[mutter] wayland: Seal SHM buffers before access



commit b6d070b06f895c57dc6eae05934acd73b86e22c8
Author: Marek Chalupa <mchqwerty gmail com>
Date:   Fri Jan 9 16:09:23 2015 +0100

    wayland: Seal SHM buffers before access
    
    If a Wayland client lies about the size of a given buffer, the compositor could
    touch bad memory and get SIGBUS. Wayland provides a simple API to fix it - so fix it!
    
    [1] http://cgit.freedesktop.org/wayland/wayland/tree/src/wayland-server.h#n416
    [2] http://lists.freedesktop.org/archives/wayland-devel/2013-November/012159.html
    
    Signed-off-by: Marek Chalupa <mchqwerty gmail com>
    
    https://bugzilla.gnome.org/show_bug.cgi?id=727893

 src/backends/meta-cursor.c        |    4 ++++
 src/wayland/meta-wayland-buffer.c |   14 ++++++++++++++
 2 files changed, 18 insertions(+), 0 deletions(-)
---
diff --git a/src/backends/meta-cursor.c b/src/backends/meta-cursor.c
index edab7d9..7c51ef0 100644
--- a/src/backends/meta-cursor.c
+++ b/src/backends/meta-cursor.c
@@ -317,6 +317,8 @@ meta_cursor_image_load_from_buffer (MetaCursorImage    *image,
         {
           int rowstride = wl_shm_buffer_get_stride (shm_buffer);
 
+          wl_shm_buffer_begin_access (shm_buffer);
+
           switch (wl_shm_buffer_get_format (shm_buffer))
             {
 #if G_BYTE_ORDER == G_BIG_ENDIAN
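Review bot: The guard opened by `wl_shm_buffer_begin_access (shm_buffer)` is closed only by the `wl_shm_buffer_end_access` call in the next hunk, and the `switch` between them is not fully visible. Every case, including any default or unsupported-format path, has to fall through to that call rather than leave the block early. libwayland tracks the guarded pool per thread, so a skipped end call would leave that state set for the next guarded access. A short comment at the begin call would help keep the pair balanced, for example `/* Client-owned SHM memory: reads until end_access may fault if the client shrank the pool. */`. The enclosing function starts and ends outside both hunks.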
@@ -344,6 +346,8 @@ meta_cursor_image_load_from_buffer (MetaCursorImage    *image,
                                              (uint8_t *) wl_shm_buffer_get_data (shm_buffer),
                                              width, height, rowstride,
                                              gbm_format);
+
+          wl_shm_buffer_end_access (shm_buffer);
         }
       else
         {
diff --git a/src/wayland/meta-wayland-buffer.c b/src/wayland/meta-wayland-buffer.c
index 40db3b0..f2cf1e7 100644
--- a/src/wayland/meta-wayland-buffer.c
+++ b/src/wayland/meta-wayland-buffer.c
@@ -91,13 +91,23 @@ meta_wayland_buffer_ensure_texture (MetaWaylandBuffer *buffer)
   CoglContext *ctx = clutter_backend_get_cogl_context (clutter_get_default_backend ());
   CoglError *catch_error = NULL;
   CoglTexture *texture;
+  struct wl_shm_buffer *shm_buffer;
 
   if (buffer->texture)
     goto out;
 
+  shm_buffer = wl_shm_buffer_get (buffer->resource);
+
+  if (shm_buffer)
+    wl_shm_buffer_begin_access (shm_buffer);
+
   texture = COGL_TEXTURE (cogl_wayland_texture_2d_new_from_buffer (ctx,
                                                                    buffer->resource,
                                                                    &catch_error));
+
+  if (shm_buffer)
+    wl_shm_buffer_end_access (shm_buffer);
+
   if (!texture)
     {
       cogl_error_free (catch_error);
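Review bot: The begin/end pair around `cogl_wayland_texture_2d_new_from_buffer` protects the compositor only if Cogl reads the client's pool memory synchronously on this thread inside that call; any copy Cogl defers until after `wl_shm_buffer_end_access` would again be an unguarded read. That is presumably true for SHM uploads, but it is not visible here, so I would state the assumption in a comment above the begin call, e.g. `/* SHM pixels must be fully read before end_access; the SIGBUS guard is per-thread and covers only this call. */`. The NULL checks are needed because `wl_shm_buffer_get` returns NULL for non-SHM buffers, which deserves a word in the same comment. The function body continues outside the hunk.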
@@ -124,6 +134,8 @@ meta_wayland_buffer_process_damage (MetaWaylandBuffer *buffer,
 
       n_rectangles = cairo_region_num_rectangles (region);
 
+      wl_shm_buffer_begin_access (shm_buffer);
+
       for (i = 0; i < n_rectangles; i++)
         {
           cairo_rectangle_int_t rect;
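Review bot: The guard added around the damage loop handles a fault on the pool mapping, but it does not bounds-check the rectangles handed to `cogl_wayland_texture_set_region_from_shm_buffer`. Whether `region` is clipped to the buffer size before this point is not visible in the hunk and should be confirmed. `wl_shm_buffer_begin_access (shm_buffer)` here and the matching end call in the next hunk are unconditional, unlike the `if (shm_buffer)` checks in `meta_wayland_buffer_ensure_texture`, so they rely on the enclosing condition (outside the hunk) guaranteeing a non-NULL `shm_buffer`. The upload also passes `NULL` as its error argument, so a failed region update goes unreported.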
@@ -133,5 +145,7 @@ meta_wayland_buffer_process_damage (MetaWaylandBuffer *buffer,
                                                            shm_buffer,
                                                            rect.x, rect.y, 0, NULL);
         }
+
+      wl_shm_buffer_end_access (shm_buffer);
     }
 }

