Hello community,
here is the log from the commit of package xorg-x11-server.4594 for openSUSE:13.2:Update checked in at 2016-02-04 12:39:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/xorg-x11-server.4594 (Old)
and /work/SRC/openSUSE:13.2:Update/.xorg-x11-server.4594.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "xorg-x11-server.4594"
Changes:
--------
New Changes file:
--- /dev/null 2016-01-27 19:41:03.648095915 +0100
+++ /work/SRC/openSUSE:13.2:Update/.xorg-x11-server.4594.new/xorg-x11-server.changes 2016-02-04 12:39:55.000000000 +0100
@@ -0,0 +1,3994 @@
+-------------------------------------------------------------------
+Wed Jan 20 19:38:55 UTC 2016 - eich@suse.com
+
+- n_RandR-Disable-rotation-for-GPU-screens.patch
+ Disable rotation and other transformation from GPU screens
+ (boo#962295).
+
+-------------------------------------------------------------------
+Fri Jan 15 16:32:27 UTC 2016 - eich@suse.com
+
+- u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch
+ Fix panning when configured in xorg.conf* (boo#771521).
+
+-------------------------------------------------------------------
+Mon Jan 11 21:54:42 UTC 2016 - eich@suse.com
+
+- u_busfault_sigaction-Only-initialize-pointer-when-matched.patch
+ Only initialize pointer when matched (boo#961439).
+
+-------------------------------------------------------------------
+Tue Nov 24 15:26:45 UTC 2015 - eich@suse.com
+
+- U_Xephyr-Fix-screen-image-draw-for-the-non-Glamor-non-XHSM-case.patch
+ * Redraw correctly when neither Glamor nor XSHM is in use (bsc#925019).
+- u_kdrive-UnregisterFd-Fix-off-by-one.patch
+ * Copy open file table correctly by avoiding an off-by-one error
+ (boo#867483).
+
+-------------------------------------------------------------------
+Tue Nov 10 12:55:58 UTC 2015 - eich@suse.com
+
+- U_os-Teach-vpnprintf-how-to-handle-.-s.patch:
+ Add support for %*.*s formats to the async safe *printf functions
+ (bsc#948713).
+
+-------------------------------------------------------------------
+Fri Jun 12 11:58:43 UTC 2015 - msrb@suse.com
+
+- U_os-support-new-implicit-local-user-access-mode.patch,
+ U_xwayland-default-to-local-user-if-no-xauth-file-given.patch,
+ U_xwayland-enable-access-control-on-open-socket.patch
+ * Prevent unauthorized local access. (bnc#934102, CVE-2015-3164)
+
+-------------------------------------------------------------------
+Fri Apr 24 10:39:45 UTC 2015 - eich@suse.com
+
+- U_dix-Allow-zero-height-PutImage-requests.patch
+ * Fix a regression introduced by CVE-2014-8092: PutImage
+ crashes when called with 0 height (bnc#928513).
+
+-------------------------------------------------------------------
+Thu Feb 19 13:18:11 UTC 2015 - msrb@suse.com
+
+- u_xorg-expose-getmaster-to-modules.patch
+ * Export GetMaster to allow VNC to work as a module. (bnc#918628)
+
+-------------------------------------------------------------------
+Thu Feb 12 11:54:54 UTC 2015 - msrb@suse.com
+
+- U_xkb-check-strings-length-against-request-size.patch
+ * Check string lenghts in XkbSetGeometry request.
+ (bnc#915810, CVE-2015-0255)
+
+-------------------------------------------------------------------
+Wed Dec 17 12:20:20 UTC 2014 - msrb@suse.com
+
+- Add and update security patches. (bnc#907268, CVE-2014-8091,
+ CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095,
+ CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099,
+ CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, CVE-2014-8103)
+ + U_Xi_unvalidated_lengths_in_Xinput_extension.patch
+ + U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch
+ + U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch
+ + U_dix_integer_overflow_in_GetHosts.patch
+ + U_dix_integer_overflow_in_ProcPutImage.patch
+ + U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch
+ + U_dix_integer_overflow_in_RegionSizeof.patch
+ + U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch
+ + U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch
+ + U_glx_Add_safe__add_mul_pad.patch
+ + U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch
+ + U_glx_Be_more_paranoid_about_variable_length_requests.patch
+ + U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch
+ + U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch
+ + U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch
+ + U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch
+ + U_glx_Length_checking_for_GLXRender_requests.patch
+ + U_glx_Length_checking_for_RenderLarge_requests.patch
+ + U_glx_Length_checking_for_non_generated_single_request.patch
+ + U_glx_Length_checking_for_non_generated_vendor_private_requests.patch
+ + U_glx_Pass_remaining_request_length_into_varsize.patch
+ + U_glx_Request_length_checks_for_SetClientInfoARB.patch
+ + U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch
+ + U_present_unvalidated_lengths_in_Present_extension_procs.patch
+ + U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch
+ + U_render_check_request_size_before_reading_it.patch
+ + U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch
+ + U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch
+ + U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch
+ + U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch
+ + U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch
+ + U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch
+ + U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch
+
+- U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch
+ * Fixes rendering of some icewm and xfwm themes. (bnc#908258, bnc#856931)
+
+-------------------------------------------------------------------
+Mon Sep 29 14:53:45 UTC 2014 - lbsousajr@gmail.com
+
+- Backport upstream patches to enable Xephyr window placement
+ via new "-output" option or new "-screen WxH+X+Y" syntax.
+ * U_kdrive_extend_screen_option_syntax.patch
+ * U_ephyr_enable_screen_window_placement.patch
+ * U_ephyr_add_output_option_support.patch
+
+-------------------------------------------------------------------
+Sun Sep 21 17:31:53 UTC 2014 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.16.1:
+ + mieq: Fix a crash regression in mieqProcessDeviceEvent
+ + ListenOnOpenFD: Remove Resets since this is intended to be for hotplugging connections
+ + XQuartz: Better support turning off "Displays have separate Spaces" on OS X Mavericks
+ + glamor: Fix temp picture coordinates in glamor_composite_clipped_region
+ + glx/present: Only send GLX_BufferSwapComplete for PresentCompleteKindPixmap
+ + xfree86: Fallback to first platform device as primary
+ + xfree86: Allow non-PCI devices as primary
+ + xwayland: always include drm.xml in tarballs
+
+-------------------------------------------------------------------
+Mon Aug 18 17:33:34 CEST 2014 - tiwai@suse.de
+
+- A better fix for 24bpp graphics problem with cirrus KMS
+ (bnc#890599); Adding a new patch:
+ U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch
+ while obsoleting two patches:
+ u_render-Don-t-generate-invalid-pixman-format-when-using-a-24bpp-framebuffer-with-a-32bit-depth-visual.patch
+ u_fb-Correctly-implement-CopyArea-when-using-a-window-with-depth-32-and-24bpp.patch
+
+-------------------------------------------------------------------
+Fri Aug 15 12:09:12 UTC 2014 - sndirsch@suse.com
+
+- no longer add /usr/lib[64]/xorg/modules/updates to module path
+ (FATE#317822)
+
+-------------------------------------------------------------------
+Wed Aug 13 12:39:39 UTC 2014 - sndirsch@suse.com
+
+- only add /etc/alternatives/libglx.so as ghost on suse >= 1315
+
+-------------------------------------------------------------------
+Wed Aug 13 08:13:21 UTC 2014 - sndirsch@suse.com
+
+- added /etc/alternatives/libglx.so as ghost
+- moved libglx-xorg.so to xorg/xorg-libglx.so to avoid messup in case
+ anybody runs ldconfig in modules/extensions
+
+-------------------------------------------------------------------
+Tue Aug 12 12:26:52 UTC 2014 - sndirsch@suse.com
+
+- make use of update-alternatives for libglx.so (FATE#317822)
+
+-------------------------------------------------------------------
+Thu Aug 7 17:35:12 UTC 2014 - eich@suse.com
+
+- Change U_ to u_ as these patches are not upstream yet:
+ * U_render-Don-t-generate-invalid-pixman-format-when-using-a-24bpp-framebuffer-with-a-32bit-depth-visual.patch
+ --> u_render-Don-t-generate-invalid-pixman-format-when-using-a-24bpp-framebuffer-with-a-32bit-depth-visual.patch
+ * U_fb-Correctly-implement-CopyArea-when-using-a-window-with-depth-32-and-24bpp.patch
+ --> u_fb-Correctly-implement-CopyArea-when-using-a-window-with-depth-32-and-24bpp.patch
+ (bnc#890599).
+
+-------------------------------------------------------------------
+Thu Aug 7 14:50:55 CEST 2014 - tiwai@suse.de
+
+- Fix corrupted graphics with 24bpp on cirrus KMS (bnc#890599)
+ two patches added:
+ U_render-Don-t-generate-invalid-pixman-format-when-using-a-24bpp-framebuffer-with-a-32bit-depth-visual.patch
+ U_fb-Correctly-implement-CopyArea-when-using-a-window-with-depth-32-and-24bpp.patch
+
+-------------------------------------------------------------------
+Tue Aug 5 06:19:04 UTC 2014 - eich@suse.com
+
+- U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch
+ Send XKB bell event on core protocol bell if such an event is requested.
+ This allows to override the system beep by a desktop provided sound
+ instead of silently ignore it (bnc#890323).
+
+-------------------------------------------------------------------
+Thu Jul 17 15:50:10 UTC 2014 - tobias.johannes.klausmann@mni.thm.de
+
+- Update to version 1.16.0 (final):
+ + Glamor integration. This GL-based X acceleration subsystem now
+ offers reasonable performance that avoids software fall backs much
+ of the time.
+ + XWayland. This provides an X server integrated into a Wayland
+ window system. It uses Glamor for rendering, and so avoids most of
++++ 3797 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.xorg-x11-server.4594.new/xorg-x11-server.changes
New:
----
N_default-module-path.diff
N_driver-autoconfig.diff
N_fix-dpi-values.diff
N_fix_fglrx_screendepth_issue.patch
N_xorg-x11-server-rpmmacros.patch
N_zap_warning_xserver.diff
README.updates
U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch
U_Xephyr-Fix-screen-image-draw-for-the-non-Glamor-non-XHSM-case.patch
U_Xi_unvalidated_lengths_in_Xinput_extension.patch
U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch
U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch
U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch
U_dix-Allow-zero-height-PutImage-requests.patch
U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch
U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch
U_dix_integer_overflow_in_GetHosts.patch
U_dix_integer_overflow_in_ProcPutImage.patch
U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch
U_dix_integer_overflow_in_RegionSizeof.patch
U_dri2-Use-the-PrimeScreen-when-creating-reusing-buffe.patch
U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch
U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch
U_ephyr_add_output_option_support.patch
U_ephyr_enable_screen_window_placement.patch
U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch
U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch
U_glx_Add_safe__add_mul_pad.patch
U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch
U_glx_Be_more_paranoid_about_variable_length_requests.patch
U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch
U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch
U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch
U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch
U_glx_Length_checking_for_GLXRender_requests.patch
U_glx_Length_checking_for_RenderLarge_requests.patch
U_glx_Length_checking_for_non_generated_single_request.patch
U_glx_Length_checking_for_non_generated_vendor_private_requests.patch
U_glx_Pass_remaining_request_length_into_varsize.patch
U_glx_Request_length_checks_for_SetClientInfoARB.patch
U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch
U_kdrive_extend_screen_option_syntax.patch
U_os-Teach-vpnprintf-how-to-handle-.-s.patch
U_os-support-new-implicit-local-user-access-mode.patch
U_present_unvalidated_lengths_in_Present_extension_procs.patch
U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch
U_render_check_request_size_before_reading_it.patch
U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch
U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch
U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch
U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch
U_xkb-check-strings-length-against-request-size.patch
U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
U_xwayland-enable-access-control-on-open-socket.patch
b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
b_cache-xkbcomp-output-for-fast-start-up.patch
b_sync-fix.patch
n_RandR-Disable-rotation-for-GPU-screens.patch
n_xserver-optimus-autoconfig-hack.patch
pre_checkin.sh
sysconfig.displaymanager.template
u_CloseConsole-Don-t-report-FatalError-when-shutting-down.patch
u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch
u_busfault_sigaction-Only-initialize-pointer-when-matched.patch
u_confine_to_shape.diff
u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch
u_exa-only-draw-valid-trapezoids.patch
u_fbdevhw.diff
u_kdrive-UnregisterFd-Fix-off-by-one.patch
u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch
u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
u_x86emu-include-order.patch
u_xorg-expose-getmaster-to-modules.patch
u_xorg-server-xdmcp.patch
ux_xserver_xvfb-randr.patch
xorg-backtrace
xorg-server-1.16.1.tar.bz2
xorg-server-provides
xorg-x11-server.changes
xorg-x11-server.macros.in
xorg-x11-server.spec
xorgcfg.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
#
# spec file for package xorg-x11-server
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: xorg-x11-server
%define dirsuffix 1.16.1
Summary: X
License: MIT
Group: System/X11/Servers/XF86_4
# Source URL: http://xorg.freedesktop.org/archive/individual/xserver/
Source0: xorg-server-%{dirsuffix}.tar.bz2
Source1: sysconfig.displaymanager.template
Source2: README.updates
Source3: xorgcfg.tar.bz2
Source4: xorg-backtrace
# RPM Macros to be installed. The ABI Versions will be injected by configure.
Source90: xorg-x11-server.macros.in
# Source91 and Source99 are used to ensure proper ABI provides.
Source91: xorg-server-provides
Source92: pre_checkin.sh
BuildRequires: Mesa-devel
BuildRequires: bison
BuildRequires: flex
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: pkgconfig(bigreqsproto) >= 1.1.0
BuildRequires: pkgconfig(compositeproto)
BuildRequires: pkgconfig(damageproto) >= 1.1
BuildRequires: pkgconfig(dmx) >= 1.0.99.1
BuildRequires: pkgconfig(dri2proto)
BuildRequires: pkgconfig(dri3proto)
BuildRequires: pkgconfig(epoxy) >= 1.1
BuildRequires: pkgconfig(fixesproto) >= 4.1
BuildRequires: pkgconfig(fontconfig)
BuildRequires: pkgconfig(fontenc)
BuildRequires: pkgconfig(fontsproto)
BuildRequires: pkgconfig(fontutil)
BuildRequires: pkgconfig(freetype2)
BuildRequires: pkgconfig(glproto)
BuildRequires: pkgconfig(ice)
BuildRequires: pkgconfig(inputproto) >= 1.9.99.902
BuildRequires: pkgconfig(kbproto) >= 1.0.3
BuildRequires: pkgconfig(libdrm)
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(pciaccess) >= 0.8.0
BuildRequires: pkgconfig(pixman-1) >= 0.24
BuildRequires: pkgconfig(presentproto)
BuildRequires: pkgconfig(randrproto) >= 1.2.99.3
BuildRequires: pkgconfig(renderproto) >= 0.11
BuildRequires: pkgconfig(resourceproto)
BuildRequires: pkgconfig(scrnsaverproto)
BuildRequires: pkgconfig(sm)
BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xau)
BuildRequires: pkgconfig(xaw7)
BuildRequires: pkgconfig(xcb-aux)
BuildRequires: pkgconfig(xcb-icccm)
BuildRequires: pkgconfig(xcb-image)
BuildRequires: pkgconfig(xcb-keysyms)
BuildRequires: pkgconfig(xcmiscproto) >= 1.2.0
BuildRequires: pkgconfig(xdmcp)
BuildRequires: pkgconfig(xext) >= 1.0.99.4
BuildRequires: pkgconfig(xextproto) >= 7.1.99
BuildRequires: pkgconfig(xf86dgaproto)
BuildRequires: pkgconfig(xf86driproto)
BuildRequires: pkgconfig(xfixes)
BuildRequires: pkgconfig(xfont) >= 1.4.2
BuildRequires: pkgconfig(xi) >= 1.2.99.1
BuildRequires: pkgconfig(xineramaproto)
BuildRequires: pkgconfig(xkbfile)
BuildRequires: pkgconfig(xmu)
BuildRequires: pkgconfig(xorg-macros)
BuildRequires: pkgconfig(xp)
BuildRequires: pkgconfig(xpm)
BuildRequires: pkgconfig(xprintutil)
BuildRequires: pkgconfig(xproto) >= 7.0.17
BuildRequires: pkgconfig(xrender)
BuildRequires: pkgconfig(xres)
BuildRequires: pkgconfig(xshmfence)
BuildRequires: pkgconfig(xt)
BuildRequires: pkgconfig(xtrans) >= 1.3.1
BuildRequires: pkgconfig(xtst) >= 1.0.99.2
BuildRequires: pkgconfig(xv)
### udev support (broken on openSUSE 11.2, see also bnc #589997)
%if 0%{?suse_version} >= 1130
BuildRequires: pkgconfig(libudev) >= 143
%endif
Version: 7.6_%{dirsuffix}
Release: 0
Url: http://xorg.freedesktop.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%ifnarch s390 s390x
Requires(pre): %fillup_prereq
%endif
Requires: pkgconfig
Requires: xkbcomp
Requires: xorg-x11-fonts-core
%ifnarch s390 s390x
Requires: libpixman-1-0 >= 0.24
%(cat %{SOURCE91})
%endif
Requires: Mesa
%if 0%{?suse_version} >= 1315
Requires(post): update-alternatives
Requires(postun): update-alternatives
%endif
Provides: xorg-x11-Xvfb
Provides: xorg-x11-server-glx
Obsoletes: xorg-x11-Xvfb
Obsoletes: xorg-x11-server-glx
Provides: glamor = %{version}
Provides: glamor-egl = %{version}
Obsoletes: glamor < %{version}
Obsoletes: glamor-egl < %{version}
# Xvfb requires keyboard files as well (bnc#797124)
Requires: xkeyboard-config
# PATCH-FEATURE-OPENSUSE n_xorg-x11-server-rpmmacros.patch dimstar@opensuse.org -- Provide RPM macros to require correct ABI Versions.
Patch0: N_xorg-x11-server-rpmmacros.patch
Patch1: N_default-module-path.diff
Patch2: N_zap_warning_xserver.diff
Patch3: N_driver-autoconfig.diff
Patch4: N_fix_fglrx_screendepth_issue.patch
Patch6: N_fix-dpi-values.diff
Patch100: u_fbdevhw.diff
Patch101: u_confine_to_shape.diff
# PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions
Patch102: u_x86emu-include-order.patch
Patch103: u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch
Patch104: u_xorg-server-xdmcp.patch
Patch105: ux_xserver_xvfb-randr.patch
# PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 msrb@suse.com -- Fixes possible crash of server using invalid trapezoids. 2013-12-12 patch is waiting in mailing list to be upstreamed.
