Commit graph

3568 commits

Author SHA1 Message Date
Dominique Martinet
e5348ad7d3 backend autocreate: fix leak when WLR_BACKENDS is set
Found through static analysis
2018-06-30 11:45:57 +09:00
Dominique Martinet
1940c6bbd9 wayland backend: fix width/height == 0 check
We cannot handle just one of the two being NULL later down the road
(e.g. divide by zero in matrix projection code),
just ignore any such configure request.

Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet
4cc4412481 wlr_renderer_destroy: fix renderer NULL check
renderer is checked for NULL, but was dereferenced before that.

Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet
b3313b7f39 wlr_output: fix scope for 'now'
'when' points to now that was defined in the if, so compiler could reuse
that memory area by the time 'when' is called

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet
399de4d11b util/create_tmpfile: set restrictive umask for these files
Even if the file is removed right away, a race with someone using inotify
is definitely possible, so play safe and restrict umask for our tmpfiles

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet
efef54ccf5 wlr_keyboard: fix mmap leak + logic on close for keymap_fd
mmap leak found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet
266898ca1f direct session backend: fix closing -1 on error
Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet
1e17f4deb6 rootston: fix leak in handle_layer_shell_surface
Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet
bcc2c64c1e x11 backend init: fix leak on failed XOpenDisplay
Found through static analysis
2018-06-30 11:38:21 +09:00
Dominique Martinet
4f7b1382d4 wayland backend seat: fix NULL output check
The test was done after dereferencing output in pointer_handle_enter,
just move it up one line.
No reason pointer_handle_leave would not need the check if enter needs
it, add it there.

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet
f0d455f088 drm backend: overflow fixes
These operations are done in 32-bit arithmetics before being casted to 64-bit,
thus can overflow before the cast.
Casting early fixes the issue.

Found through static analysis
2018-06-30 11:21:22 +09:00
emersion
63eb720871
Merge pull request #1100 from apreiml/fix-awt-focus-failure
do not send focus request to a window that doesn't allow it
2018-06-29 19:34:20 +01:00
Armin Preiml
f93234d6f5 fix: tabs instead of spaces 2018-06-29 19:25:20 +02:00
Armin Preiml
d0b3aed584 do not send focus request to a window that doesn't allow this 2018-06-29 17:58:47 +02:00
Drew DeVault
f3a5d5dbd7
Merge pull request #1097 from emersion/contributing-inert-destroy-order
contributing: move wl_resource_set_user_data() right before free()
2018-06-28 06:40:18 -07:00
emersion
ec7d4a0971
Merge pull request #1092 from martinetd/idle_inhibit
Idle inhibit cleanup
2018-06-28 14:33:07 +01:00
emersion
64665200fa
contributing: move wl_resource_set_user_data() right before free() 2018-06-28 14:28:42 +01:00
Dominique Martinet
93a75769f0 wlr_idle_inhibit_v1: cleanup destroy handlers
- Rename handlers to <type>_handle_resource_destroy and
<type>_handle_destroy to be coherent
 - Make sure we never destroy wl_resources when we shouldn't

Updates #999
2018-06-28 22:04:28 +09:00
emersion
f01896c9d5
Merge pull request #1093 from martinetd/xdg_popup
xdg_shell popup: fix potential segv in handle_destroy
2018-06-28 13:30:28 +01:00
Dominique Martinet
0ced9df350 wlr_idle_inhibit_v1: add *data pointer to wlr structs 2018-06-28 20:29:44 +09:00
Dominique Martinet
a3e2a77734 xdg_popup: fix call to to handle_grab for inert popup 2018-06-28 20:28:15 +09:00
Dominique Martinet
970687a01c xdg_shell popup: fix potential segv in handle_destroy
surface could be NULL there if the popup had been made
inert before
2018-06-28 13:54:35 +09:00
emersion
9f1d6c58ed
Merge pull request #1091 from martinetd/idle
wlr_idle: add helper to enable/disable all timers
2018-06-27 15:17:40 +01:00
Dominique Martinet
d0b902b962 wlr_idle: add helper to enable/disable all timers
There was no way to tell wlr_idle to stop processing input events
and rearm timers all the time, such an API is required to have
some form of idle inhibitor.
2018-06-27 22:47:05 +09:00
emersion
159835de24
Merge pull request #1089 from ascent12/hwcontext_drm
Check for libavutil/hwcontext_drm.h
2018-06-26 10:13:48 +01:00
Scott Anderson
0e19b024c6 Add minimum version for ffmpeg 4.0 libraries 2018-06-26 20:14:08 +12:00
Scott Anderson
86942d8a6a Check for libavutil/hwcontext_drm.h
This is an optional feature of libavutil, so this will cause a build
failure if it's not present (e.g. on Debian/Ubuntu).
2018-06-26 17:25:29 +12:00
Drew DeVault
4852010f29
Merge pull request #1081 from atomnuker/master
examples/dmabuf-capture: move encoding to a separate thread
2018-06-25 14:20:20 -07:00
Tony Crisci
e51829ff7c
Merge pull request #1084 from martinetd/use-after-free
use-after-free fixes (xdg_shell popups, primary selection source, xwm parents)
2018-06-25 11:03:07 -04:00
Dominique Martinet
ffd37b664f xdg_shell: destroy children popups with parent surface
popups have a link in parent's surface->popups list and needs
to be freed before:

