Bug#1032260: unblock: mutter/43.3-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: mutter@packages.debian.org
Control: affects -1 + src:mutter
Please unblock package mutter

[ Reason ]
Fix a crash when plugging in a Lenovo Thunderbolt dock (#1031847)

[ Impact ]
Desktop environment crash when connecting certain Thunderbolt docks
(maybe also monitors) that have an invalid ICC profile in their EDID data

[ Tests ]
Bug reporter confirmed that an earlier test-build of the patched package
resolves their crash.

The uploaded version is functionally very similar, but logs an error
message instead of crashing in a related "can't happen" situation,
as requested in the upstream merge request. I've installed it on my
laptop and it works normally, but I don't have the necessary hardware
to reproduce the crash.

[ Risks ]
This is a highly visible component of our default desktop environment,
but the change is straightforward. If it introduces a bug, the bug should
be minor (a memory leak, once per device connected).

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock mutter/43.3-4

diffstat for mutter-43.3 mutter-43.3
debian/changelog | 10 ++
debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch | 47 ++++++++++
debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch | 44 +++++++++
debian/patches/series | 2
src/backends/meta-color-device.c | 17 ++-
5 files changed, 114 insertions(+), 6 deletions(-)
diff -Nru mutter-43.3/debian/changelog mutter-43.3/debian/changelog
--- mutter-43.3/debian/changelog 2023-02-18 18:44:12.000000000 +0000
+++ mutter-43.3/debian/changelog 2023-03-02 08:50:50.000000000 +0000
@@ -1,3 +1,13 @@
+mutter (43.3-4) unstable; urgency=medium
+
+ * Team upload
+ * d/p/color-device-Make-sure-lcms_context-is-not-NULL.patch,
+ d/p/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch:
+ Fix a double-free when loading the ICC profile from a device's EDID
+ fails (Closes: #1031847)
+
+ -- Simon McVittie <smcv@debian.org> Thu, 02 Mar 2023 08:50:50 +0000
+
mutter (43.3-3) unstable; urgency=medium
* Team upload
diff -Nru mutter-43.3/debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch mutter-43.3/debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch
--- mutter-43.3/debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch 1970-01-01 01:00:00.000000000 +0100
+++ mutter-43.3/debian/patches/color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch 2023-03-02 08:50:50.000000000 +0000
@@ -0,0 +1,47 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 1 Mar 2023 10:12:12 +0000
+Subject: color-device: Don't close lcms profile on error from
+ cd_icc_load_handle
+
+As implemented in colord 1.4.6, cd_icc_load_handle() has three possible
+results:
+
+1. success, taking ownership of the profile;
+2. failure because cmsGetProfileContextID returns NULL, *not* taking
+ ownership of the profile;
+3. failure in cd_icc_load(), taking ownership of the profile.
+
+The previous commit ensures that we are not in case 2.
+
+In case 3 where cd_icc_load() fails, ownership was already given to
+the colord CdIcc object, so it will be freed when the g_autoptr unrefs
+the CdIcc, and we must not free it again: that would be a double-free,
+potentially resulting in memory corruption.
+
+Bug: https://gitlab.gnome.org/GNOME/mutter/-/issues/2659
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031847
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2877
+---
+ src/backends/meta-color-device.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/backends/meta-color-device.c b/src/backends/meta-color-device.c
+index ea3b9de..bb87f48 100644
+--- a/src/backends/meta-color-device.c
++++ b/src/backends/meta-color-device.c
+@@ -890,12 +890,9 @@ create_icc_profile_from_edid (MetaColorDevice *color_device,
+ cmsSetHeaderRenderingIntent (lcms_profile, INTENT_PERCEPTUAL);
+ cmsSetDeviceClass (lcms_profile, cmsSigDisplayClass);
+
+- if (!cd_icc_load_handle (cd_icc, lcms_profile,
++ if (!cd_icc_load_handle (cd_icc, g_steal_pointer (&lcms_profile),
+ CD_ICC_LOAD_FLAGS_PRIMARIES, error))
+- {
+- cmsCloseProfile (lcms_profile);
+- return NULL;
+- }
++ return NULL;
+
+ cd_icc_add_metadata (cd_icc, CD_PROFILE_PROPERTY_FILENAME, file_path);
+ cd_icc_add_metadata (cd_icc,
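Review bot: The reason the failure branch must no longer call cmsCloseProfile() is recorded only in this patch header, so at the cd_icc_load_handle() call the code itself gives no hint that the profile is consumed on failure as well as on success. A short comment at that call, stating that colord takes ownership in both outcomes once the context is known to be non-NULL and that this reflects colord 1.4.6 as the header says, would stop a later cleanup from restoring the close and bringing the double-free back. Because g_steal_pointer() leaves lcms_profile NULL after the call, any later use of that variable in this function would need to be checked; none appears in the lines shown.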
diff -Nru mutter-43.3/debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch mutter-43.3/debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch
--- mutter-43.3/debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch 1970-01-01 01:00:00.000000000 +0100
+++ mutter-43.3/debian/patches/color-device-Make-sure-lcms_context-is-not-NULL.patch 2023-03-02 08:50:50.000000000 +0000
@@ -0,0 +1,44 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Wed, 1 Mar 2023 10:12:03 +0000
+Subject: color-device: Make sure lcms_context is not NULL
+
+lcms interprets a NULL context as using a default, non-thread-safe
+context, which is unsuitable for mutter's use. Make sure we're always
+using a non-trivial context.
+
+Bug: https://gitlab.gnome.org/GNOME/mutter/-/issues/2659
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031847
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Forwarded: https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2877
+---
+ src/backends/meta-color-device.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/backends/meta-color-device.c b/src/backends/meta-color-device.c
+index c0a98a4..ea3b9de 100644
+--- a/src/backends/meta-color-device.c
++++ b/src/backends/meta-color-device.c
+@@ -846,6 +846,15 @@ create_icc_profile_from_edid (MetaColorDevice *color_device,
+ return NULL;
+ }
+
++ lcms_context = meta_color_manager_get_lcms_context (color_manager);
++
++ if (!lcms_context)
++ {
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
++ "Internal error: no LCMS context available");
++ return NULL;
++ }
++
+ cd_icc = cd_icc_new ();
+
+ chroma.Red.x = edid_info->red_x;
+@@ -863,7 +872,6 @@ create_icc_profile_from_edid (MetaColorDevice *color_device,
+ transfer_curve[1] = transfer_curve[0];
+ transfer_curve[2] = transfer_curve[0];
+
+- lcms_context = meta_color_manager_get_lcms_context (color_manager);
+ lcms_profile = cmsCreateRGBProfileTHR (lcms_context,
+ &white_point,
+ &chroma,
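Review bot: The new "if (!lcms_context)" guard is what the follow-up patch depends on to rule out the cd_icc_load_handle() failure that does not take ownership of the profile, yet the header here gives only the thread-safety reason and the code carries no comment. Suggest a one-line comment above the check saying that the later ownership transfer to colord assumes a non-NULL context, so the two changes are not separated or reordered by accident. Moving the lookup ahead of cd_icc_new() is the right placement, since the early return then has nothing allocated to release.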
diff -Nru mutter-43.3/debian/patches/series mutter-43.3/debian/patches/series
--- mutter-43.3/debian/patches/series 2023-02-18 18:44:12.000000000 +0000
+++ mutter-43.3/debian/patches/series 2023-03-02 08:50:50.000000000 +0000
@@ -1,4 +1,6 @@
x11-Avoid-updating-focus-on-wayland-compositor.patch
+color-device-Make-sure-lcms_context-is-not-NULL.patch
+color-device-Don-t-close-lcms-profile-on-error-from-cd_ic.patch
wayland-Don-t-overwrite-surface-offsets.patch
tests-Break-up-stacking-installed-tests-into-more-smaller.patch
meson-add-back-default_driver-option.patch
diff -Nru mutter-43.3/src/backends/meta-color-device.c mutter-43.3/src/backends/meta-color-device.c
--- mutter-43.3/src/backends/meta-color-device.c 2023-02-13 18:12:26.000000000 +0000
+++ mutter-43.3/src/backends/meta-color-device.c 2023-03-02 11:27:42.000000000 +0000
@@ -846,6 +846,15 @@
return NULL;
}
+ lcms_context = meta_color_manager_get_lcms_context (color_manager);
+
+ if (!lcms_context)
+ {
+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+ "Internal error: no LCMS context available");
+ return NULL;
+ }
+
cd_icc = cd_icc_new ();
chroma.Red.x = edid_info->red_x;
@@ -863,7 +872,6 @@
transfer_curve[1] = transfer_curve[0];
transfer_curve[2] = transfer_curve[0];
- lcms_context = meta_color_manager_get_lcms_context (color_manager);
lcms_profile = cmsCreateRGBProfileTHR (lcms_context,
&white_point,
&chroma,
@@ -882,12 +890,9 @@
cmsSetHeaderRenderingIntent (lcms_profile, INTENT_PERCEPTUAL);
cmsSetDeviceClass (lcms_profile, cmsSigDisplayClass);
- if (!cd_icc_load_handle (cd_icc, lcms_profile,
+ if (!cd_icc_load_handle (cd_icc, g_steal_pointer (&lcms_profile),
CD_ICC_LOAD_FLAGS_PRIMARIES, error))
- {
- cmsCloseProfile (lcms_profile);
- return NULL;
- }
+ return NULL;
cd_icc_add_metadata (cd_icc, CD_PROFILE_PROPERTY_FILENAME, file_path);
cd_icc_add_metadata (cd_icc,