Patch106: u_exa-only-draw-valid-trapezoids.patch
Patch110: u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch
Patch111: u_CloseConsole-Don-t-report-FatalError-when-shutting-down.patch
Patch112: u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch
Patch130: U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch
Patch131: U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch
Patch132: U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch
Patch133: U_dix_integer_overflow_in_ProcPutImage.patch
Patch134: U_dix_integer_overflow_in_GetHosts.patch
Patch135: U_dix_integer_overflow_in_RegionSizeof.patch
Patch136: U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch
Patch137: U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch
Patch138: U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch
Patch139: U_Xi_unvalidated_lengths_in_Xinput_extension.patch
Patch140: U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch
Patch141: U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch
Patch142: U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch
Patch143: U_present_unvalidated_lengths_in_Present_extension_procs.patch
Patch144: U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch
Patch145: U_render_check_request_size_before_reading_it.patch
Patch146: U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch
Patch147: U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch
Patch148: U_glx_Be_more_paranoid_about_variable_length_requests.patch
Patch149: U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch
Patch150: U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch
Patch151: U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch
Patch152: U_glx_Add_safe__add_mul_pad.patch
Patch153: U_glx_Length_checking_for_GLXRender_requests.patch
Patch154: U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch
Patch155: U_glx_Length_checking_for_RenderLarge_requests.patch
Patch156: U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch
Patch157: U_glx_Request_length_checks_for_SetClientInfoARB.patch
Patch158: U_glx_Length_checking_for_non_generated_vendor_private_requests.patch
Patch159: U_glx_Length_checking_for_non_generated_single_request.patch
Patch160: U_glx_Pass_remaining_request_length_into_varsize.patch
Patch161: U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch
Patch162: U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch
Patch163: U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch
Patch164: U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch
Patch165: U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch
Patch166: U_xkb-check-strings-length-against-request-size.patch
Patch167: u_xorg-expose-getmaster-to-modules.patch
# PATCH-FIX-UPSTREAM U_xwayland-enable-access-control-on-open-socket.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
Patch168: U_xwayland-enable-access-control-on-open-socket.patch
# PATCH-FIX-UPSTREAM U_os-support-new-implicit-local-user-access-mode.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
Patch169: U_os-support-new-implicit-local-user-access-mode.patch
# PATCH-FIX-UPSTREAM U_xwayland-default-to-local-user-if-no-xauth-file-given.patch bnc#934102 msrb@suse.com -- Fix CVE-2015-3164
Patch170: U_xwayland-default-to-local-user-if-no-xauth-file-given.patch
Patch171: U_Xephyr-Fix-screen-image-draw-for-the-non-Glamor-non-XHSM-case.patch
Patch172: u_kdrive-UnregisterFd-Fix-off-by-one.patch
Patch173: u_busfault_sigaction-Only-initialize-pointer-when-matched.patch
Patch174: u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch
Patch200: U_kdrive_extend_screen_option_syntax.patch
Patch201: U_ephyr_enable_screen_window_placement.patch
Patch202: U_ephyr_add_output_option_support.patch
Patch203: U_dix-Allow-zero-height-PutImage-requests.patch
Patch204: U_os-Teach-vpnprintf-how-to-handle-.-s.patch
Patch205: n_RandR-Disable-rotation-for-GPU-screens.patch
Patch1000: n_xserver-optimus-autoconfig-hack.patch
Patch1162: b_cache-xkbcomp-output-for-fast-start-up.patch
Patch1211: b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
Patch1222: b_sync-fix.patch
%description
This package contains the X.Org Server.
%package extra
Summary: Additional Xservers (Xdmx, Xephyr, Xnest)
Group: System/X11/Servers/XF86_4
Requires: Mesa
Requires: xkbcomp
Requires: xkeyboard-config
Requires: xorg-x11-fonts-core
Provides: xorg-x11-Xnest
Obsoletes: xorg-x11-Xnest
%description extra
This package contains additional Xservers (Xdmx, Xephyr, Xnest).
%package sdk
Summary: X
Group: System/Libraries
Requires: xorg-x11-server
Requires: pkgconfig(fontconfig)
Requires: pkgconfig(fontenc)
Requires: pkgconfig(freetype2)
Requires: pkgconfig(ice)
Requires: pkgconfig(libdrm)
Requires: pkgconfig(sm)
Requires: pkgconfig(x11)
Requires: pkgconfig(xau)
Requires: pkgconfig(xdmcp)
Requires: pkgconfig(xext)
Requires: pkgconfig(xfixes)
Requires: pkgconfig(xkbfile)
Requires: pkgconfig(xmu)
Requires: pkgconfig(xp)
Requires: pkgconfig(xpm)
Requires: pkgconfig(xprintutil)
Requires: pkgconfig(xrender)
Requires: pkgconfig(xt)
Requires: pkgconfig(xtrans)
Requires: pkgconfig(xv)
Provides: xorg-x11-sdk
Obsoletes: xorg-x11-sdk
Provides: glamor-devel = %{version}
Obsoletes: glamor-devel < %{version}
%description sdk
This package contains the X.Org Server SDK.
%prep
%setup -q -n xorg-server-%{dirsuffix} -a3
# Early verification if the ABI Defines are correct. Let's not waste build cycles if the Provides are wrong at the end.
sh %{SOURCE92} --verify . %{SOURCE91}
cp %{SOURCE90} .
%patch0 -p1
%if 0%{?suse_version} < 1315
%patch1
%endif
%patch2 -p1
%patch3 -p0
%patch4 -p0
%patch6 -p0
#
%patch100
%patch101
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch130 -p1
%patch131 -p1
%patch132 -p1
%patch133 -p1
%patch134 -p1
%patch135 -p1
%patch136 -p1
%patch137 -p1
%patch138 -p1
%patch139 -p1
%patch140 -p1
%patch141 -p1
%patch142 -p1
%patch143 -p1
%patch144 -p1
%patch145 -p1
%patch146 -p1
%patch147 -p1
%patch148 -p1
%patch149 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1
%patch153 -p1
%patch154 -p1
%patch155 -p1
%patch156 -p1
%patch157 -p1
%patch158 -p1
%patch159 -p1
%patch160 -p1
%patch161 -p1
%patch162 -p1
%patch163 -p1
%patch164 -p1
%patch165 -p1
%patch166 -p1
%patch167 -p1
%patch168 -p1
%patch169 -p1
%patch170 -p1
%patch171 -p1
%patch172 -p1
%patch173 -p1
%patch174 -p1
%patch1000 -p1
### disabled for now
#%patch1162 -p1
### disabled for now
#%patch1211 -p1
### patch222 might not be applicable anymore
#%patch1222 -p1
%patch200 -p1
%patch201 -p1
%patch202 -p1
%patch203 -p1
%patch204 -p1
%patch205 -p1
%build
autoreconf -fi
%configure CFLAGS="%{optflags} -fno-strict-aliasing" \
--sysconfdir=/etc \
--enable-xdmcp \
--enable-xdm-auth-1 \
--enable-dri \
--enable-dri2 \
--enable-dri3 \
--enable-glamor \
--enable-dmx \
--enable-xnest \
--enable-kdrive \
--enable-kdrive-evdev \
--enable-xephyr \
--disable-xfake \
--disable-xfbdev \
--enable-record \
--enable-xcsecurity \
--with-sha1=libcrypto \
--disable-linux-acpi \
--disable-linux-apm \
%if 0%{?suse_version} > 1310
--enable-xwayland \
%else
--disable-xwayland \
%endif
%ifarch s390 s390x
--disable-xorg \
--disable-aiglx \
%else
--enable-xorg \
%if 0%{?suse_version} > 1120
--enable-config-udev \
%endif
%endif
--with-log-dir="/var/log" \
--with-os-name="openSUSE" \
--with-os-vendor="SUSE LINUX" \
--with-fontrootdir="/usr/share/fonts" \
--with-xkb-path="/usr/share/X11/xkb" \
--with-xkb-output="/var/lib/xkb/compiled" \
--with-default-font-path="/usr/share/fonts/misc:unscaled,\
/usr/share/fonts/Type1/,/usr/share/fonts/100dpi:unscaled,\
%if 0%{?suse_version} > 1210
/usr/share/fonts/75dpi:unscaled,/usr/share/fonts/ghostscript/,\
%else
/usr/share/fonts/75dpi:unscaled,/usr/share/fonts/URW/,\
%endif
/usr/share/fonts/cyrillic:unscaled,\
/usr/share/fonts/misc/sgi:unscaled,\
/usr/share/fonts/truetype/,built-ins"
make %{?_smp_mflags}
make -C hw/kdrive %{?_smp_mflags}
%install
%make_install
make -C hw/kdrive install DESTDIR=%{buildroot}
%ifnarch s390 s390x
# remove .la files
find %{buildroot}%{_libdir}/xorg/modules/ -name "*.la" | \
xargs rm
install -m 644 hw/xfree86/parser/{xf86Parser.h,xf86Optrec.h} \
%{buildroot}%{_includedir}/xorg
# bnc #632737
chmod u-s %{buildroot}%{_bindir}/Xorg
mkdir -p %{buildroot}%{_localstatedir}/lib/X11
ln -snf ../../../usr/bin/Xorg %{buildroot}%{_localstatedir}/lib/X11/X
ln -snf ../../var/lib/X11/X %{buildroot}%{_bindir}/X
%if 0%{?suse_version} > 1120
%ifnarch s390 s390x
mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d
cp %{buildroot}/%{_datadir}/X11/xorg.conf.d/10-evdev.conf %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
%endif
%endif
%if 0%{?suse_version} < 1315
mkdir -p %{buildroot}%{_libdir}/xorg/modules/updates/{fonts,input,linux,drivers,multimedia,extensions}
install -m 644 $RPM_SOURCE_DIR/README.updates %{buildroot}%{_libdir}/xorg/modules/updates
%endif
%else
rm -f %{buildroot}%{_datadir}/aclocal/*.m4
%endif
%ifarch s390 s390x
rm -f %{buildroot}%{_sysconfdir}/X11/10-evdev.conf
make -C hw/xfree86/parser
mkdir -p %{buildroot}%{_includedir}/xorg \
%{buildroot}%{_libdir}
install -m 644 hw/xfree86/parser/{xf86Parser.h,xf86Optrec.h} \
%{buildroot}%{_includedir}/xorg
install -m 644 include/list.h \
%{buildroot}%{_includedir}/xorg
%endif
%ifnarch s390 s390x
mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates
install -m 644 %_sourcedir/sysconfig.displaymanager.template \
%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.displaymanager-%{name}
%endif
install -m 755 $RPM_SOURCE_DIR/xorg-backtrace %{buildroot}%{_bindir}/xorg-backtrace
install -D xorg-x11-server.macros %{buildroot}%{_sysconfdir}/rpm/macros.xorg-server
%ifnarch s390 s390x
%if 0%{?suse_version} >= 1315
mkdir -p %{buildroot}%{_libdir}/xorg/modules/extensions/xorg
mv %{buildroot}%{_libdir}/xorg/modules/extensions/libglx.so \
%{buildroot}%{_libdir}/xorg/modules/extensions/xorg/xorg-libglx.so
ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/modules/extensions/libglx.so
%endif
%endif
%post
%ifnarch s390 s390x
%{fillup_only -an displaymanager}
# Move SaX2 generated xorg.conf file to xorg.conf.sle11
#
# Only in very rare cases a static X configuration is still
# required on sle12. And, in some cases the migration from a
# static sle11 X configuration to a static sle12 X configuration
# is not possible at all, e.g. some video and input drivers
# are no longer available on sle12. In short, trying to migrate
# will result in more harm than benefit.
if [ -f etc/X11/xorg.conf -a ! -f etc/X11/xorg.conf.sle11 ]; then
echo "xorg.conf exists and xorg.conf.sle11 does not"
if grep -q "SaX generated X11 config file" etc/X11/xorg.conf; then
echo "move SaX generated xorg.conf to xorg.conf.sle11"
mv etc/X11/xorg.conf{,.sle11}
# remove dangling link (bnc#879360, comment#15)
rm -f etc/X11/XF86Config
# prevent %postun of NVIDIA/fglrx driver packages from restoring xorg.conf
# backup or running sax2 as fallback to create a new xorg.conf (bcn#877315)
rm -f etc/X11/xorg.conf.nvidia-post \
etc/X11/xorg.conf.fglrx-post
chmod -x usr/sbin/sax2
fi
fi
%if 0%{?suse_version} >= 1315
%_sbindir/update-alternatives \
--force --install %{_libdir}/xorg/modules/extensions/libglx.so libglx.so %{_libdir}/xorg/modules/extensions/xorg/xorg-libglx.so 50
%endif
%endif
exit 0
%ifnarch s390 s390x
%if 0%{?suse_version} >= 1315
%postun
if [ "$1" = 0 ] ; then
"%_sbindir/update-alternatives" --remove libglx.so %{_libdir}/xorg/modules/extensions/xorg/xorg-libglx.so
fi
%endif
%endif
%files
%defattr(-,root,root)
%ifnarch s390 s390x
%if 0%{?suse_version} > 1120
%dir %{_sysconfdir}/X11/xorg.conf.d
%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-evdev.conf
%dir %{_datadir}/X11/xorg.conf.d
%{_datadir}/X11/xorg.conf.d/10-*.conf
%endif
%dir %{_localstatedir}/lib/X11
%endif
%dir %{_localstatedir}/lib/xkb
%dir %{_localstatedir}/lib/xkb/compiled
%dir %{_libdir}/xorg
%{_libdir}/xorg/protocol.txt
%{_mandir}/man1/*
%exclude %{_mandir}/man1/Xdmx.1*
%exclude %{_mandir}/man1/Xephyr.1*
%exclude %{_mandir}/man1/Xnest.1*
%{_localstatedir}/lib/xkb/compiled/README.compiled
%ifnarch s390 s390x
%{_bindir}/Xorg
%{_bindir}/X
%if 0%{?suse_version} > 1310
%{_bindir}/Xwayland
%endif
%{_bindir}/cvt
%{_bindir}/gtf
%{_libdir}/xorg/modules/
%{_mandir}/man4/*
%{_mandir}/man5/*
%{_localstatedir}/adm/fillup-templates/sysconfig.displaymanager-%{name}
%{_localstatedir}/lib/X11/X
%if 0%{?suse_version} >= 1315
%ghost %{_sysconfdir}/alternatives/libglx.so
%endif
%endif
%{_bindir}/Xvfb
%{_bindir}/xorg-backtrace
%files extra
%defattr(-,root,root)
%{_bindir}/Xephyr
%{_bindir}/Xnest
%{_bindir}/Xdmx
%{_bindir}/dmxaddinput
%{_bindir}/dmxaddscreen
%{_bindir}/dmxinfo
%{_bindir}/dmxreconfig
%{_bindir}/dmxresize
%{_bindir}/dmxrminput
%{_bindir}/dmxrmscreen
%{_bindir}/dmxtodmx
%{_bindir}/dmxwininfo
%{_bindir}/vdltodmx
%{_bindir}/xdmxconfig
%{_mandir}/man1/Xdmx.1*
%{_mandir}/man1/Xephyr.1*
%{_mandir}/man1/Xnest.1*
%files sdk
%defattr(-,root,root)
%{_includedir}/xorg/
%ifnarch s390 s390x
%{_libdir}/pkgconfig/*.pc
%{_datadir}/aclocal/*.m4
%endif
%{_sysconfdir}/rpm/macros.xorg-server
%changelog
++++++ N_default-module-path.diff ++++++
From: Stefan Dirsch
Add /usr/lib[64]/xorg/modules/updates to the module path.
Make sure this path is considered first.
Index: hw/xfree86/common/xf86Globals.c
===================================================================
--- hw/xfree86/common/xf86Globals.c.orig
+++ hw/xfree86/common/xf86Globals.c
@@ -135,7 +135,7 @@ xf86InfoRec xf86Info = {
const char *xf86ConfigFile = NULL;
const char *xf86ConfigDir = NULL;
-const char *xf86ModulePath = DEFAULT_MODULE_PATH;
+const char *xf86ModulePath = DEFAULT_MODULE_PATH "/updates," DEFAULT_MODULE_PATH;
MessageType xf86ModPathFrom = X_DEFAULT;
const char *xf86LogFile = DEFAULT_LOGDIR "/" DEFAULT_LOGPREFIX;
MessageType xf86LogFileFrom = X_DEFAULT;
++++++ N_driver-autoconfig.diff ++++++
From: Stefan Dirsch
Modify driver fallback list for automatic configuration
such that the proprietary ATI, NVIDIA and VIA drivers are
considered first.
Index: hw/xfree86/common/xf86pciBus.c
===================================================================
--- hw/xfree86/common/xf86pciBus.c.orig
+++ hw/xfree86/common/xf86pciBus.c
@@ -1107,7 +1107,8 @@ videoPtrToDriverList(struct pci_device *
driverList[0] = "ast";
break;
case 0x1002:
- driverList[0] = "ati";
+ driverList[0] = "fglrx";
+ driverList[1] = "ati";
break;
case 0x102c:
driverList[0] = "chips";
@@ -1139,6 +1141,13 @@ videoPtrToDriverList(struct pci_device *
driverList[0] = "neomagic";
break;
case 0x10de:
+ driverList[0] = "nvidia";
+ driverList[1] = "nouveau";
+ /* GeForce 6150SE support broken (bnc #465190/544674) */
+ if (dev->device_id != 0x03D0) {
+ driverList[2] = "nv";
+ }
+ break;
case 0x12d2:
{
int idx = 0;
@@ -1150,7 +1159,8 @@ videoPtrToDriverList(struct pci_device *
break;
}
case 0x1106:
- driverList[0] = "openchrome";
+ driverList[0] = "via";
+ driverList[1] = "openchrome";
break;
case 0x1b36:
driverList[0] = "qxl";
++++++ N_fix-dpi-values.diff ++++++
From: Egbert Eich
Fix calculation of DPI using mode data if present.