==6902==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001a0300 at pc 0x7fc1447acb50 bp 0x7fffd396e680 sp 0x7fffd396e670
WRITE of size 8 at 0x6120001a0300 thread T0
    #0 0x7fc1447acb4f in wl_list_remove ../util/signal.c:55
    #1 0x7fc14477d206 in destroy_xdg_popup_v6 ../types/xdg_shell_v6/wlr_xdg_popup_v6.c:162
    #2 0x7fc1447816e0 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:108
    #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688
    #4 0x7fc144a1c091 in wl_resource_destroy src/wayland-server.c:705
    #5 0x7fc14477fd6f in xdg_client_v6_handle_resource_destroy ../types/xdg_shell_v6/wlr_xdg_shell_v6.c:72
    #6 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688
    #7 0x7fc144a20851  (/lib64/libwayland-server.so.0+0xc851)
    #8 0x7fc144a20d92  (/lib64/libwayland-server.so.0+0xcd92)
    #9 0x7fc144a1c140 in wl_client_destroy src/wayland-server.c:847
    #10 0x7fc144a1c21c in destroy_client_with_error src/wayland-server.c:307
    #11 0x7fc144a1c21c in wl_client_connection_data src/wayland-server.c:330
    #12 0x7fc144a1df01 in wl_event_loop_dispatch src/event-loop.c:641
    #13 0x7fc144a1c601 in wl_display_run src/wayland-server.c:1260
    #14 0x40a2f4 in main ../sway/main.c:433
    #15 0x7fc143ef718a in __libc_start_main ../csu/libc-start.c:308
    #16 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6120001a0300 is located 64 bytes inside of 264-byte region [0x6120001a02c0,0x6120001a03c8)
freed by thread T0 here:
    #0 0x7fc14690d880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fc1447acce8 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7fc1447a3cac in surface_handle_resource_destroy ../types/wlr_surface.c:576
    #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fc14690de50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fc144781d38 in create_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:415
    #2 0x7fc14147503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)

Alternative would be to have popups listen to the parent's surface
destroy event and remove themselves from the list at this point OR on
their own destroy, whichever happens first, but that seems more
complicated for little benefit.
2018-06-25 17:54:25 +09:00
Dominique Martinet
4a1c9a1925 xwm: fix use-after-free involving parents/children
Happens when e.g. closing gimp.

==24039==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001a7a78 at pc 0x7f09b09f1bb2 bp 0x7ffcf0237bf0 sp 0x7ffcf0237be0
WRITE of size 8 at 0x6150001a7a78 thread T0
    #0 0x7f09b09f1bb1 in wl_list_remove ../util/signal.c:55
    #1 0x7f09b094cf03 in xwayland_surface_destroy ../xwayland/xwm.c:295
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6150001a7a78 is located 120 bytes inside of 496-byte region [0x6150001a7a00,0x6150001a7bf0)
freed by thread T0 here:
    #0 0x7f09b2b58880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7f09b094d1a1 in xwayland_surface_destroy ../xwayland/xwm.c:315
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

previously allocated by thread T0 here:
    #0 0x7f09b2b58e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7f09b094b585 in xwayland_surface_create ../xwayland/xwm.c:119
    #2 0x7f09b0950151 in xwm_handle_create_notify ../xwayland/xwm.c:706
    #3 0x7f09b0953032 in x11_event_handler ../xwayland/xwm.c:1146
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)
2018-06-25 17:28:44 +09:00
Dominique Martinet
954969698a wlr_primary_selection: fix use-after-free when cancelling source
seat->primary_election_source_destroy points to the source that just got
freed by the cancel.

