586
#1 0x00007ffde859e669 in init_multihead (screen=0x5555555bb350) at ../../../gdk/x11/gdkscreen-x11.c:1035
#2 _gdk_x11_screen_new (display=<optimized out>, screen_number=0) at ../../../gdk/x11/gdkscreen-x11.c:1101
#3 0x00007ffde858eee5 in _gdk_x11_display_open (display_name=<optimized out>) at ../../../gdk/x11/gdkdisplay-x11.c:1606
#4 0x00007ffde853c9a7 in gdk_display_manager_open_display (manager=<optimized out>, name=0x0)
at ../../../gdk/gdkdisplaymanager.c:462
#5 0x00007ffde88d2aa5 in gtk_init_check (argc=0x0, argv=0x0) at ../../../gtk/gtkmain.c:1110
#6 0x00007ffde88d2af5 in gtk_init (argc=0x0, argv=0x0) at ../../../gtk/gtkmain.c:1167
#7 0x00007ffde86dbd17 in gtk_application_startup (g_application=0x555555583200) at ../../../gtk/gtkapplication.c:304
#8 0x00007ffff7f50074 in gedit_app_startup (application=0x555555583200) at ../gedit/gedit-app.c:667
#9 0x00007ffff7ec2010 in g_closure_invoke
(closure=0x55555557eb20, return_value=0x0, n_param_values=1, param_values=0x7fffffffd9d0, invocation_hint=0x7fffffffd950) at ../../../gobject/gclosure.c:832
#10 0x00007ffff7eef08d in signal_emit_unlocked_R.isra.0
(node=node@entry=0x55555557eb50, detail=detail@entry=0, instance=instance@entry=0x555555583200, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd9d0) at ../../../gobject/gsignal.c:3732
#11 0x00007ffff7edf69a in g_signal_emit_valist
(instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffdb70)
at ../../../gobject/gsignal.c:3555
#12 0x00007ffff7edf923 in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>)
at ../../../gobject/gsignal.c:3612
#13 0x00007ffde913013f in g_application_register (application=0x555555583200, cancellable=0x0, error=0x7fffffffdce0)
at ../../../gio/gapplication.c:2213
#14 0x00007ffde912e00f in g_application_real_local_command_line
(application=0x555555583200, arguments=0x7fffffffdd80, exit_status=0x7fffffffdd70) at ../../../gio/gapplication.c:1115
#15 0x00007ffde86dbeb4 in gtk_application_local_command_line
(application=0x555555583200, arguments=0x7fffffffdd80, exit_status=0x7fffffffdd70)
at ../../../gtk/gtkapplication.c:343
#16 0x00007ffde91308f9 in g_application_run (application=0x555555583200, argc=2, argv=0x7fffffffdf28)
at ../../../gio/gapplication.c:2542
#17 0x0000555555555400 in main (argc=2, argv=0x7fffffffdf28) at ../gedit/gedit.c:175