Index: hw/xfree86/common/xf86Helper.c
===================================================================
--- hw/xfree86/common/xf86Helper.c.orig
+++ hw/xfree86/common/xf86Helper.c
@@ -922,12 +922,22 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int
else if (pScrn->widthmm > 0 || pScrn->heightmm > 0) {
from = X_CONFIG;
if (pScrn->widthmm > 0) {
- pScrn->xDpi =
- (int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm);
+ if (pScrn->modes && pScrn->modes->HDisplay > 0) {
+ pScrn->xDpi =
+ (int)((double) pScrn->modes->HDisplay * MMPERINCH / pScrn->widthmm);
+ } else {
+ pScrn->xDpi =
+ (int)((double)pScrn->virtualX * MMPERINCH / pScrn->widthmm);
+ }
}
if (pScrn->heightmm > 0) {
- pScrn->yDpi =
- (int) ((double) pScrn->virtualY * MMPERINCH / pScrn->heightmm);
+ if (pScrn->modes && pScrn->modes->VDisplay > 0) {
+ pScrn->yDpi =
+ (int)((double)pScrn->modes->VDisplay * MMPERINCH / pScrn->heightmm);
+ } else {
+ pScrn->yDpi =
+ (int)((double)pScrn->virtualY * MMPERINCH / pScrn->heightmm);
+ }
}
if (pScrn->xDpi > 0 && pScrn->yDpi <= 0)
pScrn->yDpi = pScrn->xDpi;
@@ -966,12 +976,22 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int
pScrn->widthmm = ddcWidthmm;
pScrn->heightmm = ddcHeightmm;
if (pScrn->widthmm > 0) {
- pScrn->xDpi =
- (int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm);
+ if (pScrn->modes && pScrn->modes->HDisplay > 0) {
+ pScrn->xDpi =
+ (int)((double) pScrn->modes->HDisplay * MMPERINCH / pScrn->widthmm);
+ } else {
+ pScrn->xDpi =
+ (int)((double)pScrn->virtualX * MMPERINCH / pScrn->widthmm);
+ }
}
if (pScrn->heightmm > 0) {
- pScrn->yDpi =
- (int) ((double) pScrn->virtualY * MMPERINCH / pScrn->heightmm);
+ if (pScrn->modes && pScrn->modes->VDisplay > 0) {
+ pScrn->yDpi =
+ (int)((double)pScrn->modes->VDisplay * MMPERINCH / pScrn->heightmm);
+ } else {
+ pScrn->yDpi =
+ (int)((double)pScrn->virtualY * MMPERINCH / pScrn->heightmm);
+ }
}
if (pScrn->xDpi > 0 && pScrn->yDpi <= 0)
pScrn->yDpi = pScrn->xDpi;
++++++ N_fix_fglrx_screendepth_issue.patch ++++++
From: Stefan Dirsch
Set DefaultDepth for implicite screen section when using FGLRX driver
The binary only AMD FGLRX driver doesn't set the default depth in the
driver. Do it for it in the server.
Index: hw/xfree86/common/xf86AutoConfig.c
===================================================================
--- hw/xfree86/common/xf86AutoConfig.c.orig
+++ hw/xfree86/common/xf86AutoConfig.c
@@ -75,6 +75,13 @@
"\tDevice\t" BUILTIN_DEVICE_NAME "\n" \
"EndSection\n\n"
+#define BUILTIN_SCREEN_SECTION_FOR_FGLRX \
+ "Section \"Screen\"\n" \
+ "\tIdentifier\t" BUILTIN_SCREEN_NAME "\n" \
+ "\tDevice\t" BUILTIN_DEVICE_NAME "\n" \
+ "\tDefaultDepth\t24\n" \
+ "EndSection\n\n"
+
#define BUILTIN_LAYOUT_SECTION_PRE \
"Section \"ServerLayout\"\n" \
"\tIdentifier\t\"Builtin Default Layout\"\n"
@@ -153,7 +160,10 @@ xf86AutoConfig(void)
for (p = deviceList; *p; p++) {
snprintf(buf, sizeof(buf), BUILTIN_DEVICE_SECTION, *p, 0, *p);
AppendToConfig(buf);
- snprintf(buf, sizeof(buf), BUILTIN_SCREEN_SECTION, *p, 0, *p, 0);
+ if( strcmp(*p, "fglrx") == 0 )
+ snprintf(buf, sizeof(buf), BUILTIN_SCREEN_SECTION_FOR_FGLRX, *p, 0, *p, 0);
+ else
+ snprintf(buf, sizeof(buf), BUILTIN_SCREEN_SECTION, *p, 0, *p, 0);
AppendToConfig(buf);
}
++++++ N_xorg-x11-server-rpmmacros.patch ++++++
From: dimstar@opensuse.org
Provide RPM macros to require correct ABI Versions.
Index: xorg-server-1.12.1/configure.ac
===================================================================
--- xorg-server-1.12.1.orig/configure.ac
+++ xorg-server-1.12.1/configure.ac
@@ -2232,5 +2232,6 @@ test/Makefile
test/xi2/Makefile
xserver.ent
xorg-server.pc
+xorg-x11-server.macros
])
AC_OUTPUT
++++++ N_zap_warning_xserver.diff ++++++
From: Luc Verhaegen
Handle 'Zap' - Ctrl-Alt-Backspace more gracefully
To avoid accidental zapping of the Xserver warn after
the first ctrl-alt-backspace by emitting a beep. Only
Zap the server if a second ctrl-alt-backspace is sent
within 2 seconds.
This can be enabled with a new option flag "ZapWarning"
Index: xorg-server-1.12.1/hw/xfree86/common/xf86Config.c
===================================================================
--- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Config.c
+++ xorg-server-1.12.1/hw/xfree86/common/xf86Config.c
@@ -680,6 +680,7 @@ typedef enum {
FLAG_NOTRAPSIGNALS,
FLAG_DONTVTSWITCH,
FLAG_DONTZAP,
+ FLAG_ZAPWARNING,
FLAG_DONTZOOM,
FLAG_DISABLEVIDMODE,
FLAG_ALLOWNONLOCAL,
@@ -717,6 +718,8 @@ static OptionInfoRec FlagOptions[] = {
{0}, FALSE},
{FLAG_DONTZAP, "DontZap", OPTV_BOOLEAN,
{0}, FALSE},
+ { FLAG_ZAPWARNING, "ZapWarning", OPTV_BOOLEAN,
+ {0}, FALSE },
{FLAG_DONTZOOM, "DontZoom", OPTV_BOOLEAN,
{0}, FALSE},
{FLAG_DISABLEVIDMODE, "DisableVidModeExtension", OPTV_BOOLEAN,
@@ -805,6 +805,7 @@ configServerFlags(XF86ConfFlagsPtr flags
xf86GetOptValBool(FlagOptions, FLAG_NOTRAPSIGNALS, &xf86Info.notrapSignals);
xf86GetOptValBool(FlagOptions, FLAG_DONTVTSWITCH, &xf86Info.dontVTSwitch);
xf86GetOptValBool(FlagOptions, FLAG_DONTZAP, &xf86Info.dontZap);
+ xf86GetOptValBool(FlagOptions, FLAG_ZAPWARNING, &xf86Info.ZapWarning);
xf86GetOptValBool(FlagOptions, FLAG_DONTZOOM, &xf86Info.dontZoom);
xf86GetOptValBool(FlagOptions, FLAG_IGNORE_ABI, &xf86Info.ignoreABI);
Index: xorg-server-1.12.1/hw/xfree86/common/xf86Events.c
===================================================================
--- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Events.c
+++ xorg-server-1.12.1/hw/xfree86/common/xf86Events.c
@@ -182,13 +182,25 @@ xf86ProcessActionEvent(ActionEvent actio
DebugF("ProcessActionEvent(%d,%x)\n", (int) action, arg);
switch (action) {
case ACTION_TERMINATE:
- if (!xf86Info.dontZap) {
- xf86Msg(X_INFO, "Server zapped. Shutting down.\n");
+ if (xf86Info.dontZap)
+ break;
+
+ if (xf86Info.ZapWarning) {
+ static struct timeval LastZap = { 0, 0};
+ struct timeval NewZap;
+
+ gettimeofday(&NewZap, NULL);
+
+ if ((NewZap.tv_sec - LastZap.tv_sec) >= 2) {
+ xf86OSRingBell(30, 1000, 50);
+ LastZap = NewZap;
+ break;
+ }
+ }
#ifdef XFreeXDGA
- DGAShutdown();
+ DGAShutdown();
#endif
- GiveUp(0);
- }
+ GiveUp(0);
break;
case ACTION_NEXT_MODE:
if (!xf86Info.dontZoom)
Index: xorg-server-1.12.1/hw/xfree86/common/xf86Globals.c
===================================================================
--- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Globals.c
+++ xorg-server-1.12.1/hw/xfree86/common/xf86Globals.c
@@ -108,6 +108,7 @@ xf86InfoRec xf86Info = {
.autoVTSwitch = TRUE,
.ShareVTs = FALSE,
.dontZap = FALSE,
+ .ZapWarning = TRUE,
.dontZoom = FALSE,
.notrapSignals = FALSE,
.caughtSignal = FALSE,
Index: xorg-server-1.12.1/hw/xfree86/common/xf86Privstr.h
===================================================================
--- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Privstr.h
+++ xorg-server-1.12.1/hw/xfree86/common/xf86Privstr.h
@@ -70,6 +70,7 @@ typedef struct {
Bool autoVTSwitch;
Bool ShareVTs;
Bool dontZap;
+ Bool ZapWarning;
Bool dontZoom;
Bool notrapSignals; /* don't exit cleanly - die at fault */
Bool caughtSignal;
++++++ README.updates ++++++
Xserver module update mechanism
-------------------------------
If any corresponding Xserver module is found below
"/usr/lib/xorg/modules/updates/" ("/usr/lib64/xorg/modules/updates/"
on biarch 32/64 bit platforms) it will be favored over the one in
"/usr/lib/xorg/modules/" ("/usr/lib64/xorg/modules/" on biarch 32/64
bit platforms).
++++++ U_BellProc-Send-bell-event-on-core-protocol-bell-when-requested.patch ++++++
From: Egbert Eich
Date: Mon Aug 4 19:16:30 2014 +0200
Subject: [PATCH] BellProc: Send bell event on core protocol bell when requested
Patch-mainline: Upstream
Git-commit: e6c8c7e46c79b2837a7d0b12079a47734eff1eb7
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
References: bnc#890323
Signed-off-by: Egbert Eich
XKB allows to override the BellProc() ringing the 'keyboard bell':
instead an event is sent to an X client which can perform an
appropriate action.
In most cases this effectively prevents the core protocol bell
from ringing: if no BellProc() is set for the device, no attempt
is made to ring a bell.
This patch ensures that an XKB bell event is sent also when
the core protocol bell is rung end thus an appropriate action
can be taken by a client.
Signed-off-by: Egbert Eich
Acked-by: Peter Hutterer
Signed-off-by: Keith Packard
---
dix/devices.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/devices.c b/dix/devices.c
index 7f079ff..5d26fae 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2257,7 +2257,7 @@ ProcBell(ClientPtr client)
for (dev = inputInfo.devices; dev; dev = dev->next) {
if ((dev == keybd ||
(!IsMaster(dev) && GetMaster(dev, MASTER_KEYBOARD) == keybd)) &&
- dev->kbdfeed && dev->kbdfeed->BellProc) {
+ ((dev->kbdfeed && dev->kbdfeed->BellProc) || dev->xkb_interest)) {
rc = XaceHook(XACE_DEVICE_ACCESS, client, dev, DixBellAccess);
if (rc != Success)
++++++ U_Xephyr-Fix-screen-image-draw-for-the-non-Glamor-non-XHSM-case.patch ++++++
From: Egbert Eich
Date: Tue Mar 31 09:14:28 2015 +0200
Subject: [PATCH]Xephyr: Fix screen image draw for the non-Glamor & non-XHSM case
Patch-mainline: xorg-server-1.17.2
Git-commit: f775f247731d368c76d9bda3672fbdda7ba21223
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
References: bsc#925019
Signed-off-by: Egbert Eich
xcb_image_put() prints the entire image, therefore don't use an offset.
Signed-off-by: Egbert Eich
Reviewed-by: Keith Packard
Signed-off-by: Keith Packard
(cherry picked from commit c65eda5e6676d942e80eaf2650a670174c8bd84a)
---
hw/kdrive/ephyr/hostx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
index 992930d..2279315 100644
--- a/hw/kdrive/ephyr/hostx.c
+++ b/hw/kdrive/ephyr/hostx.c
@@ -1035,7 +1035,7 @@ hostx_paint_rect(KdScreenInfo *screen,
}
else {
xcb_image_put(HostX.conn, scrpriv->win, HostX.gc, scrpriv->ximg,
- dx, dy, 0);
+ 0, 0, 0);
}
xcb_aux_sync(HostX.conn);
++++++ U_Xi_unvalidated_lengths_in_Xinput_extension.patch ++++++
Subject: Xi: unvalidated lengths in Xinput extension
References: bnc#907268, CVE-2014-8095
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
Xi/chgdctl.c | 8 ++++++--
Xi/chgfctl.c | 2 ++
Xi/sendexev.c | 3 +++
Xi/xiallowev.c | 2 ++
Xi/xichangecursor.c | 2 +-
Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++---
Xi/xigetclientpointer.c | 1 +
Xi/xigrabdev.c | 9 ++++++++-
Xi/xipassivegrab.c | 12 ++++++++++--
Xi/xiproperty.c | 14 ++++++--------
Xi/xiquerydevice.c | 1 +
Xi/xiquerypointer.c | 2 ++
Xi/xiselectev.c | 8 ++++++++
Xi/xisetclientpointer.c | 3 ++-
Xi/xisetdevfocus.c | 4 ++++
Xi/xiwarppointer.c | 2 ++
include/dix.h | 4 ++++
17 files changed, 94 insertions(+), 18 deletions(-)
diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c
index d078aa2..b3ee867 100644
--- a/Xi/chgdctl.c
+++ b/Xi/chgdctl.c
@@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client)
REQUEST(xChangeDeviceControlReq);
swaps(&stuff->length);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
swaps(&stuff->control);
ctl = (xDeviceCtl *) &stuff[1];
swaps(&ctl->control);
@@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client)
xDeviceEnableCtl *e;
REQUEST(xChangeDeviceControlReq);
- REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq);
+ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl));
len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq));
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess);
@@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client)
break;
case DEVICE_ENABLE:
e = (xDeviceEnableCtl *) &stuff[1];
+ if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) {
+ ret = BadLength;
+ goto out;
+ }
if (IsXTestDevice(dev, NULL))
status = !Success;
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 6dcf60c..224c2ba 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client)
xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
swaps(&f->num_keysyms);
}
if (len !=
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index 3c21386..183f88d 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
if (ret != Success)
return ret;
+ if (stuff->num_events == 0)
+ return ret;
+
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);
diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c
index ebef233..ca263ef 100644
--- a/Xi/xiallowev.c
+++ b/Xi/xiallowev.c
@@ -48,6 +48,7 @@ int
SProcXIAllowEvents(ClientPtr client)
{
REQUEST(xXIAllowEventsReq);
+ REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client)
if (stuff->length > 3) {
xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff;
+ REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq);
swapl(&req_xi22->touchid);
swapl(&req_xi22->grab_window);
}
diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c
index 7a1bb7a..8e6255b 100644
--- a/Xi/xichangecursor.c
+++ b/Xi/xichangecursor.c
@@ -57,11 +57,11 @@ int
SProcXIChangeCursor(ClientPtr client)
{
REQUEST(xXIChangeCursorReq);
+ REQUEST_SIZE_MATCH(xXIChangeCursorReq);
swaps(&stuff->length);
swapl(&stuff->win);
swapl(&stuff->cursor);
swaps(&stuff->deviceid);
- REQUEST_SIZE_MATCH(xXIChangeCursorReq);
return (ProcXIChangeCursor(client));
}
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index 9e36354..2732445 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -411,7 +411,7 @@ int
ProcXIChangeHierarchy(ClientPtr client)
{
xXIAnyHierarchyChangeInfo *any;
- int required_len = sizeof(xXIChangeHierarchyReq);
+ size_t len; /* length of data remaining in request */
int rc = Success;
int flags[MAXDEVICES] = { 0 };
@@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client)
if (!stuff->num_changes)
return rc;
+ if (stuff->length > (INT_MAX >> 2))
+ return BadAlloc;
+ len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo);
+
any = (xXIAnyHierarchyChangeInfo *) &stuff[1];
while (stuff->num_changes--) {
+ if (len < sizeof(xXIAnyHierarchyChangeInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
+
SWAPIF(swaps(&any->type));
SWAPIF(swaps(&any->length));
- required_len += any->length;
- if ((stuff->length * 4) < required_len)
+ if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2)))
return BadLength;
+#define CHANGE_SIZE_MATCH(type) \
+ do { \
+ if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \
+ rc = BadLength; \
+ goto unwind; \
+ } \
+ } while(0)
+
switch (any->type) {
case XIAddMaster:
{
xXIAddMasterInfo *c = (xXIAddMasterInfo *) any;
+ /* Variable length, due to appended name string */
+ if (len < sizeof(xXIAddMasterInfo)) {
+ rc = BadLength;
+ goto unwind;
+ }
SWAPIF(swaps(&c->name_len));
+ if (c->name_len > (len - sizeof(xXIAddMasterInfo))) {
+ rc = BadLength;
+ goto unwind;
+ }
rc = add_master(client, c, flags);
if (rc != Success)
@@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+ CHANGE_SIZE_MATCH(xXIRemoveMasterInfo);
rc = remove_master(client, r, flags);
if (rc != Success)
goto unwind;
@@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+ CHANGE_SIZE_MATCH(xXIDetachSlaveInfo);
rc = detach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client)
{
xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+ CHANGE_SIZE_MATCH(xXIAttachSlaveInfo);
rc = attach_slave(client, c, flags);
if (rc != Success)
goto unwind;
@@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client)
break;
}
+ len -= any->length * 4;
any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
}
diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c
index 3c90d58..306dd39 100644
--- a/Xi/xigetclientpointer.c
+++ b/Xi/xigetclientpointer.c
@@ -50,6 +50,7 @@ int
SProcXIGetClientPointer(ClientPtr client)
{
REQUEST(xXIGetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXIGetClientPointerReq);
swaps(&stuff->length);
swapl(&stuff->win);
diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c
index 63d95bc..e2a2ae3 100644
--- a/Xi/xigrabdev.c
+++ b/Xi/xigrabdev.c
@@ -47,6 +47,11 @@ int
SProcXIGrabDevice(ClientPtr client)
{
REQUEST(xXIGrabDeviceReq);
+ /*
+ * Check here for at least the length of the struct we swap, then
+ * let ProcXIGrabDevice check the full size after we swap mask_len.
