xwayland: Avoid a crash on pointer enter with a grab (!196) · Merge requests · xorg / xserver

Olivier Fourdan requested to merge ofourdan/xserver:rhbz1708119 into master May 09, 2019

On pointer enter notification, Xwayland checks for an existing pointer warp with a NULL sprite.

In turn, xwl_pointer_warp_emulator_maybe_lock() checks for an existing grab and the destination window using XYToWindow() which does not check for the actual sprite not being NULL.

So, in some cases, when the pointer enters the surface and there is an existing X11 grab which is not an ownerEvents grab, Xwayland would crash trying to dereference the NULL sprite pointer:

#0 __GI_raise () #1 (closed) __GI_abort () at abort.c:79 #2 OsAbort () at utils.c:1351 #3 (closed) AbortServer () at log.c:879 #4 (closed) FatalError () at log.c:1017 #5 (closed) OsSigHandler () at osinit.c:156 #6 (closed) OsSigHandler () at osinit.c:110 #7 (closed) #8 (closed) XYToWindow (pSprite=0x0, x=0, y=0) at events.c:2880 #9 xwl_pointer_warp_emulator_maybe_lock () at xwayland-input.c:2673 #10 (closed) pointer_handle_enter () at xwayland-input.c:434

Avoid the crash by simply checking for the sprite being not NULL in xwl_pointer_warp_emulator_maybe_lock()

Signed-off-by: Olivier Fourdan ofourdan@redhat.com Bugzilla: https://bugzilla.redhat.com/1708119

Admin message

xwayland: Avoid a crash on pointer enter with a grab

Merge request reports