diff options
| author | Olivier Fourdan <ofourdan@redhat.com> | 2018-09-05 15:20:17 +0200 |
|---|---|---|
| committer | Olivier Fourdan <ofourdan@redhat.com> | 2018-10-04 17:25:13 +0200 |
| commit | 1191b23f942cace785234f5d7fac972251c8f1db (patch) | |
| tree | bb9e6dc41b590b79952823d3a7385add2352dd4d | |
| parent | 1b0db2c74258d20e3f99bd69c2914fd445abe920 (diff) | |
glx: check for indirect context in CreateContextAttribsARB()
Commit 99f0365b "Add a command line argument for disabling indirect GLX"
added a test to check if indirect context are enabled in
`DoCreateContext()` but `__glXDisp_CreateContextAttribsARB()` doesn't
use `DoCreateContext()` and doesn't check if indirect context is
enabled.
As a result, clients can still manage to create indirect contexts using
`glXCreateContextAttribsARB()` even if indirect contexts are disabled,
which can possibly crash Xservers such as Xwayland or Xephyr when the
context is destroyed.
To avoid the issue, check for `enableIndirectGLX` in
`__glXDisp_CreateContextAttribsARB()` as well.
Fixes: 99f0365b "Add a command line argument for disabling indirect GLX"
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107508
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 75448671abe2c6ae3745eb5d2ed2e76df2de9c41)
| -rw-r--r-- | glx/createcontext.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/glx/createcontext.c b/glx/createcontext.c index 7d09c3a1c..24b02ddfb 100644 --- a/glx/createcontext.c +++ b/glx/createcontext.c @@ -28,6 +28,7 @@ #include "glxserver.h" #include "glxext.h" #include "indirect_dispatch.h" +#include "opaque.h" #define ALL_VALID_FLAGS \ (GLX_CONTEXT_DEBUG_BIT_ARB | GLX_CONTEXT_FORWARD_COMPATIBLE_BIT_ARB \ @@ -320,6 +321,17 @@ __glXDisp_CreateContextAttribsARB(__GLXclientState * cl, GLbyte * pc) err = BadAlloc; } else { + /* Only allow creating indirect GLX contexts if allowed by + * server command line. Indirect GLX is of limited use (since + * it's only GL 1.4), it's slower than direct contexts, and + * it's a massive attack surface for buffer overflow type + * errors. + */ + if (!enableIndirectGLX) { + client->errorValue = req->isDirect; + return BadValue; + } + ctx = glxScreen->createContext(glxScreen, config, shareCtx, req->numAttribs, (uint32_t *) attribs, &err); |