+ */
+ REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client)
unsigned int pointer_mode;
REQUEST(xXIGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
if (ret != Success)
@@ -131,6 +136,7 @@ int
SProcXIUngrabDevice(ClientPtr client)
{
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client)
TimeStamp time;
REQUEST(xXIUngrabDeviceReq);
+ REQUEST_SIZE_MATCH(xXIUngrabDeviceReq);
ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess);
if (ret != Success)
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index 700622d..9241ffd 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client)
uint32_t *mods;
REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client)
swaps(&stuff->mask_len);
swaps(&stuff->num_modifiers);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4);
mods = (uint32_t *) &stuff[1] + stuff->mask_len;
for (i = 0; i < stuff->num_modifiers; i++, mods++) {
@@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client)
int mask_len;
REQUEST(xXIPassiveGrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+ ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
@@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
uint32_t *modifiers;
REQUEST(xXIPassiveUngrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
swaps(&stuff->length);
swapl(&stuff->grab_window);
@@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client)
swapl(&stuff->detail);
swaps(&stuff->num_modifiers);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
modifiers = (uint32_t *) &stuff[1];
for (i = 0; i < stuff->num_modifiers; i++, modifiers++)
@@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
int i, rc;
REQUEST(xXIPassiveUngrabDeviceReq);
- REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq,
+ ((uint32_t) stuff->num_modifiers) << 2);
if (stuff->deviceid == XIAllDevices)
dev = inputInfo.all_devices;
diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
index 463607d..8e8e4b0 100644
--- a/Xi/xiproperty.c
+++ b/Xi/xiproperty.c
@@ -1013,10 +1013,9 @@ int
SProcXListDeviceProperties(ClientPtr client)
{
REQUEST(xListDevicePropertiesReq);
+ REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
swaps(&stuff->length);
-
- REQUEST_SIZE_MATCH(xListDevicePropertiesReq);
return (ProcXListDeviceProperties(client));
}
@@ -1037,10 +1036,10 @@ int
SProcXDeleteDeviceProperty(ClientPtr client)
{
REQUEST(xDeleteDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
swaps(&stuff->length);
swapl(&stuff->property);
- REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq);
return (ProcXDeleteDeviceProperty(client));
}
@@ -1048,13 +1047,13 @@ int
SProcXGetDeviceProperty(ClientPtr client)
{
REQUEST(xGetDevicePropertyReq);
+ REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
swaps(&stuff->length);
swapl(&stuff->property);
swapl(&stuff->type);
swapl(&stuff->longOffset);
swapl(&stuff->longLength);
- REQUEST_SIZE_MATCH(xGetDevicePropertyReq);
return (ProcXGetDeviceProperty(client));
}
@@ -1253,11 +1252,10 @@ int
SProcXIListProperties(ClientPtr client)
{
REQUEST(xXIListPropertiesReq);
+ REQUEST_SIZE_MATCH(xXIListPropertiesReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
-
- REQUEST_SIZE_MATCH(xXIListPropertiesReq);
return (ProcXIListProperties(client));
}
@@ -1279,11 +1277,11 @@ int
SProcXIDeleteProperty(ClientPtr client)
{
REQUEST(xXIDeletePropertyReq);
+ REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->property);
- REQUEST_SIZE_MATCH(xXIDeletePropertyReq);
return (ProcXIDeleteProperty(client));
}
@@ -1291,6 +1289,7 @@ int
SProcXIGetProperty(ClientPtr client)
{
REQUEST(xXIGetPropertyReq);
+ REQUEST_SIZE_MATCH(xXIGetPropertyReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
@@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client)
swapl(&stuff->type);
swapl(&stuff->offset);
swapl(&stuff->len);
- REQUEST_SIZE_MATCH(xXIGetPropertyReq);
return (ProcXIGetProperty(client));
}
diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c
index 4e544f0..67a9a4f 100644
--- a/Xi/xiquerydevice.c
+++ b/Xi/xiquerydevice.c
@@ -54,6 +54,7 @@ int
SProcXIQueryDevice(ClientPtr client)
{
REQUEST(xXIQueryDeviceReq);
+ REQUEST_SIZE_MATCH(xXIQueryDeviceReq);
swaps(&stuff->length);
swaps(&stuff->deviceid);
diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
index e9bdd42..7ec0c85 100644
--- a/Xi/xiquerypointer.c
+++ b/Xi/xiquerypointer.c
@@ -63,6 +63,8 @@ int
SProcXIQueryPointer(ClientPtr client)
{
REQUEST(xXIQueryPointerReq);
+ REQUEST_SIZE_MATCH(xXIQueryPointerReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->win);
diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
index 45a996e..168579f 100644
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@@ -114,6 +114,7 @@ int
SProcXISelectEvents(ClientPtr client)
{
int i;
+ int len;
xXIEventMask *evmask;
REQUEST(xXISelectEventsReq);
@@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client)
swapl(&stuff->win);
swaps(&stuff->num_masks);
+ len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq));
evmask = (xXIEventMask *) &stuff[1];
for (i = 0; i < stuff->num_masks; i++) {
+ if (len < bytes_to_int32(sizeof(xXIEventMask)))
+ return BadLength;
+ len -= bytes_to_int32(sizeof(xXIEventMask));
swaps(&evmask->deviceid);
swaps(&evmask->mask_len);
+ if (len < evmask->mask_len)
+ return BadLength;
+ len -= evmask->mask_len;
evmask =
(xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4);
}
diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c
index 38ff51e..24d4a53 100644
--- a/Xi/xisetclientpointer.c
+++ b/Xi/xisetclientpointer.c
@@ -51,10 +51,11 @@ int
SProcXISetClientPointer(ClientPtr client)
{
REQUEST(xXISetClientPointerReq);
+ REQUEST_SIZE_MATCH(xXISetClientPointerReq);
+
swaps(&stuff->length);
swapl(&stuff->win);
swaps(&stuff->deviceid);
- REQUEST_SIZE_MATCH(xXISetClientPointerReq);
return (ProcXISetClientPointer(client));
}
diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c
index 372ec24..96a9a16 100644
--- a/Xi/xisetdevfocus.c
+++ b/Xi/xisetdevfocus.c
@@ -44,6 +44,8 @@ int
SProcXISetFocus(ClientPtr client)
{
REQUEST(xXISetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXISetFocusReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
swapl(&stuff->focus);
@@ -56,6 +58,8 @@ int
SProcXIGetFocus(ClientPtr client)
{
REQUEST(xXIGetFocusReq);
+ REQUEST_AT_LEAST_SIZE(xXIGetFocusReq);
+
swaps(&stuff->length);
swaps(&stuff->deviceid);
diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c
index 3f051f7..780758a 100644
--- a/Xi/xiwarppointer.c
+++ b/Xi/xiwarppointer.c
@@ -56,6 +56,8 @@ int
SProcXIWarpPointer(ClientPtr client)
{
REQUEST(xXIWarpPointerReq);
+ REQUEST_SIZE_MATCH(xXIWarpPointerReq);
+
swaps(&stuff->length);
swapl(&stuff->src_win);
swapl(&stuff->dst_win);
diff --git a/include/dix.h b/include/dix.h
index e0c6ed8..21176a8 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -74,6 +74,10 @@ SOFTWARE.
if ((sizeof(req) >> 2) > client->req_len )\
return(BadLength)
+#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \
+ if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \
+ return(BadLength)
+
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
((n >> 2) >= client->req_len) || \
--
1.7.9.2
++++++ U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch ++++++
Subject: Xv: unvalidated lengths in XVideo extension swapped procs
References: bnc#907268, CVE-2014-8099
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
Xext/xvdisp.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 86f982a..c2d0fc9 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1121,6 +1121,7 @@ static int
SProcXvQueryExtension(ClientPtr client)
{
REQUEST(xvQueryExtensionReq);
+ REQUEST_SIZE_MATCH(xvQueryExtensionReq);
swaps(&stuff->length);
return XvProcVector[xv_QueryExtension] (client);
}
@@ -1129,6 +1130,7 @@ static int
SProcXvQueryAdaptors(ClientPtr client)
{
REQUEST(xvQueryAdaptorsReq);
+ REQUEST_SIZE_MATCH(xvQueryAdaptorsReq);
swaps(&stuff->length);
swapl(&stuff->window);
return XvProcVector[xv_QueryAdaptors] (client);
@@ -1138,6 +1140,7 @@ static int
SProcXvQueryEncodings(ClientPtr client)
{
REQUEST(xvQueryEncodingsReq);
+ REQUEST_SIZE_MATCH(xvQueryEncodingsReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_QueryEncodings] (client);
@@ -1147,6 +1150,7 @@ static int
SProcXvGrabPort(ClientPtr client)
{
REQUEST(xvGrabPortReq);
+ REQUEST_SIZE_MATCH(xvGrabPortReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->time);
@@ -1157,6 +1161,7 @@ static int
SProcXvUngrabPort(ClientPtr client)
{
REQUEST(xvUngrabPortReq);
+ REQUEST_SIZE_MATCH(xvUngrabPortReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->time);
@@ -1167,6 +1172,7 @@ static int
SProcXvPutVideo(ClientPtr client)
{
REQUEST(xvPutVideoReq);
+ REQUEST_SIZE_MATCH(xvPutVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1186,6 +1192,7 @@ static int
SProcXvPutStill(ClientPtr client)
{
REQUEST(xvPutStillReq);
+ REQUEST_SIZE_MATCH(xvPutStillReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1205,6 +1212,7 @@ static int
SProcXvGetVideo(ClientPtr client)
{
REQUEST(xvGetVideoReq);
+ REQUEST_SIZE_MATCH(xvGetVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1224,6 +1232,7 @@ static int
SProcXvGetStill(ClientPtr client)
{
REQUEST(xvGetStillReq);
+ REQUEST_SIZE_MATCH(xvGetStillReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1243,6 +1252,7 @@ static int
SProcXvPutImage(ClientPtr client)
{
REQUEST(xvPutImageReq);
+ REQUEST_AT_LEAST_SIZE(xvPutImageReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1266,6 +1276,7 @@ static int
SProcXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1293,6 +1304,7 @@ static int
SProcXvSelectVideoNotify(ClientPtr client)
{
REQUEST(xvSelectVideoNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
return XvProcVector[xv_SelectVideoNotify] (client);
@@ -1302,6 +1314,7 @@ static int
SProcXvSelectPortNotify(ClientPtr client)
{
REQUEST(xvSelectPortNotifyReq);
+ REQUEST_SIZE_MATCH(xvSelectPortNotifyReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_SelectPortNotify] (client);
@@ -1311,6 +1324,7 @@ static int
SProcXvStopVideo(ClientPtr client)
{
REQUEST(xvStopVideoReq);
+ REQUEST_SIZE_MATCH(xvStopVideoReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->drawable);
@@ -1321,6 +1335,7 @@ static int
SProcXvSetPortAttribute(ClientPtr client)
{
REQUEST(xvSetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvSetPortAttributeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->attribute);
@@ -1332,6 +1347,7 @@ static int
SProcXvGetPortAttribute(ClientPtr client)
{
REQUEST(xvGetPortAttributeReq);
+ REQUEST_SIZE_MATCH(xvGetPortAttributeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->attribute);
@@ -1342,6 +1358,7 @@ static int
SProcXvQueryBestSize(ClientPtr client)
{
REQUEST(xvQueryBestSizeReq);
+ REQUEST_SIZE_MATCH(xvQueryBestSizeReq);
swaps(&stuff->length);
swapl(&stuff->port);
swaps(&stuff->vid_w);
@@ -1355,6 +1372,7 @@ static int
SProcXvQueryPortAttributes(ClientPtr client)
{
REQUEST(xvQueryPortAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryPortAttributesReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_QueryPortAttributes] (client);
@@ -1364,6 +1382,7 @@ static int
SProcXvQueryImageAttributes(ClientPtr client)
{
REQUEST(xvQueryImageAttributesReq);
+ REQUEST_SIZE_MATCH(xvQueryImageAttributesReq);
swaps(&stuff->length);
swapl(&stuff->port);
swapl(&stuff->id);
@@ -1376,6 +1395,7 @@ static int
SProcXvListImageFormats(ClientPtr client)
{
REQUEST(xvListImageFormatsReq);
+ REQUEST_SIZE_MATCH(xvListImageFormatsReq);
swaps(&stuff->length);
swapl(&stuff->port);
return XvProcVector[xv_ListImageFormats] (client);
--
1.7.9.2
++++++ U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch ++++++
Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned int
References: bnc#907268, CVE-2014-8097
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.
At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.
Signed-off-by: Keith Packard
Signed-off-by: Alan Coopersmith
---
dbe/dbe.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/dbe/dbe.c b/dbe/dbe.c
index df2ad5c..e5d928d 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
int error;
unsigned int i, j;
unsigned int nStuff;
+ int nStuff_i; /* DDX API requires int for nStuff */
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
* could deal with cross-screen synchronization.
*/
- while (nStuff > 0) {
+ nStuff_i = nStuff;
+ while (nStuff_i > 0) {
pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
if (error != Success) {
free(swapInfo);
return error;
--
1.8.4.5
++++++ U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch ++++++
Subject: dbe: unvalidated lengths in DbeSwapBuffers calls
References: bnc#907268, CVE-2014-8097
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
dbe/dbe.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 527588c..df2ad5c 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
if (nStuff == 0) {
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return Success;
}
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
@@ -914,13 +916,16 @@ static int
SProcDbeSwapBuffers(ClientPtr client)
{
REQUEST(xDbeSwapBuffersReq);
- register int i;
+ unsigned int i;
xDbeSwapInfo *pSwapInfo;
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
pSwapInfo = (xDbeSwapInfo *) stuff + 1;
--
1.7.9.2
++++++ U_dix-Allow-zero-height-PutImage-requests.patch ++++++
From: Keith Packard
Date: Sat Jan 3 08:46:45 2015 -0800
Subject: [PATCH]dix: Allow zero-height PutImage requests
Patch-mainline: Upstream
Git-commit: dc777c346d5d452a53b13b917c45f6a1bad2f20b
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
References: bnc#928513
Signed-off-by: Egbert Eich
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
---
dix/dispatch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 55b978d..9044ac7 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
- if (lengthProto >= (INT32_MAX / stuff->height))
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
return BadLength;
if ((bytes_to_int32(lengthProto * stuff->height) +
++++++ U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch ++++++
Subject: dix: GetHosts bounds check using wrong pointer value
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
GetHosts saves the pointer to allocated memory in *data, and then
wants to bounds-check writes to that region, but was mistakenly using
a bare 'data' instead of '*data'. Also, data is declared as void **,
so we need a cast to turn it into a byte pointer so we can actually do
pointer comparisons.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
os/access.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/os/access.c b/os/access.c
index f393c8d..28f2d32 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
- if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
--
1.8.4.5
++++++ U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch ++++++
Subject: Missing parens in REQUEST_FIXED_SIZE macro
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
The 'n' parameter must be surrounded by parens in both places to
prevent precedence from mis-computing things.
Signed-off-by: Keith Packard
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
include/dix.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/dix.h b/include/dix.h
index 21176a8..921156b 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -80,7 +80,7 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- ((n >> 2) >= client->req_len) || \
+ (((n) >> 2) >= client->req_len) || \
((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
--
1.8.4.5
++++++ U_dix_integer_overflow_in_GetHosts.patch ++++++
Subject: dix: integer overflow in GetHosts()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
os/access.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/os/access.c b/os/access.c
index 5c510de..f393c8d 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
for (host = validhosts; host; host = host->next) {
nHosts++;
n += pad_to_int32(host->len) + sizeof(xHostEntry);
+ /* Could check for INT_MAX, but in reality having more than 1mb of
+ hostnames in the access list is ridiculous */
+ if (n >= 1048576)
+ break;
}
if (n) {
*data = ptr = malloc(n);
@@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
}
for (host = validhosts; host; host = host->next) {
len = host->len;
+ if ((ptr + sizeof(xHostEntry) + len) > (data + n))
+ break;
((xHostEntry *) ptr)->family = host->family;
((xHostEntry *) ptr)->length = len;
ptr += sizeof(xHostEntry);
--
1.7.9.2
++++++ U_dix_integer_overflow_in_ProcPutImage.patch ++++++
Subject: dix: integer overflow in ProcPutImage()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
dix/dispatch.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/dix/dispatch.c b/dix/dispatch.c
index d844a09..55b978d 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if ((bytes_to_int32(lengthProto * stuff->height) +
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
return BadLength;
--
1.7.9.2
++++++ U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch ++++++
Subject: dix: integer overflow in REQUEST_FIXED_SIZE()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
include/dix.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/dix.h b/include/dix.h
index 991a3ce..e0c6ed8 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -76,7 +76,8 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
--
1.7.9.2
++++++ U_dix_integer_overflow_in_RegionSizeof.patch ++++++
Subject: dix: integer overflow in RegionSizeof()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Reviewed-by: Julien Cristau
---
dix/region.c | 20 +++++++++++++-------
include/regionstr.h | 10 +++++++---
2 files changed, 20 insertions(+), 10 deletions(-)
Index: xorg-server-1.15.2/dix/region.c
===================================================================
--- xorg-server-1.15.2.orig/dix/region.c
+++ xorg-server-1.15.2/dix/region.c
@@ -169,7 +169,6 @@ Equipment Corporation.