==7843==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0004269b0 at pc 0x7fb95bf4ccd0 bp 0x7ffd75013940 s
p 0x7ffd75013930
WRITE of size 8 at 0x60b0004269b0 thread T0
    #0 0x7fb95bf4cccf in wl_list_remove ../util/signal.c:55
    #1 0x7fb95bf3f4c6 in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:238
    #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7fb95c1bc601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7fb95b69718a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x60b0004269b0 is located 64 bytes inside of 112-byte region [0x60b000426970,0x60b0004269e0)
freed by thread T0 here:
    #0 0x7fb95e0ad880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fb95bf3f49e in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:236
    #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641

previously allocated by thread T0 here:
    #0 0x7fb95e0ade50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fb95bec7ad6 in xwm_selection_get_targets ../xwayland/selection/incoming.c:355
    #2 0x7fb95bec7ad6 in xwm_handle_selection_notify ../xwayland/selection/incoming.c:402
    #3 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #4 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #5 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641

SUMMARY: AddressSanitizer: heap-use-after-free ../util/signal.c:55 in wl_list_remove
Shadow bytes around the buggy address:
  0x0c168007cce0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c168007ccf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c168007cd00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c168007cd10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c168007cd20: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
=>0x0c168007cd30: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa
  0x0c168007cd40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c168007cd50: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c168007cd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c168007cd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c168007cd80: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
2018-06-25 17:28:44 +09:00
Rostislav Pehlivanov
5707653e85 examples/dmabuf-capture: move encoding to a separate thread
Drop new frames if too slow. Speeds up encoding significantly, even with vaapi.
2018-06-25 06:41:59 +01:00
Drew DeVault
253a88f030
Merge pull request #1086 from acrisci/input-inhibit-emit-safe
input-inhibit: use wlr_signal_emit_safe
2018-06-24 16:44:53 -07:00
Tony Crisci
a2ff144429 input-inhibit: use wlr_signal_emit_safe 2018-06-24 19:33:15 -04:00
Drew DeVault
4c6d80606d
Merge pull request #1085 from acrisci/xdg-popup-grab-fixes
xdg-shell: end pointer and keyboard grab at the same time
2018-06-24 16:07:01 -07:00
Tony Crisci
006edc9dcb xdg-shell: end pointer and keyboard grab at the same time 2018-06-24 18:50:04 -04:00
Tony Crisci
0fa784de0e
Merge pull request #1054 from swaywm/cancel-grab-on-focus-change
rootston: Cancel existing keyboard grab when changing focus
2018-06-24 18:38:52 -04:00
Tony Crisci
356e466d5a use seat function to end grab 2018-06-24 18:18:30 -04:00
Tony Crisci
e8c0996b93 Merge branch 'master' into cancel-grab-on-focus-change 2018-06-24 18:16:42 -04:00
Drew DeVault
e459fe0ec7
Merge pull request #992 from emersion/screencontent
Implement wlr_export_dmabuf_unstable_v1 protocol
2018-06-22 05:37:07 -07:00
Drew DeVault
47c7674a68
Merge pull request #1075 from emersion/fix-xdg-toplevel-compare
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state
2018-06-20 18:54:01 -07:00
emersion
0e3b35c87e
Merge pull request #1072 from emersion/surface-remove-matrices
surface: remove matrices
2018-06-20 21:29:17 +01:00
emersion
a59774f364
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state 2018-06-20 21:25:01 +01:00
Scott Anderson
df876a7cf8
Merge pull request #1073 from tobiasblass/fix_recvmsg_endless_loop
FIX: Suprocess loops endlessly when the control socket closes.
2018-06-21 08:18:37 +12:00
Drew DeVault
637479ce05
Merge pull request #1071 from emersion/remove-wlr-frame-callback
surface: remove wlr_frame_callback
2018-06-20 13:04:26 -07:00
emersion
831b7297a4
surface: remove matrices
These were unused.
2018-06-20 21:01:35 +01:00
Tobias Blass
482fc48c74 FIX: Suprocess loops endlessly when the control socket closes.
recvmsg(3) returns 0 if the connection partner has shut down its socket.
The communicate function considered 0 a successful message, though, and
keeps calling recvmsg(3) again and again.
2018-06-20 22:00:45 +02:00
emersion
a6c0e25d36
surface: remove wlr_frame_callback
This removes the need to allocate a structure for frame callbacks.
wl_resource_get_link is used instead.
2018-06-20 20:00:23 +01:00
emersion
cc89906ddf
Merge pull request #1067 from emersion/fix-surface-double-release
surface: fix double wl_buffer.release events
2018-06-17 18:24:34 +01:00