From 7279a68cc7ac58f5f191d61a787ddeff93966f3d Mon Sep 17 00:00:00 2001 From: stefan11111 Date: Tue, 25 Nov 2025 01:01:21 +0200 Subject: [PATCH] dri3: prevent out-of-bounds read in dri3_fd_from_pixmap MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inspired by https://gitlab.freedesktop.org/xorg/xserver/-/commit/f05f269f1d5bddafe71cdfb290b118820bf17fdd Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817: xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13: warning[-Wanalyzer-out-of-bounds]: stack-based buffer over-read xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13: danger: out-of-bounds read from byte 16 till byte 19 but ‘fds’ ends at byte 16 141| int i; 142| for (i = 0; i < num_fds; i++) 143|-> close(fds[i]); 144| return -1; 145| } Only possible if fds_from_pixmap returns a value > 4, but the analyzer doesn't know the interface is defined not to do that. Signed-off-by: Alan Coopersmith Part-of: Signed-off-by: stefan11111
---
 dri3/dri3_screen.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dri3/dri3_screen.c b/dri3/dri3_screen.c
index 34cd7c2c94..9ae562e712 100644
--- dri3/dri3_screen.c
+++ dri3/dri3_screen.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 int dri3_open(ClientPtr client, ScreenPtr screen, RRProviderPtr provider, int *fd)
@@ -139,8 +140,8 @@ dri3_fd_from_pixmap(PixmapPtr pixmap, CARD16 *stride, CARD32 *size)
 num_fds = info->fds_from_pixmap(screen, pixmap, fds, strides, offsets, &modifier);
 if (num_fds != 1 || offsets[0] != 0) {
- int i;
- for (i = 0; i < num_fds; i++)
+ assert(num_fds <= 4);
+ for (int i = 0; i < num_fds; i++)
 close(fds[i]);
 return -1;
 }
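Review bot: The added `assert(num_fds <= 4);` in the error branch of dri3_fd_from_pixmap is not a runtime bound. It compiles to nothing when the server is built with NDEBUG, so the `close(fds[i])` loop can still read past `fds` in such builds, and where the assert is active a misbehaving driver callback aborts the whole server instead of taking the existing `return -1` path. Bounding the loop itself holds in every build, e.g. `for (int i = 0; i < num_fds && i < (int)(sizeof(fds) / sizeof(fds[0])); i++)`, assuming `fds` is the four-element stack array the analyzer report in the commit message describes (its declaration is outside the hunk). Deriving the limit from the array rather than the literal 4 also keeps the check right if the array is resized. A callback that returns more entries than the array holds may already have written past it, so a short comment stating the `fds_from_pixmap` contract at the call site would help; the function body starts and ends outside the hunk.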