((r1)->y1 <= (r2)->y1) && \
((r1)->y2 >= (r2)->y2) )
-#define xallocData(n) malloc(RegionSizeof(n))
#define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
#define RECTALLOC_BAIL(pReg,n,bail) \
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num
#define DOWNSIZE(reg,numRects) \
if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
{ \
- RegDataPtr NewData; \
- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
+ size_t NewSize = RegionSizeof(numRects); \
+ RegDataPtr NewData = \
+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
if (NewData) \
{ \
NewData->size = (numRects); \
@@ -345,17 +345,20 @@ Bool
RegionRectAlloc(RegionPtr pRgn, int n)
{
RegDataPtr data;
+ size_t rgnSize;
if (!pRgn->data) {
n++;
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak(pRgn);
pRgn->data->numRects = 1;
*RegionBoxptr(pRgn) = pRgn->extents;
}
else if (!pRgn->data->size) {
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pRgn->data)
return RegionBreak(pRgn);
pRgn->data->numRects = 0;
@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
n = 250;
}
n += pRgn->data->numRects;
- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+ rgnSize = RegionSizeof(n);
+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
if (!data)
return RegionBreak(pRgn);
pRgn->data = data;
@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *
{
RegionPtr pRgn;
+ size_t rgnSize;
RegDataPtr pData;
BoxPtr pBox;
int i;
@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *
}
return pRgn;
}
- pData = xallocData(nrects);
+ rgnSize = RegionSizeof(nrects);
+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
if (!pData) {
RegionBreak(pRgn);
return pRgn;
Index: xorg-server-1.15.2/include/regionstr.h
===================================================================
--- xorg-server-1.15.2.orig/include/regionstr.h
+++ xorg-server-1.15.2/include/regionstr.h
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
static inline size_t
RegionSizeof(int n)
{
- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ else
+ return 0;
}
static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect
(_pReg)->data = (RegDataPtr) NULL;
}
else {
+ size_t rgnSize;
(_pReg)->extents = RegionEmptyBox;
- if (((_size) > 1) && ((_pReg)->data =
- (RegDataPtr) malloc(RegionSizeof(_size)))) {
+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
(_pReg)->data->size = (_size);
(_pReg)->data->numRects = 0;
}
++++++ U_dri2-Use-the-PrimeScreen-when-creating-reusing-buffe.patch ++++++
From 4d92fab39c4225e89f2d157a1f559cb0618a6eaa Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Wed, 18 Jun 2014 11:14:43 +0100
Subject: [PATCH] dri2: Use the PrimeScreen when creating/reusing buffers
This fixes a segfault when we attempt to call ds->ReuseBufferNotify()
passing a Prime DRI2BufferPtr to the master backend.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=80001
Signed-off-by: Chris Wilson
Reviewed-by: Dave Airlie
Signed-off-by: Keith Packard
---
hw/xfree86/dri2/dri2.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index 6dd7796..5705baa 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -415,18 +415,14 @@ DRI2DrawableGone(void *p, XID id)
}
static DRI2BufferPtr
-create_buffer(DrawablePtr pDraw,
+create_buffer(DRI2ScreenPtr ds, DrawablePtr pDraw,
unsigned int attachment, unsigned int format)
{
- ScreenPtr primeScreen;
- DRI2DrawablePtr pPriv;
- DRI2ScreenPtr ds;
DRI2BufferPtr buffer;
- pPriv = DRI2GetDrawable(pDraw);
- primeScreen = GetScreenPrime(pDraw->pScreen, pPriv->prime_id);
- ds = DRI2GetScreenPrime(pDraw->pScreen, pPriv->prime_id);
if (ds->CreateBuffer2)
- buffer = (*ds->CreateBuffer2)(primeScreen, pDraw, attachment, format);
+ buffer = (*ds->CreateBuffer2)(GetScreenPrime(pDraw->pScreen,
+ DRI2GetDrawable(pDraw)->prime_id),
+ pDraw, attachment, format);
else
buffer = (*ds->CreateBuffer)(pDraw, attachment, format);
return buffer;
@@ -475,7 +471,7 @@ allocate_or_reuse_buffer(DrawablePtr pDraw, DRI2ScreenPtr ds,
if ((old_buf < 0)
|| attachment == DRI2BufferFrontLeft
|| !dimensions_match || (pPriv->buffers[old_buf]->format != format)) {
- *buffer = create_buffer (pDraw, attachment, format);
+ *buffer = create_buffer(ds, pDraw, attachment, format);
return TRUE;
}
@@ -538,7 +534,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
return NULL;
}
- ds = DRI2GetScreen(pDraw->pScreen);
+ ds = DRI2GetScreenPrime(pDraw->pScreen, pPriv->prime_id);
dimensions_match = (pDraw->width == pPriv->width)
&& (pDraw->height == pPriv->height);
--
1.8.4.5
++++++ U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch ++++++
Subject: dri2: integer overflow in ProcDRI2GetBuffers()
References: bnc#907268, CVE-2014-8094
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
ProcDRI2GetBuffers() tries to validate a length field (count).
There is an integer overflow in the validation. This can cause
out of bound reads and memory corruption later on.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Reviewed-by: Julien Cristau
---
hw/xfree86/dri2/dri2ext.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index ffd66fa..221ec53 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
unsigned int *attachments;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+ if (stuff->count > (INT_MAX / 4))
+ return BadLength;
+
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
return status;
--
1.7.9.2
++++++ U_dri3_unvalidated_lengths_in_DRI3_extension_swapped_procs.patch ++++++
Subject: dri3: unvalidated lengths in DRI3 extension swapped procs
References: bnc#907268, CVE-2014-8103
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
dri3/dri3_request.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/dri3/dri3_request.c b/dri3/dri3_request.c
index fe45620..2d75588 100644
--- a/dri3/dri3_request.c
+++ b/dri3/dri3_request.c
@@ -321,6 +321,7 @@ static int
sproc_dri3_query_version(ClientPtr client)
{
REQUEST(xDRI3QueryVersionReq);
+ REQUEST_SIZE_MATCH(xDRI3QueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -332,6 +333,7 @@ static int
sproc_dri3_open(ClientPtr client)
{
REQUEST(xDRI3OpenReq);
+ REQUEST_SIZE_MATCH(xDRI3OpenReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -343,6 +345,7 @@ static int
sproc_dri3_pixmap_from_buffer(ClientPtr client)
{
REQUEST(xDRI3PixmapFromBufferReq);
+ REQUEST_SIZE_MATCH(xDRI3PixmapFromBufferReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -358,6 +361,7 @@ static int
sproc_dri3_buffer_from_pixmap(ClientPtr client)
{
REQUEST(xDRI3BufferFromPixmapReq);
+ REQUEST_SIZE_MATCH(xDRI3BufferFromPixmapReq);
swaps(&stuff->length);
swapl(&stuff->pixmap);
@@ -368,6 +372,7 @@ static int
sproc_dri3_fence_from_fd(ClientPtr client)
{
REQUEST(xDRI3FenceFromFDReq);
+ REQUEST_SIZE_MATCH(xDRI3FenceFromFDReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
@@ -379,6 +384,7 @@ static int
sproc_dri3_fd_from_fence(ClientPtr client)
{
REQUEST(xDRI3FDFromFenceReq);
+ REQUEST_SIZE_MATCH(xDRI3FDFromFenceReq);
swaps(&stuff->length);
swapl(&stuff->drawable);
--
1.7.9.2
++++++ U_ephyr_add_output_option_support.patch ++++++
From 3a51418b2db353519a1779cf3cebbcc9afba2520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?=
Date: Mon, 18 Aug 2014 08:45:43 -0300
Subject: ephyr: set screen size & origin from host X server output's CRTC
geometry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If a given output is passed via new -output option, Xephyr will query
host X server for its info. If the following conditions are met:
a. RandR extension is enabled in host X server;
b. supported RandR version in host X server is 1.2 or newer;
c. the given output name is valid;
d. the given output is connected;
then Xephyr will get output's CRTC geometry and use it to set its own
screen size and origin. It's just like starting Xephyr in fullscreen mode,
but restricted to the given output's CRTC geometry (fake "Zaphod mode").
This is the main feature needed for Xephyr-based single-card multiseat
setups where we don't have separate screens to start Xephyr in fullscreen
mode safely.
Signed-off-by: Laércio de Sousa
Reviewed-by: Keith Packard
Signed-off-by: Keith Packard
diff --git a/configure.ac b/configure.ac
index f3d9654..cba7d24 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2364,7 +2364,7 @@ if test "$KDRIVE" = yes; then
AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver])
fi
- XEPHYR_REQUIRED_LIBS="xau xdmcp xcb xcb-shape xcb-aux xcb-image xcb-icccm xcb-shm xcb-keysyms"
+ XEPHYR_REQUIRED_LIBS="xau xdmcp xcb xcb-shape xcb-aux xcb-image xcb-icccm xcb-shm xcb-keysyms xcb-randr"
if test "x$XV" = xyes; then
XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xcb-xv"
fi
diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
index b039c68..85d4193 100644
--- a/hw/kdrive/ephyr/ephyr.c
+++ b/hw/kdrive/ephyr/ephyr.c
@@ -111,13 +111,16 @@ Bool
ephyrScreenInitialize(KdScreenInfo *screen)
{
EphyrScrPriv *scrpriv = screen->driver;
+ int x = 0, y = 0;
int width = 640, height = 480;
CARD32 redMask, greenMask, blueMask;
- if (hostx_want_screen_size(screen, &width, &height)
+ if (hostx_want_screen_geometry(screen, &width, &height, &x, &y)
|| !screen->width || !screen->height) {
screen->width = width;
screen->height = height;
+ screen->x = x;
+ screen->y = y;
}
if (EphyrWantGrayScale)
diff --git a/hw/kdrive/ephyr/ephyr.h b/hw/kdrive/ephyr/ephyr.h
index 5c4936b..4e753f1 100644
--- a/hw/kdrive/ephyr/ephyr.h
+++ b/hw/kdrive/ephyr/ephyr.h
@@ -74,8 +74,10 @@ typedef struct _ephyrScrPriv {
xcb_window_t peer_win; /* Used for GL; should be at most one */
xcb_image_t *ximg;
Bool win_explicit_position;
+ int win_x, win_y;
int win_width, win_height;
int server_depth;
+ const char *output; /* Set via -output option */
unsigned char *fb_data; /* only used when host bpp != server bpp */
xcb_shm_segment_info_t shminfo;
diff --git a/hw/kdrive/ephyr/ephyrinit.c b/hw/kdrive/ephyr/ephyrinit.c
index e04c8dc..38acc52 100644
--- a/hw/kdrive/ephyr/ephyrinit.c
+++ b/hw/kdrive/ephyr/ephyrinit.c
@@ -47,6 +47,8 @@ extern KdPointerDriver LinuxEvdevMouseDriver;
extern KdKeyboardDriver LinuxEvdevKeyboardDriver;
#endif
+void processScreenOrOutputArg(const char *screen_size, const char *output, char *parent_id);
+void processOutputArg(const char *output, char *parent_id);
void processScreenArg(const char *screen_size, char *parent_id);
void
@@ -134,6 +136,7 @@ ddxUseMsg(void)
ErrorF("-parent <XID> Use existing window as Xephyr root win\n");
ErrorF("-sw-cursor Render cursors in software in Xephyr\n");
ErrorF("-fullscreen Attempt to run Xephyr fullscreen\n");
+ ErrorF("-output <NAME> Attempt to run Xephyr fullscreen (restricted to given output geometry)\n");
ErrorF("-grayscale Simulate 8bit grayscale\n");
ErrorF("-resizeable Make Xephyr windows resizeable\n");
#ifdef GLAMOR
@@ -154,7 +157,7 @@ ddxUseMsg(void)
}
void
-processScreenArg(const char *screen_size, char *parent_id)
+processScreenOrOutputArg(const char *screen_size, const char *output, char *parent_id)
{
KdCardInfo *card;
@@ -178,13 +181,25 @@ processScreenArg(const char *screen_size, char *parent_id)
use_geometry = (strchr(screen_size, '+') != NULL);
EPHYR_DBG("screen number:%d\n", screen->mynum);
- hostx_add_screen(screen, p_id, screen->mynum, use_geometry);
+ hostx_add_screen(screen, p_id, screen->mynum, use_geometry, output);
}
else {
ErrorF("No matching card found!\n");
}
}
+void
+processScreenArg(const char *screen_size, char *parent_id)
+{
+ processScreenOrOutputArg(screen_size, NULL, parent_id);
+}
+
+void
+processOutputArg(const char *output, char *parent_id)
+{
+ processScreenOrOutputArg("100x100+0+0", output, parent_id);
+}
+
int
ddxProcessArgument(int argc, char **argv, int i)
{
@@ -226,6 +241,15 @@ ddxProcessArgument(int argc, char **argv, int i)
UseMsg();
exit(1);
}
+ else if (!strcmp(argv[i], "-output")) {
+ if (i + 1 < argc) {
+ processOutputArg(argv[i + 1], NULL);
+ return 2;
+ }
+
+ UseMsg();
+ exit(1);
+ }
else if (!strcmp(argv[i], "-sw-cursor")) {
hostx_use_sw_cursor();
return 1;
diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
index 92a8ada..2161ad5 100644
--- a/hw/kdrive/ephyr/hostx.c
+++ b/hw/kdrive/ephyr/hostx.c
@@ -51,6 +51,7 @@
#include
#include
#include
+#include
#ifdef XF86DRI
#include
#include
@@ -104,12 +105,15 @@ static void
#define host_depth_matches_server(_vars) (HostX.depth == (_vars)->server_depth)
int
-hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height)
+hostx_want_screen_geometry(KdScreenInfo *screen, int *width, int *height, int *x, int *y)
{
EphyrScrPriv *scrpriv = screen->driver;
if (scrpriv && (scrpriv->win_pre_existing != None ||
+ scrpriv->output != NULL ||
HostX.use_fullscreen == TRUE)) {
+ *x = scrpriv->win_x;
+ *y = scrpriv->win_y;
*width = scrpriv->win_width;
*height = scrpriv->win_height;
return 1;
@@ -119,7 +123,7 @@ hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height)
}
void
-hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry)
+hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry, const char *output)
{
EphyrScrPriv *scrpriv = screen->driver;
int index = HostX.n_screens;
@@ -132,6 +136,7 @@ hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Boo
scrpriv->screen = screen;
scrpriv->win_pre_existing = win_id;
scrpriv->win_explicit_position = use_geometry;
+ scrpriv->output = output;
}
void
@@ -211,6 +216,119 @@ hostx_want_preexisting_window(KdScreenInfo *screen)
}
void
+hostx_get_output_geometry(const char *output,
+ int *x, int *y,
+ int *width, int *height)
+{
+ int i, name_len = 0, output_found = FALSE;
+ char *name = NULL;
+ xcb_generic_error_t *error;
+ xcb_randr_query_version_cookie_t version_c;
+ xcb_randr_query_version_reply_t *version_r;
+ xcb_randr_get_screen_resources_cookie_t screen_resources_c;
+ xcb_randr_get_screen_resources_reply_t *screen_resources_r;
+ xcb_randr_output_t *randr_outputs;
+ xcb_randr_get_output_info_cookie_t output_info_c;
+ xcb_randr_get_output_info_reply_t *output_info_r;
+ xcb_randr_get_crtc_info_cookie_t crtc_info_c;
+ xcb_randr_get_crtc_info_reply_t *crtc_info_r;
+
+ /* First of all, check for extension */
+ if (!xcb_get_extension_data(HostX.conn, &xcb_randr_id)->present)
+ {
+ fprintf(stderr, "\nHost X server does not support RANDR extension (or it's disabled).\n");
+ exit(1);
+ }
+
+ /* Check RandR version */
+ version_c = xcb_randr_query_version(HostX.conn, 1, 2);
+ version_r = xcb_randr_query_version_reply(HostX.conn,
+ version_c,
+ &error);
+
+ if (error != NULL || version_r == NULL)
+ {
+ fprintf(stderr, "\nFailed to get RandR version supported by host X server.\n");
+ exit(1);
+ }
+ else if (version_r->major_version < 1 || version_r->minor_version < 2)
+ {
+ free(version_r);
+ fprintf(stderr, "\nHost X server doesn't support RandR 1.2, needed for -output usage.\n");
+ exit(1);
+ }
+
+ free(version_r);
+
+ /* Get list of outputs from screen resources */
+ screen_resources_c = xcb_randr_get_screen_resources(HostX.conn,
+ HostX.winroot);
+ screen_resources_r = xcb_randr_get_screen_resources_reply(HostX.conn,
+ screen_resources_c,
+ NULL);
+ randr_outputs = xcb_randr_get_screen_resources_outputs(screen_resources_r);
+
+ for (i = 0; !output_found && i < screen_resources_r->num_outputs; i++)
+ {
+ /* Get info on the output */
+ output_info_c = xcb_randr_get_output_info(HostX.conn,
+ randr_outputs[i],
+ XCB_CURRENT_TIME);
+ output_info_r = xcb_randr_get_output_info_reply(HostX.conn,
+ output_info_c,
+ NULL);
+
+ /* Get output name */
+ name_len = xcb_randr_get_output_info_name_length(output_info_r);
+ name = malloc(name_len + 1);
+ strncpy(name, (char*)xcb_randr_get_output_info_name(output_info_r), name_len);
+ name[name_len] = '\0';
+
+ if (!strcmp(name, output))
+ {
+ output_found = TRUE;
+
+ /* Check if output is connected */
+ if (output_info_r->crtc == XCB_NONE)
+ {
+ free(name);
+ free(output_info_r);
+ free(screen_resources_r);
+ fprintf(stderr, "\nOutput %s is currently disabled (or not connected).\n", output);
+ exit(1);
+ }
+
+ /* Get CRTC from output info */
+ crtc_info_c = xcb_randr_get_crtc_info(HostX.conn,
+ output_info_r->crtc,
+ XCB_CURRENT_TIME);
+ crtc_info_r = xcb_randr_get_crtc_info_reply(HostX.conn,
+ crtc_info_c,
+ NULL);
+
+ /* Get CRTC geometry */
+ *x = crtc_info_r->x;
+ *y = crtc_info_r->y;
+ *width = crtc_info_r->width;
+ *height = crtc_info_r->height;
+
+ free(crtc_info_r);
+ }
+
+ free(name);
+ free(output_info_r);
+ }
+
+ free(screen_resources_r);
+
+ if (!output_found)
+ {
+ fprintf(stderr, "\nOutput %s not available in host X server.\n", output);
+ exit(1);
+ }
+}
+
+void
hostx_use_fullscreen(void)
{
HostX.use_fullscreen = TRUE;
@@ -359,6 +477,8 @@ hostx_init(void)
scrpriv->win = xcb_generate_id(HostX.conn);
scrpriv->server_depth = HostX.depth;
scrpriv->ximg = NULL;
+ scrpriv->win_x = 0;
+ scrpriv->win_y = 0;
if (scrpriv->win_pre_existing != XCB_WINDOW_NONE) {
xcb_get_geometry_reply_t *prewin_geom;
@@ -416,6 +536,17 @@ hostx_init(void)
hostx_set_fullscreen_hint();
}
+ else if (scrpriv->output) {
+ hostx_get_output_geometry(scrpriv->output,
+ &scrpriv->win_x,
+ &scrpriv->win_y,
+ &scrpriv->win_width,
+ &scrpriv->win_height);
+
+ HostX.use_fullscreen = TRUE;
+ hostx_set_fullscreen_hint();
+ }
+
tmpstr = getenv("RESOURCE_NAME");
if (tmpstr && (!ephyrResNameFromCmd))
@@ -759,6 +890,8 @@ hostx_screen_init(KdScreenInfo *screen,
scrpriv->win_width = width;
scrpriv->win_height = height;
+ scrpriv->win_x = x;
+ scrpriv->win_y = y;
#ifdef GLAMOR
if (ephyr_glamor) {
diff --git a/hw/kdrive/ephyr/hostx.h b/hw/kdrive/ephyr/hostx.h
index c554ca3..80894c8 100644
--- a/hw/kdrive/ephyr/hostx.h
+++ b/hw/kdrive/ephyr/hostx.h
@@ -74,7 +74,7 @@ typedef struct {
} EphyrRect;
int
-hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height);
+hostx_want_screen_geometry(KdScreenInfo *screen, int *width, int *height, int *x, int *y);
int
hostx_want_host_cursor(void);
@@ -83,6 +83,11 @@ void
hostx_use_sw_cursor(void);
void
+ hostx_get_output_geometry(const char *output,
+ int *x, int *y,
+ int *width, int *height);
+
+void
hostx_use_fullscreen(void);
int
@@ -107,7 +112,7 @@ int
hostx_init(void);
void
-hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry);
+hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry, const char *output);
void
hostx_set_display_name(char *name);
--
cgit v0.10.2
++++++ U_ephyr_enable_screen_window_placement.patch ++++++
From 84b02469ef97e6f85d074d220a517d752180045f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?=
Date: Mon, 18 Aug 2014 08:45:42 -0300
Subject: ephyr: enable screen window placement following kdrive -screen option
extended syntax
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With this patch, one can launch Xephyr with option "-screen WxH+X+Y"
to place its window origin at (X,Y). This patch relies on a previous
one that extends kdrive -screen option syntax to parse +X+Y substring
as expected.
If +X+Y is not passed in -screen argument string, let the WM place
the window for us, as before.
Signed-off-by: Laércio de Sousa
Reviewed-by: Keith Packard
Signed-off-by: Keith Packard
diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
index d57e9f3..b039c68 100644
--- a/hw/kdrive/ephyr/ephyr.c
+++ b/hw/kdrive/ephyr/ephyr.c
@@ -242,7 +242,8 @@ ephyrMapFramebuffer(KdScreenInfo * screen)
buffer_height = ephyrBufferHeight(screen);
priv->base =
- hostx_screen_init(screen, screen->width, screen->height, buffer_height,
+ hostx_screen_init(screen, screen->x, screen->y,
+ screen->width, screen->height, buffer_height,
&priv->bytes_per_line, &screen->fb.bitsPerPixel);
if ((scrpriv->randr & RR_Rotate_0) && !(scrpriv->randr & RR_Reflect_All)) {
diff --git a/hw/kdrive/ephyr/ephyr.h b/hw/kdrive/ephyr/ephyr.h
index dfd93c9..5c4936b 100644
--- a/hw/kdrive/ephyr/ephyr.h
+++ b/hw/kdrive/ephyr/ephyr.h
@@ -73,6 +73,7 @@ typedef struct _ephyrScrPriv {
xcb_window_t win_pre_existing; /* Set via -parent option like xnest */
xcb_window_t peer_win; /* Used for GL; should be at most one */
xcb_image_t *ximg;
+ Bool win_explicit_position;
int win_width, win_height;
int server_depth;
unsigned char *fb_data; /* only used when host bpp != server bpp */
diff --git a/hw/kdrive/ephyr/ephyrinit.c b/hw/kdrive/ephyr/ephyrinit.c
index fc00010..e04c8dc 100644
--- a/hw/kdrive/ephyr/ephyrinit.c
+++ b/hw/kdrive/ephyr/ephyrinit.c
@@ -164,6 +164,7 @@ processScreenArg(const char *screen_size, char *parent_id)
if (card) {
KdScreenInfo *screen;
unsigned long p_id = 0;
+ Bool use_geometry;
screen = KdScreenInfoAdd(card);
KdParseScreen(screen, screen_size);
@@ -174,8 +175,10 @@ processScreenArg(const char *screen_size, char *parent_id)
if (parent_id) {
p_id = strtol(parent_id, NULL, 0);
}
+
+ use_geometry = (strchr(screen_size, '+') != NULL);
EPHYR_DBG("screen number:%d\n", screen->mynum);
- hostx_add_screen(screen, p_id, screen->mynum);
+ hostx_add_screen(screen, p_id, screen->mynum, use_geometry);
}
else {
ErrorF("No matching card found!\n");
diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
index 1c75974..92a8ada 100644
--- a/hw/kdrive/ephyr/hostx.c
+++ b/hw/kdrive/ephyr/hostx.c
@@ -119,7 +119,7 @@ hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height)
}
void
-hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num)
+hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry)
{
EphyrScrPriv *scrpriv = screen->driver;
int index = HostX.n_screens;
@@ -131,6 +131,7 @@ hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num)
scrpriv->screen = screen;
scrpriv->win_pre_existing = win_id;
+ scrpriv->win_explicit_position = use_geometry;
}
void
@@ -637,6 +638,7 @@ hostx_set_cmap_entry(unsigned char idx,
*/
void *
hostx_screen_init(KdScreenInfo *screen,
+ int x, int y,
int width, int height, int buffer_height,
int *bytes_per_line, int *bits_per_pixel)
{
@@ -648,8 +650,8 @@ hostx_screen_init(KdScreenInfo *screen,
exit(1);
}
- EPHYR_DBG("host_screen=%p wxh=%dx%d, buffer_height=%d",
- host_screen, width, height, buffer_height);
+ EPHYR_DBG("host_screen=%p x=%d, y=%d, wxh=%dx%d, buffer_height=%d",
+ host_screen, x, y, width, height, buffer_height);
if (scrpriv->ximg != NULL) {
/* Free up the image data if previously used
@@ -740,6 +742,19 @@ hostx_screen_init(KdScreenInfo *screen,
xcb_map_window(HostX.conn, scrpriv->win);
+ /* Set explicit window position if it was informed in
+ * -screen option (WxH+X or WxH+X+Y). Otherwise, accept the
+ * position set by WM.
+ * The trick here is putting this code after xcb_map_window() call,
+ * so these values won't be overriden by WM. */
+ if (scrpriv->win_explicit_position)
+ {
+ uint32_t mask = XCB_CONFIG_WINDOW_X | XCB_CONFIG_WINDOW_Y;
+ uint32_t values[2] = {x, y};
+ xcb_configure_window(HostX.conn, scrpriv->win, mask, values);
+ }
+
+
xcb_aux_sync(HostX.conn);
scrpriv->win_width = width;
diff --git a/hw/kdrive/ephyr/hostx.h b/hw/kdrive/ephyr/hostx.h
index e83323a..c554ca3 100644
--- a/hw/kdrive/ephyr/hostx.h
+++ b/hw/kdrive/ephyr/hostx.h
@@ -107,7 +107,7 @@ int
hostx_init(void);
void
-hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num);
+hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry);
void
hostx_set_display_name(char *name);
@@ -136,6 +136,7 @@ hostx_set_cmap_entry(unsigned char idx,
unsigned char r, unsigned char g, unsigned char b);
void *hostx_screen_init(KdScreenInfo *screen,
+ int x, int y,
int width, int height, int buffer_height,
int *bytes_per_line, int *bits_per_pixel);
--
cgit v0.10.2
++++++ U_fb-Fix-invalid-bpp-for-24bit-depth-window.patch ++++++
From fe5018e0564118a7a8198fa286186fdb9ed818c7 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Tue, 19 Aug 2014 15:57:22 -0500
Subject: [PATCH] fb: Fix invalid bpp for 24bit depth window
We have a hack in fb layer for a 24bpp screen to use 32bpp images, and
fbCreateWindow() replaces its drawable.bitsPerPixel field
appropriately. But, the problem is that it always replaces when 32bpp
is passed. If the depth is 32, this results in bpp < depth, which is
actually invalid.
Meanwhile, fbCreatePixmap() has a more check and it creates with 24bpp
only when the passed depth <= 24 for avoiding such a problem.
This oneliner patch just adds the similar check in fbCreateWindow().
This (hopefully) fixes the long-standing broken graphics mess of
cirrus KMS with 24bpp.
Signed-off-by: Takashi Iwai
Reviewed-by: Keith Packard
---
fb/fbwindow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fb/fbwindow.c b/fb/fbwindow.c
index 368c4b883b31..c90175faa078 100644
--- a/fb/fbwindow.c
+++ b/fb/fbwindow.c
@@ -33,7 +33,7 @@ fbCreateWindow(WindowPtr pWin)
{
dixSetPrivate(&pWin->devPrivates, fbGetWinPrivateKey(pWin),
fbGetScreenPixmap(pWin->drawable.pScreen));
- if (pWin->drawable.bitsPerPixel == 32)
+ if (pWin->drawable.bitsPerPixel == 32 && pWin->drawable.depth <= 24)
pWin->drawable.bitsPerPixel =
fbGetScreenPrivate(pWin->drawable.pScreen)->win32bpp;
return TRUE;
--
2.0.4
++++++ U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch ++++++
Subject: fb: Fix Bresenham algorithms for commonly used small segments.
Git-commit: 1b94fd77792310c80b0a2bcf4bf6d4e4c4c23bca
Author: Alex Orange
Patch-Mainline: Upstream
References: bnc#908258, bnc#856931, fdo#54168
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=54168
Fix errors introducted in 863d528a9f76d0e8f122aebf19f8564a4c67a938. Said
patch does indeed remove the problematic writes to bad memory, however
it also introduces errors in the algoritm. This patch has the effect of
reverting said patch and adding an if in the proper location to catch
the out of bounds memory write without causing problems to the overall
algorithm.
Signed-off-by: Alex Orange
Reviewed-by: Peter Harris
Tested-by: Peter Harris
Signed-off-by: Keith Packard
---
fb/fbseg.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/fb/fbseg.c b/fb/fbseg.c
index 36b17e3..c3c196a 100644
--- a/fb/fbseg.c
+++ b/fb/fbseg.c
@@ -65,12 +65,6 @@ fbBresSolid(DrawablePtr pDrawable,
if (axis == X_AXIS) {
bits = 0;
while (len--) {
- if (e >= 0) {
- WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
- bits = 0;
- dst += dstStride;
- e += e3;
- }
bits |= mask;
mask = fbBresShiftMask(mask, signdx, dstBpp);
if (!mask) {
@@ -80,12 +74,23 @@ fbBresSolid(DrawablePtr pDrawable,
mask = mask0;
}
e += e1;
+ if (e >= 0) {
+ if (bits) {
+ WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits));
+ bits = 0;
+ }
+ dst += dstStride;
+ e += e3;
+ }
}
if (bits)
WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, bits));
}
else {
while (len--) {
+ WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask));
+ dst += dstStride;
+ e += e1;
if (e >= 0) {
e += e3;
mask = fbBresShiftMask(mask, signdx, dstBpp);
@@ -94,9 +99,6 @@ fbBresSolid(DrawablePtr pDrawable,
mask = mask0;
}
}
- WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask));
- dst += dstStride;
- e += e1;
}
}
--
1.8.4.5
++++++ U_glx_Add_safe__add_mul_pad.patch ++++++
Subject: glx: Add safe_{add,mul,pad} (v3)
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/glx/glxserver.h b/glx/glxserver.h
index a324b29..9482601 100644
--- a/glx/glxserver.h
+++ b/glx/glxserver.h
@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client,
* Routines for computing the size of variably-sized rendering commands.
*/
+static _X_INLINE int
+safe_add(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (INT_MAX - a < b)
+ return -1;
+
+ return a + b;
+}
+
+static _X_INLINE int
+safe_mul(int a, int b)
+{
+ if (a < 0 || b < 0)
+ return -1;
+
+ if (a == 0 || b == 0)
+ return 0;
+
+ if (a > INT_MAX / b)
+ return -1;
+
+ return a * b;
+}
+
+static _X_INLINE int
+safe_pad(int a)
+{
+ int ret;
+
+ if (a < 0)
+ return -1;
+
+ if ((ret = safe_add(a, 3)) < 0)
+ return -1;
+
+ return ret & (GLuint)~3;
+}
+
extern int __glXTypeSize(GLenum enm);
extern int __glXImageSize(GLenum format, GLenum type,
GLenum target, GLsizei w, GLsizei h, GLsizei d,
--
1.7.9.2
++++++ U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch ++++++
Subject: glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2)
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/indirect_util.c | 7 ++++++-
glx/unpack.h | 3 ++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index 926e57c..de81491 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
const unsigned mask = alignment - 1;
if (local_size < required_size) {
- const size_t worst_case_size = required_size + alignment;
+ size_t worst_case_size;
intptr_t temp_buf;
+ if (required_size < SIZE_MAX - alignment)
+ worst_case_size = required_size + alignment;
+ else
+ return NULL;
+
if (cl->returnBufSize < worst_case_size) {
void *temp = realloc(cl->returnBuf, worst_case_size);
diff --git a/glx/unpack.h b/glx/unpack.h
index 52fba74..2b1ebcf 100644
--- a/glx/unpack.h
+++ b/glx/unpack.h
@@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply;
** pointer.
*/
#define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \
- if ((size) > sizeof(answerBuffer)) { \
+ if (size < 0) return BadLength; \
+ else if ((size) > sizeof(answerBuffer)) { \
int bump; \
if ((cl)->returnBufSize < (size)+(align)) { \
(cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \
--
1.7.9.2
++++++ U_glx_Be_more_paranoid_about_variable_length_requests.patch ++++++
Subject: glx: Be more paranoid about variable-length requests
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxcmds.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 8d3fa9f..0521b58 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2060,7 +2060,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
return BadLength;
@@ -2177,7 +2177,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE,
client->swapped);
if (extra < 0) {
- extra = 0;
+ return BadLength;
}
/* large command's header is 4 bytes longer, so add 4 */
if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
--
1.7.9.2
++++++ U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch ++++++
Subject: glx: Be more strict about rejecting invalid image sizes
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/singlepix.c | 16 ++++++++--------
glx/singlepixswap.c | 16 ++++++++--------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/glx/singlepix.c b/glx/singlepix.c
index 506fdaa..8b6c261 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -65,7 +65,7 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -124,7 +124,7 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -218,9 +218,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -296,7 +296,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -365,7 +365,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -426,7 +426,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -491,7 +491,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 8469101..8dc304f 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -75,7 +75,7 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
lsbFirst = *(GLboolean *) (pc + 25);
compsize = __glReadPixels_size(format, type, width, height);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
glPixelStorei(GL_PACK_LSB_FIRST, lsbFirst);
@@ -144,7 +144,7 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
compsize =
__glGetTexImage_size(target, level, format, type, width, height, depth);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -252,9 +252,9 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
if (compsize2 < 0)
- compsize2 = 0;
+ return BadLength;
compsize = __GLX_PAD(compsize);
compsize2 = __GLX_PAD(compsize2);
@@ -338,7 +338,7 @@ GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -415,7 +415,7 @@ GetHistogram(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -483,7 +483,7 @@ GetMinmax(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
@@ -554,7 +554,7 @@ GetColorTable(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
*/
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
if (compsize < 0)
- compsize = 0;
+ return BadLength;
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
__GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1);
--
1.7.9.2
++++++ U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch ++++++
Subject: glx: Fix image size computation for EXT_texture_integer
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Without this we'd reject the request with BadLength. Note that some old
versions of Mesa had a bug in the same place, and would _send_ zero
bytes of image data; these will now be rejected, correctly.
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/rensize.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/glx/rensize.c b/glx/rensize.c
index ba22d10..9ff73c7 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_ALPHA:
case GL_LUMINANCE:
case GL_INTENSITY:
+ case GL_RED_INTEGER_EXT:
+ case GL_GREEN_INTEGER_EXT:
+ case GL_BLUE_INTEGER_EXT:
+ case GL_ALPHA_INTEGER_EXT:
+ case GL_LUMINANCE_INTEGER_EXT:
elementsPerGroup = 1;
break;
case GL_422_EXT:
@@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
case GL_DEPTH_STENCIL_MESA:
case GL_YCBCR_MESA:
case GL_LUMINANCE_ALPHA:
+ case GL_LUMINANCE_ALPHA_INTEGER_EXT:
elementsPerGroup = 2;
break;
case GL_RGB:
case GL_BGR:
+ case GL_RGB_INTEGER_EXT:
+ case GL_BGR_INTEGER_EXT:
elementsPerGroup = 3;
break;
case GL_RGBA:
case GL_BGRA:
+ case GL_RGBA_INTEGER_EXT:
+ case GL_BGRA_INTEGER_EXT:
case GL_ABGR_EXT:
elementsPerGroup = 4;
break;
--
1.7.9.2
++++++ U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch ++++++
Subject: glx: Fix mask truncation in __glXGetAnswerBuffer
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
bitwise not operation will result in a mask that clears all high bits
from temp_buf in the expression:
temp_buf = (temp_buf + mask) & ~mask;
Signed-off-by: Robert Morell
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
glx/indirect_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/glx/indirect_util.c b/glx/indirect_util.c
index de81491..9ba2815 100644
--- a/glx/indirect_util.c
+++ b/glx/indirect_util.c
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size,
void *local_buffer, size_t local_size, unsigned alignment)
{
void *buffer = local_buffer;
- const unsigned mask = alignment - 1;
+ const intptr_t mask = alignment - 1;
if (local_size < required_size) {
size_t worst_case_size;
--
1.7.9.2
++++++ U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch ++++++
Subject: glx: Integer overflow protection for non-generated render requests (v3)
References: bnc#907268, CVE-2014-8093
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
Reviewed-by: Keith Packard
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/rensize.c | 77 ++++++++++++++++++++++++++++++---------------------------
1 file changed, 41 insertions(+), 36 deletions(-)
diff --git a/glx/rensize.c b/glx/rensize.c
index 9ff73c7..d46334a 100644
--- a/glx/rensize.c
+++ b/glx/rensize.c
@@ -43,19 +43,11 @@
(((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \
((a & 0xff00U)<<8) | ((a & 0xffU)<<24))
-static int
-Map1Size(GLint k, GLint order)
-{
- if (order <= 0 || k < 0)
- return -1;
- return k * order;
-}
-
int
__glXMap1dReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 16);
order = *(GLint *) (pc + 20);
@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1d_size(target);
- return 8 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(8, safe_mul(__glMap1d_size(target), order));
}
int
__glXMap1fReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint order, k;
+ GLint order;
target = *(GLenum *) (pc + 0);
order = *(GLint *) (pc + 12);
@@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap)
target = SWAPL(target);
order = SWAPL(order);
}
- k = __glMap1f_size(target);
- return 4 * Map1Size(k, order);
+ if (order < 1)
+ return -1;
+ return safe_mul(4, safe_mul(__glMap1f_size(target), order));
}
static int
Map2Size(int k, int majorOrder, int minorOrder)
{
- if (majorOrder <= 0 || minorOrder <= 0 || k < 0)
+ if (majorOrder < 1 || minorOrder < 1)
return -1;
- return k * majorOrder * minorOrder;
+ return safe_mul(k, safe_mul(majorOrder, minorOrder));
}
int
__glXMap2dReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 32);
uorder = *(GLint *) (pc + 36);
@@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2d_size(target);
- return 8 * Map2Size(k, uorder, vorder);
+ return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder));
}
int
__glXMap2fReqSize(const GLbyte * pc, Bool swap)
{
GLenum target;
- GLint uorder, vorder, k;
+ GLint uorder, vorder;
target = *(GLenum *) (pc + 0);
uorder = *(GLint *) (pc + 12);
@@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap)
uorder = SWAPL(uorder);
vorder = SWAPL(vorder);
}
- k = __glMap2f_size(target);
- return 4 * Map2Size(k, uorder, vorder);
+ return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder));
}
/**
@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
GLint bytesPerElement, elementsPerGroup, groupsPerRow;
GLint groupSize, rowSize, padding, imageSize;
+ if (w == 0 || h == 0 || d == 0)
+ return 0;
+
if (w < 0 || h < 0 || d < 0 ||
(type == GL_BITMAP &&
(format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) {
return -1;
}
- if (w == 0 || h == 0 || d == 0)
- return 0;
+ /* proxy targets have no data */
switch (target) {
case GL_PROXY_TEXTURE_1D:
case GL_PROXY_TEXTURE_2D:
@@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
return 0;
}
+ /* real data has to have real sizes */
+ if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0)
+ return -1;
+ if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8)
+ return -1;
+
if (type == GL_BITMAP) {
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
groupsPerRow = w;
}
rowSize = bits_to_bytes(groupsPerRow);
+ if (rowSize < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- return ((h + skipRows) * rowSize);
+
+ return safe_mul(safe_add(h, skipRows), rowSize);
}
else {
switch (format) {
@@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
default:
return -1;
}
+ /* known safe by the switches above, not checked */
groupSize = bytesPerElement * elementsPerGroup;
if (rowLength > 0) {
groupsPerRow = rowLength;
@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target,
else {
groupsPerRow = w;
}
- rowSize = groupsPerRow * groupSize;
+
+ if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0)
+ return -1;
padding = (rowSize % alignment);
if (padding) {
rowSize += alignment - padding;
}
- if (imageHeight > 0) {
- imageSize = (imageHeight + skipRows) * rowSize;
- }
- else {
- imageSize = (h + skipRows) * rowSize;
- }
- return ((d + skipImages) * imageSize);
+
+ if (imageHeight > 0)
+ h = imageHeight;
+ h = safe_add(h, skipRows);
+
+ imageSize = safe_mul(h, rowSize);
+
+ return safe_mul(safe_add(d, skipImages), imageSize);
}
}
@@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap)
/* XXX Should rowLength be used for either or both image? */
image1size = __glXImageSize(format, type, 0, w, 1, 1,
0, rowLength, 0, 0, alignment);
- image1size = __GLX_PAD(image1size);
image2size = __glXImageSize(format, type, 0, h, 1, 1,
0, rowLength, 0, 0, alignment);
- return image1size + image2size;
-
+ return safe_add(safe_pad(image1size), image2size);
}
--
1.7.9.2
++++++ U_glx_Length_checking_for_GLXRender_requests.patch ++++++
Subject: glx: Length checking for GLXRender requests (v2)
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Julien Cristau
Signed-off-by: Alan Coopersmith
---
glx/glxcmds.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 0521b58..4c2e616 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2023,7 +2023,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
left = (req->length << 2) - sz_xGLXRenderReq;
while (left > 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
__GLXdispatchRenderProcPtr proc;
int err;
@@ -2042,6 +2042,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
cmdlen = hdr->length;
opcode = hdr->opcode;
+ if (left < cmdlen)
+ return BadLength;
+
/*
** Check for core opcodes and grab entry data.
*/
@@ -2055,6 +2058,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadRenderRequest);
}
+ if (cmdlen < entry.bytes) {
+ return BadLength;
+ }
+
if (entry.varsize) {
/* variable size command */
extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE,
@@ -2062,17 +2069,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) {
return BadLength;
}
- if (cmdlen != __GLX_PAD(entry.bytes + extra)) {
- return BadLength;
- }
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes)) {
- return BadLength;
- }
- }
- if (left < cmdlen) {
+
+ if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) {
return BadLength;
}
--
1.7.9.2
++++++ U_glx_Length_checking_for_RenderLarge_requests.patch ++++++
Subject: glx: Length checking for RenderLarge requests (v2)
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
This is a half-measure until we start passing request length into the
varsize function, but it's better than the nothing we had before.
v2: Verify that there's at least a large render header's worth of
dataBytes (Julien Cristau)
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 34 insertions(+), 23 deletions(-)
diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 4c2e616..0e7efcc 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -2107,6 +2107,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq);
+
req = (xGLXRenderLargeReq *) pc;
if (client->swapped) {
__GLX_SWAP_SHORT(&req->length);
@@ -2122,12 +2124,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
__glXResetLargeCommandStatus(cl);
return error;
}
+ if (safe_pad(req->dataBytes) < 0)
+ return BadLength;
dataBytes = req->dataBytes;
/*
** Check the request length.
*/
- if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) {
+ if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) {
client->errorValue = req->length;
/* Reset in case this isn't 1st request. */
__glXResetLargeCommandStatus(cl);
@@ -2137,7 +2141,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (cl->largeCmdRequestsSoFar == 0) {
__GLXrenderSizeData entry;
- int extra;
+ int extra = 0;
size_t cmdlen;
int err;
@@ -2150,13 +2154,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
return __glXError(GLXBadLargeRequest);
}
+ if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE)
+ return BadLength;
+
hdr = (__GLXrenderLargeHeader *) pc;
if (client->swapped) {
__GLX_SWAP_INT(&hdr->length);
__GLX_SWAP_INT(&hdr->opcode);
}
- cmdlen = hdr->length;
opcode = hdr->opcode;
+ if ((cmdlen = safe_pad(hdr->length)) < 0)
+ return BadLength;
/*
** Check for core opcodes and grab entry data.
@@ -2178,17 +2186,13 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
if (extra < 0) {
return BadLength;
}
- /* large command's header is 4 bytes longer, so add 4 */
- if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) {
- return BadLength;
- }
}
- else {
- /* constant size command */
- if (cmdlen != __GLX_PAD(entry.bytes + 4)) {
- return BadLength;
- }
+
+ /* the +4 is safe because we know entry.bytes is small */
+ if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) {
+ return BadLength;
}
+
/*
** Make enough space in the buffer, then copy the entire request.
*/
@@ -2215,6 +2219,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
** We are receiving subsequent (i.e. not the first) requests of a
** multi request command.
*/
+ int bytesSoFar; /* including this packet */
/*
** Check the request number and the total request count.
@@ -2233,11 +2238,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc)
/*
** Check that we didn't get too much data.
*/
- if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) {
+ if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) {
+ client->errorValue = dataBytes;
+ __glXResetLargeCommandStatus(cl);
+ return __glXError(GLXBadLargeRequest);
+ }
+
+ if (bytesSoFar > cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
}
+
memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes);
cl->largeCmdBytesSoFar += dataBytes;
cl->largeCmdRequestsSoFar++;
@@ -2241,17 +2253,16 @@ __glXDisp_RenderLarge(__GLXclientState *
** This is the last request; it must have enough bytes to complete
** the command.
*/
- /* NOTE: the two pad macros have been added below; they are needed
- ** because the client library pads the total byte count, but not
- ** the per-request byte counts. The Protocol Encoding says the
- ** total byte count should not be padded, so a proposal will be
- ** made to the ARB to relax the padding constraint on the total
- ** byte count, thus preserving backward compatibility. Meanwhile,
- ** the padding done below fixes a bug that did not allow
- ** large commands of odd sizes to be accepted by the server.
+ /* NOTE: the pad macro below is needed because the client library
+ ** pads the total byte count, but not the per-request byte counts.
+ ** The Protocol Encoding says the total byte count should not be
+ ** padded, so a proposal will be made to the ARB to relax the
+ ** padding constraint on the total byte count, thus preserving
+ ** backward compatibility. Meanwhile, the padding done below
+ ** fixes a bug that did not allow large commands of odd sizes to
+ ** be accepted by the server.
*/
- if (__GLX_PAD(cl->largeCmdBytesSoFar) !=
- __GLX_PAD(cl->largeCmdBytesTotal)) {
+ if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) {
client->errorValue = dataBytes;
__glXResetLargeCommandStatus(cl);
return __glXError(GLXBadLargeRequest);
++++++ U_glx_Length_checking_for_non_generated_single_request.patch ++++++
Subject: glx: Length checking for non-generated single requests (v2)
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Julien Cristau
Signed-off-by: Alan Coopersmith
---
glx/indirect_texture_compression.c | 4 ++++
glx/single2.c | 23 +++++++++++++++----
glx/single2swap.c | 19 ++++++++++++----
glx/singlepix.c | 44 ++++++++++++++++++++++++------------
glx/singlepixswap.c | 34 ++++++++++++++++++++++++----
5 files changed, 95 insertions(+), 29 deletions(-)
diff --git a/glx/indirect_texture_compression.c b/glx/indirect_texture_compression.c
index cda7656..1ebf7f3 100644
--- a/glx/indirect_texture_compression.c
+++ b/glx/indirect_texture_compression.c
@@ -43,6 +43,8 @@ __glXDisp_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = *(GLenum *) (pc + 0);
@@ -87,6 +89,8 @@ __glXDispSwap_GetCompressedTexImage(struct __GLXclientStateRec *cl, GLbyte * pc)
__glXForceCurrent(cl, bswap_32(req->contextTag), &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
pc += __GLX_SINGLE_HDR_SIZE;
if (cx != NULL) {
const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0));
diff --git a/glx/single2.c b/glx/single2.c
index 53b661d..a6ea614 100644
--- a/glx/single2.c
+++ b/glx/single2.c
@@ -45,11 +45,14 @@
int
__glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -76,10 +79,13 @@ __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -104,7 +110,7 @@ __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
xGLXRenderModeReply reply;
__GLXcontext *cx;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -112,6 +118,8 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
GLenum newMode;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -188,7 +196,6 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -207,9 +214,12 @@ __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -223,10 +233,12 @@ __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDisp_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -317,7 +329,7 @@ __glXcombine_strings(const char *cext_string, const char *sext_string)
int
DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLenum name;
const char *string;
@@ -327,6 +339,8 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
char *buf = NULL, *buf1 = NULL;
GLint length = 0;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
/* If the client has the opposite byte order, swap the contextTag and
* the name.
*/
@@ -343,7 +357,6 @@ DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap)
pc += __GLX_SINGLE_HDR_SIZE;
name = *(GLenum *) (pc + 0);
string = (const char *) glGetString(name);
- client = cl->client;
if (string == NULL)
string = "";
diff --git a/glx/single2swap.c b/glx/single2swap.c
index 764501f..5349069 100644
--- a/glx/single2swap.c
+++ b/glx/single2swap.c
@@ -41,6 +41,7 @@
int
__glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
GLsizei size;
GLenum type;
@@ -48,6 +49,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
__GLXcontext *cx;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 8);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -77,12 +80,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
GLsizei size;
__GLX_DECLARE_SWAP_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -109,7 +115,7 @@ __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
{
- ClientPtr client;
+ ClientPtr client = cl->client;
__GLXcontext *cx;
xGLXRenderModeReply reply;
GLint nitems = 0, retBytes = 0, retval, newModeCheck;
@@ -120,6 +126,8 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_ARRAY_VARIABLES;
int error;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -200,7 +208,6 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
** selection array, as per the API for glRenderMode itself.
*/
noChangeAllowed:;
- client = cl->client;
reply = (xGLXRenderModeReply) {
.type = X_Reply,
.sequenceNumber = client->sequence,
@@ -224,11 +231,14 @@ __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -243,12 +253,14 @@ __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
__GLXcontext *cx;
- ClientPtr client;
int error;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_SIZE_MATCH(xGLXSingleReq);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -260,7 +272,6 @@ __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc)
cx->hasUnflushedCommands = GL_FALSE;
/* Send empty reply packet to indicate finish is finished */
- client = cl->client;
__GLX_BEGIN_REPLY(0);
__GLX_PUT_RETVAL(0);
__GLX_SWAP_REPLY_HEADER();
diff --git a/glx/singlepix.c b/glx/singlepix.c
index 8b6c261..54ed7fd 100644
--- a/glx/singlepix.c
+++ b/glx/singlepix.c
@@ -51,6 +51,8 @@ __glXDisp_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -100,6 +102,8 @@ __glXDisp_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -157,6 +161,8 @@ __glXDisp_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
GLubyte answerBuffer[200];
char *answer;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
return error;
@@ -217,15 +223,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
+ if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
- if (compsize2 < 0)
+ if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -249,7 +253,8 @@ int
__glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -257,7 +262,8 @@ int
__glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -323,7 +329,8 @@ int
__glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -331,7 +338,8 @@ int
__glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -390,7 +398,8 @@ int
__glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -398,7 +407,8 @@ int
__glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -450,7 +460,8 @@ int
__glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -458,7 +469,8 @@ int
__glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -517,7 +529,8 @@ int
__glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -525,6 +538,7 @@ int
__glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
-
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
diff --git a/glx/singlepixswap.c b/glx/singlepixswap.c
index 8dc304f..9eff592 100644
--- a/glx/singlepixswap.c
+++ b/glx/singlepixswap.c
@@ -53,6 +53,8 @@ __glXDispSwap_ReadPixels(__GLXclientState * cl, GLbyte * pc)
int error;
char *answer, answerBuffer[200];
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 28);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -114,6 +116,8 @@ __glXDispSwap_GetTexImage(__GLXclientState * cl, GLbyte * pc)
char *answer, answerBuffer[200];
GLint width = 0, height = 0, depth = 1;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 20);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -184,6 +188,8 @@ __glXDispSwap_GetPolygonStipple(__GLXclientState * cl, GLbyte * pc)
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 4);
+
__GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag);
cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error);
if (!cx) {
@@ -251,15 +257,13 @@ GetSeparableFilter(__GLXclientState * cl, GLbyte * pc, GLXContextTag tag)
compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1);
compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1);
- if (compsize < 0)
+ if ((compsize = safe_pad(compsize)) < 0)
return BadLength;
- if (compsize2 < 0)
+ if ((compsize2 = safe_pad(compsize2)) < 0)
return BadLength;
- compsize = __GLX_PAD(compsize);
- compsize2 = __GLX_PAD(compsize2);
glPixelStorei(GL_PACK_SWAP_BYTES, !swapBytes);
- __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1);
+ __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1);
__glXClearErrorOccured();
glGetSeparableFilter(*(GLenum *) (pc + 0), *(GLenum *) (pc + 4),
*(GLenum *) (pc + 8), answer, answer + compsize, NULL);
@@ -285,7 +289,9 @@ int
__glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -293,7 +299,9 @@ int
__glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -367,7 +375,9 @@ int
__glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -375,7 +385,9 @@ int
__glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -441,7 +453,9 @@ int
__glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -449,7 +463,9 @@ int
__glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -507,7 +523,9 @@ int
__glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -515,7 +533,9 @@ int
__glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
@@ -581,7 +601,9 @@ int
__glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXSingleReq, 16);
return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag);
}
@@ -589,6 +611,8 @@ int
__glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc)
{
const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc);
+ ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16);
return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag);
}
--
1.7.9.2
++++++ U_glx_Length_checking_for_non_generated_vendor_private_requests.patch ++++++
Subject: glx: Length-checking for non-generated vendor private requests
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Reviewed-by: Keith Packard
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/indirect_program.c | 2 ++
glx/swap_interval.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/glx/indirect_program.c b/glx/indirect_program.c
index cda139e..5caee7b 100644
--- a/glx/indirect_program.c
+++ b/glx/indirect_program.c
@@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc,
__GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error);
ClientPtr client = cl->client;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);
+
pc += __GLX_VENDPRIV_HDR_SIZE;
if (cx != NULL) {
GLenum target;
diff --git a/glx/swap_interval.c b/glx/swap_interval.c
index 17bc992..2320550 100644
--- a/glx/swap_interval.c
+++ b/glx/swap_interval.c
@@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap)
__GLXcontext *cx;
GLint interval;
+ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4);
+
cx = __glXLookupContextByTag(cl, tag);
if ((cx == NULL) || (cx->pGlxScreen == NULL)) {
--
1.7.9.2
++++++ U_glx_Pass_remaining_request_length_into_varsize.patch ++++++
++++ 915 lines (skipped)
++++++ U_glx_Request_length_checks_for_SetClientInfoARB.patch ++++++
Subject: glx: Request length checks for SetClientInfoARB
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/clientinfo.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/glx/clientinfo.c b/glx/clientinfo.c
index 4aaa4c9..c5fef30 100644
--- a/glx/clientinfo.c
+++ b/glx/clientinfo.c
@@ -33,18 +33,21 @@ static int
set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req,
unsigned bytes_per_version)
{
+ ClientPtr client = cl->client;
char *gl_extensions;
char *glx_extensions;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
/* Verify that the size of the packet matches the size inferred from the
* sizes specified for the various fields.
*/
- const unsigned expected_size = sz_xGLXSetClientInfoARBReq
- + (req->numVersions * bytes_per_version)
- + __GLX_PAD(req->numGLExtensionBytes)
- + __GLX_PAD(req->numGLXExtensionBytes);
+ int size = sz_xGLXSetClientInfoARBReq;
+ size = safe_add(size, safe_mul(req->numVersions, bytes_per_version));
+ size = safe_add(size, safe_pad(req->numGLExtensionBytes));
+ size = safe_add(size, safe_pad(req->numGLXExtensionBytes));
- if (req->length != (expected_size / 4))
+ if (size < 0 || req->length != (size / 4))
return BadLength;
/* Verify that the actual length of the GL extension string matches what's
@@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc;
+ REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq);
+
req->length = bswap_16(req->length);
req->numVersions = bswap_32(req->numVersions);
req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes);
--
1.7.9.2
++++++ U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch ++++++
Subject: glx: Top-level length checking for swapped VendorPrivate requests
References: bnc#907268, CVE-2014-8098
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Reviewed-by: Keith Packard
Reviewed-by: Julien Cristau
Reviewed-by: Michal Srb
Reviewed-by: Andy Ritger
Signed-off-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
glx/glxcmdsswap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
index 5d179f3..9ec1222 100644
--- a/glx/glxcmdsswap.c
+++ b/glx/glxcmdsswap.c
@@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq);
req = (xGLXVendorPrivateReq *) pc;
__GLX_SWAP_SHORT(&req->length);
@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc)
int
__glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc)
{
+ ClientPtr client = cl->client;
xGLXVendorPrivateWithReplyReq *req;
GLint vendorcode;
__GLXdispatchVendorPrivProcPtr proc;
__GLX_DECLARE_SWAP_VARIABLES;
+ REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq);
req = (xGLXVendorPrivateWithReplyReq *) pc;
__GLX_SWAP_SHORT(&req->length);
--
1.7.9.2
++++++ U_kdrive_extend_screen_option_syntax.patch ++++++
From 376f4de8ae927748417046390c24afbda24b0583 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?=
Date: Mon, 18 Aug 2014 08:45:41 -0300
Subject: kdrive: add support to +X+Y syntax in -screen option parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch enhances current -screen option parsing for kdrive-based
applications. It can parse strings like
<WIDTH>x<HEIGHT>+<XOFFSET>+<YOFFSET>, storing X and Y offsets
in KdScreenInfo instances.
For negative values, this patch supports +-X+-Y (not -X-Y) syntax.
It will allow e.g. proper Xephyr window placement for multiseat
purposes.
Signed-off-by: Laércio de Sousa
Reviewed-by: Keith Packard
Signed-off-by: Keith Packard
diff --git a/hw/kdrive/src/kdrive.c b/hw/kdrive/src/kdrive.c
index b5b91c0..5dbff3f 100644
--- a/hw/kdrive/src/kdrive.c
+++ b/hw/kdrive/src/kdrive.c
@@ -300,6 +300,8 @@ KdParseScreen(KdScreenInfo * screen, const char *arg)
screen->softCursor = kdSoftCursor;
screen->origin = kdOrigin;
screen->randr = RR_Rotate_0;
+ screen->x = 0;
+ screen->y = 0;
screen->width = 0;
screen->height = 0;
screen->width_mm = 0;
@@ -313,7 +315,7 @@ KdParseScreen(KdScreenInfo * screen, const char *arg)
return;
for (i = 0; i < 2; i++) {
- arg = KdParseFindNext(arg, "x/@XY", save, &delim);
+ arg = KdParseFindNext(arg, "x/+@XY", save, &delim);
if (!save[0])
return;
@@ -321,7 +323,7 @@ KdParseScreen(KdScreenInfo * screen, const char *arg)
mm = 0;
if (delim == '/') {
- arg = KdParseFindNext(arg, "x@XY", save, &delim);
+ arg = KdParseFindNext(arg, "x+@XY", save, &delim);
if (!save[0])
return;
mm = atoi(save);
@@ -335,7 +337,8 @@ KdParseScreen(KdScreenInfo * screen, const char *arg)
screen->height = pixels;
screen->height_mm = mm;
}
- if (delim != 'x' && delim != '@' && delim != 'X' && delim != 'Y' &&
+ if (delim != 'x' && delim != '+' && delim != '@' &&
+ delim != 'X' && delim != 'Y' &&
(delim != '\0' || i == 0))
return;
}
@@ -346,6 +349,18 @@ KdParseScreen(KdScreenInfo * screen, const char *arg)
kdSoftCursor = FALSE;
kdSubpixelOrder = SubPixelUnknown;
+ if (delim == '+') {
+ arg = KdParseFindNext(arg, "+@xXY", save, &delim);
+ if (save[0])
+ screen->x = atoi(save);
+ }
+
+ if (delim == '+') {
+ arg = KdParseFindNext(arg, "@xXY", save, &delim);
+ if (save[0])
+ screen->y = atoi(save);
+ }
+
if (delim == '@') {
arg = KdParseFindNext(arg, "xXY", save, &delim);
if (save[0]) {
@@ -425,7 +440,7 @@ KdUseMsg(void)
{
ErrorF("\nTinyX Device Dependent Usage:\n");
ErrorF
- ("-screen WIDTH[/WIDTHMM]xHEIGHT[/HEIGHTMM][@ROTATION][X][Y][xDEPTH/BPP[xFREQ]] Specify screen characteristics\n");
+ ("-screen WIDTH[/WIDTHMM]xHEIGHT[/HEIGHTMM][+[-]XOFFSET][+[-]YOFFSET][@ROTATION][X][Y][xDEPTH/BPP[xFREQ]] Specify screen characteristics\n");
ErrorF
("-rgba rgb/bgr/vrgb/vbgr/none Specify subpixel ordering for LCD panels\n");
ErrorF
diff --git a/hw/kdrive/src/kdrive.h b/hw/kdrive/src/kdrive.h
index 08b1681..066a134 100644
--- a/hw/kdrive/src/kdrive.h
+++ b/hw/kdrive/src/kdrive.h
@@ -89,6 +89,8 @@ typedef struct _KdScreenInfo {
ScreenPtr pScreen;
void *driver;
Rotation randr; /* rotation and reflection */
+ int x;
+ int y;
int width;
int height;
int rate;
--
cgit v0.10.2
++++++ U_os-Teach-vpnprintf-how-to-handle-.-s.patch ++++++
From: Jon TURNEY
Date: Thu Feb 5 20:29:48 2015 +0000
Subject: [PATCH]os: Teach vpnprintf() how to handle "%*.*s"
Patch-mainline: xorg-server-1.17.99.901
Git-commit: d3080d421bf0d91daea2e39bfc391c43d7fdad75
Git-repo: git://anongit.freedesktop.org/git/xorg/xserver
References: bsc#954321
Signed-off-by: Egbert Eich
XdmcpFatal uses the format specifier %*.*s, which vpnprintf() doesn't
understand, which causes a backtrace and prevents the reason for the XDMCP
failure being logged.
See also:
https://bugs.freedesktop.org/show_bug.cgi?id=66862
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758574
"%*.*s" is also currently used in a few other places, so teach vpnprintf() how
to handle it
$ fgrep -r "%*.*s" *
hw/dmx/config/scanner.l: fprintf(stderr, "parse error on line %d at token \"%*.*s\"\n",
hw/dmx/dmxlog.c: ErrorF("(%s) dmx[i%d/%*.*s]: ", type,
hw/dmx/input/dmxinputinit.c: dmxLogCont(dmxInfo, "\t[i%d/%*.*s",
os/access.c: ErrorF("Xserver: siAddrMatch(): type = %s, value = %*.*s -- %s\n",
os/access.c: ("Xserver: siCheckAddr(): type = %s, value = %*.*s, len = %d -- %s\n",
os/xdmcp.c: FatalError("XDMCP fatal error: %s %*.*s\n", type,
Signed-off-by: Jon TURNEY
Reviewed-by: Colin Harrison
---
os/log.c | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/os/log.c b/os/log.c
index 0532c2e..3db5c53 100644
--- a/os/log.c
+++ b/os/log.c
@@ -355,6 +355,7 @@ vpnprintf(char *string, int size_in, const char *f, va_list args)
uint64_t ui;
int64_t si;
size_t size = size_in;
+ int precision;
for (; f_idx < f_len && s_idx < size - 1; f_idx++) {
int length_modifier = 0;
@@ -365,9 +366,29 @@ vpnprintf(char *string, int size_in, const char *f, va_list args)
f_idx++;
- /* silently swallow digit length modifiers */
- while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9') || f[f_idx] == '.'))
+ /* silently swallow minimum field width */
+ if (f[f_idx] == '*') {
f_idx++;
+ va_arg(args, int);
+ } else {
+ while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9')))
+ f_idx++;
+ }
+
+ /* is there a precision? */
+ precision = size;
+ if (f[f_idx] == '.') {
+ f_idx++;
+ if (f[f_idx] == '*') {
+ f_idx++;
+ /* precision is supplied in an int argument */
+ precision = va_arg(args, int);
+ } else {
+ /* silently swallow precision digits */
+ while (f_idx < f_len && ((f[f_idx] >= '0' && f[f_idx] <= '9')))
+ f_idx++;
+ }
+ }
/* non-digit length modifiers */
if (f_idx < f_len) {
@@ -383,9 +404,8 @@ vpnprintf(char *string, int size_in, const char *f, va_list args)
switch (f[f_idx]) {
case 's':
string_arg = va_arg(args, char*);
- p_len = strlen_sigsafe(string_arg);
- for (i = 0; i < p_len && s_idx < size - 1; i++)
+ for (i = 0; string_arg[i] != 0 && s_idx < size - 1 && s_idx < precision; i++)
string[s_idx++] = string_arg[i];
break;
++++++ U_os-support-new-implicit-local-user-access-mode.patch ++++++
Subject: os: support new implicit local user access mode
Author: Ray Strode
Path-mainline: Upstream
Git-commit: 4b4b9086d02b80549981d205fb1f495edc373538
References: bnc#934102 CVE-2015-3164
Signed-off-by: Michal Srb
If the X server is started without a '-auth' argument, then
it gets started wide open to all local users on the system.
This isn't a great default access model, but changing it in
Xorg at this point would break backward compatibility.
Xwayland, on the other hand is new, and much more targeted
in scope. It could, in theory, be changed to allow the much
more secure default of a "user who started X server can connect
clients to that server."
This commit paves the way for that change, by adding a mechanism
for DDXs to opt-in to that behavior. They merely need to call
LocalAccessScopeUser()
in their init functions.
A subsequent commit will add that call for Xwayland.
Signed-off-by: Ray Strode
Reviewed-by: Daniel Stone
Reviewed-by: Alan Coopersmith
Signed-off-by: Keith Packard
diff --git a/include/os.h b/include/os.h
index 6638c84..b2b96c8 100644
--- a/include/os.h
+++ b/include/os.h
@@ -431,11 +431,28 @@ extern _X_EXPORT void
ResetHosts(const char *display);
extern _X_EXPORT void
+EnableLocalAccess(void);
+
+extern _X_EXPORT void
+DisableLocalAccess(void);
+
+extern _X_EXPORT void
EnableLocalHost(void);
extern _X_EXPORT void
DisableLocalHost(void);
+#ifndef NO_LOCAL_CLIENT_CRED
+extern _X_EXPORT void
+EnableLocalUser(void);
+
+extern _X_EXPORT void
+DisableLocalUser(void);
+
+extern _X_EXPORT void
+LocalAccessScopeUser(void);
+#endif
+
extern _X_EXPORT void
AccessUsingXdmcp(void);
diff --git a/os/access.c b/os/access.c
index 8fa028e..75e7a69 100644
--- a/os/access.c
+++ b/os/access.c
@@ -102,6 +102,10 @@ SOFTWARE.
#include
#include
+#ifndef NO_LOCAL_CLIENT_CRED
+#include
+#endif
+
#if defined(TCPCONN) || defined(STREAMSCONN)
#include
#endif /* TCPCONN || STREAMSCONN */
@@ -225,6 +229,13 @@ static int LocalHostEnabled = FALSE;
static int LocalHostRequested = FALSE;
static int UsingXdmcp = FALSE;
+static enum {
+ LOCAL_ACCESS_SCOPE_HOST = 0,
+#ifndef NO_LOCAL_CLIENT_CRED
+ LOCAL_ACCESS_SCOPE_USER,
+#endif
+} LocalAccessScope;
+
/* FamilyServerInterpreted implementation */
static Bool siAddrMatch(int family, void *addr, int len, HOST * host,
ClientPtr client);
@@ -237,6 +248,21 @@ static void siTypesInitialize(void);
*/
void
+EnableLocalAccess(void)
+{
+ switch (LocalAccessScope) {
+ case LOCAL_ACCESS_SCOPE_HOST:
+ EnableLocalHost();
+ break;
+#ifndef NO_LOCAL_CLIENT_CRED
+ case LOCAL_ACCESS_SCOPE_USER:
+ EnableLocalUser();
+ break;
+#endif
+ }
+}
+
+void
EnableLocalHost(void)
{
if (!UsingXdmcp) {
@@ -249,6 +275,21 @@ EnableLocalHost(void)
* called when authorization is enabled to keep us secure
*/
void
+DisableLocalAccess(void)
+{
+ switch (LocalAccessScope) {
+ case LOCAL_ACCESS_SCOPE_HOST:
+ DisableLocalHost();
+ break;
+#ifndef NO_LOCAL_CLIENT_CRED
+ case LOCAL_ACCESS_SCOPE_USER:
+ DisableLocalUser();
+ break;
+#endif
+ }
+}
+
+void
DisableLocalHost(void)
{
HOST *self;
@@ -262,6 +303,74 @@ DisableLocalHost(void)
}
}
+#ifndef NO_LOCAL_CLIENT_CRED
+static int GetLocalUserAddr(char **addr)
+{
+ static const char *type = "localuser";
+ static const char delimiter = '\0';
+ static const char *value;
+ struct passwd *pw;
+ int length = -1;
+
+ pw = getpwuid(getuid());
+
+ if (pw == NULL || pw->pw_name == NULL)
+ goto out;
+
+ value = pw->pw_name;
+
+ length = asprintf(addr, "%s%c%s", type, delimiter, value);
+
+ if (length == -1) {
+ goto out;
+ }
+
+ /* Trailing NUL */
+ length++;
+
+out:
+ return length;
+}
+
+void
+EnableLocalUser(void)
+{
+ char *addr = NULL;
+ int length = -1;
+
+ length = GetLocalUserAddr(&addr);
+
+ if (length == -1)
+ return;
+
+ NewHost(FamilyServerInterpreted, addr, length, TRUE);
+
+ free(addr);
+}
+
+void
+DisableLocalUser(void)
+{
+ char *addr = NULL;
+ int length = -1;
+
+ length = GetLocalUserAddr(&addr);
+
+ if (length == -1)
+ return;
+
+ RemoveHost(NULL, FamilyServerInterpreted, length, addr);
+
+ free(addr);
+}
+
+void
+LocalAccessScopeUser(void)
+{
+ LocalAccessScope = LOCAL_ACCESS_SCOPE_USER;
+}
+#endif
+
/*
* called at init time when XDMCP will be used; xdmcp always
* adds local hosts manually when needed
diff --git a/os/auth.c b/os/auth.c
index 5fcb538..7da6fc6 100644
--- a/os/auth.c
+++ b/os/auth.c
@@ -181,11 +181,11 @@ CheckAuthorization(unsigned int name_length,
/*
* If the authorization file has at least one entry for this server,
- * disable local host access. (loadauth > 0)
+ * disable local access. (loadauth > 0)
*
* If there are zero entries (either initially or when the
* authorization file is later reloaded), or if a valid
- * authorization file was never loaded, enable local host access.
+ * authorization file was never loaded, enable local access.
* (loadauth == 0 || !loaded)
*
* If the authorization file was loaded initially (with valid
@@ -194,11 +194,11 @@ CheckAuthorization(unsigned int name_length,
*/
if (loadauth > 0) {
- DisableLocalHost(); /* got at least one */
+ DisableLocalAccess(); /* got at least one */
loaded = TRUE;
}
else if (loadauth == 0 || !loaded)
- EnableLocalHost();
+ EnableLocalAccess();
}
if (name_length) {
for (i = 0; i < NUM_AUTHORIZATION; i++) {
++++++ U_present_unvalidated_lengths_in_Present_extension_procs.patch ++++++
Subject: present: unvalidated lengths in Present extension procs
References: bnc#907268, CVE-2014-8103
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
Reviewed-by: Julien Cristau
---
present/present_request.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/present/present_request.c b/present/present_request.c
index 835890d..7c53e72 100644
--- a/present/present_request.c
+++ b/present/present_request.c
@@ -210,6 +210,7 @@ proc_present_query_capabilities (ClientPtr client)
RRCrtcPtr crtc = NULL;
int r;
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
r = dixLookupWindow(&window, stuff->target, client, DixGetAttrAccess);
switch (r) {
case Success:
@@ -254,6 +255,7 @@ static int
sproc_present_query_version(ClientPtr client)
{
REQUEST(xPresentQueryVersionReq);
+ REQUEST_SIZE_MATCH(xPresentQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
@@ -265,6 +267,7 @@ static int
sproc_present_pixmap(ClientPtr client)
{
REQUEST(xPresentPixmapReq);
+ REQUEST_AT_LEAST_SIZE(xPresentPixmapReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -284,6 +287,7 @@ static int
sproc_present_notify_msc(ClientPtr client)
{
REQUEST(xPresentNotifyMSCReq);
+ REQUEST_SIZE_MATCH(xPresentNotifyMSCReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -297,6 +301,7 @@ static int
sproc_present_select_input (ClientPtr client)
{
REQUEST(xPresentSelectInputReq);
+ REQUEST_SIZE_MATCH(xPresentSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
@@ -308,6 +313,7 @@ static int
sproc_present_query_capabilities (ClientPtr client)
{
REQUEST(xPresentQueryCapabilitiesReq);
+ REQUEST_SIZE_MATCH(xPresentQueryCapabilitiesReq);
swaps(&stuff->length);
swapl(&stuff->target);
return (*proc_present_vector[stuff->presentReqType]) (client);
--
1.7.9.2
++++++ U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch ++++++
Subject: randr: unvalidated lengths in RandR extension swapped procs
References: bnc#907268, CVE-2014-8101
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
randr/rrsdispatch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c
index 08c3b6a..47558cf 100644
--- a/randr/rrsdispatch.c
+++ b/randr/rrsdispatch.c
@@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client)
{
REQUEST(xRRQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRRQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
swapl(&stuff->minorVersion);
@@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client)
{
REQUEST(xRRGetScreenInfoReq);
+ REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
swaps(&stuff->length);
swapl(&stuff->window);
return (*ProcRandrVector[stuff->randrReqType]) (client);
@@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client)
{
REQUEST(xRRSelectInputReq);
+ REQUEST_SIZE_MATCH(xRRSelectInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
swaps(&stuff->enable);
@@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client)
{
REQUEST(xRRConfigureOutputPropertyReq);
+ REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq);
swaps(&stuff->length);
swapl(&stuff->output);
swapl(&stuff->property);
--
1.7.9.2
++++++ U_render_check_request_size_before_reading_it.patch ++++++
Subject: render: check request size before reading it
References: bnc#907268, CVE-2014-8100
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Otherwise we may be reading outside of the client request.
Signed-off-by: Julien Cristau
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
render/render.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/render/render.c b/render/render.c
index e3031da..200e0c8 100644
--- a/render/render.c
+++ b/render/render.c
@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
REQUEST(xRenderQueryVersionReq);
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+
pRenderClient->major_version = stuff->majorVersion;
pRenderClient->minor_version = stuff->minorVersion;
- REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
-
if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
(SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
rep.majorVersion = stuff->majorVersion;
--
1.7.9.2
++++++ U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch ++++++
Subject: render: unvalidated lengths in Render extn. swapped procs
References: bnc#907268, CVE-2014-8100
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
render/render.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/render/render.c b/render/render.c
index 200e0c8..723f380 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1995,7 +1995,7 @@ static int
SProcRenderQueryVersion(ClientPtr client)
{
REQUEST(xRenderQueryVersionReq);
-
+ REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
swaps(&stuff->length);
swapl(&stuff->majorVersion);
swapl(&stuff->minorVersion);
@@ -2006,6 +2006,7 @@ static int
SProcRenderQueryPictFormats(ClientPtr client)
{
REQUEST(xRenderQueryPictFormatsReq);
+ REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq);
swaps(&stuff->length);
return (*ProcRenderVector[stuff->renderReqType]) (client);
}
@@ -2014,6 +2015,7 @@ static int
SProcRenderQueryPictIndexValues(ClientPtr client)
{
REQUEST(xRenderQueryPictIndexValuesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq);
swaps(&stuff->length);
swapl(&stuff->format);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2029,6 +2031,7 @@ static int
SProcRenderCreatePicture(ClientPtr client)
{
REQUEST(xRenderCreatePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq);
swaps(&stuff->length);
swapl(&stuff->pid);
swapl(&stuff->drawable);
@@ -2042,6 +2045,7 @@ static int
SProcRenderChangePicture(ClientPtr client)
{
REQUEST(xRenderChangePictureReq);
+ REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq);
swaps(&stuff->length);
swapl(&stuff->picture);
swapl(&stuff->mask);
@@ -2053,6 +2057,7 @@ static int
SProcRenderSetPictureClipRectangles(ClientPtr client)
{
REQUEST(xRenderSetPictureClipRectanglesReq);
+ REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq);
swaps(&stuff->length);
swapl(&stuff->picture);
swaps(&stuff->xOrigin);
@@ -2065,6 +2070,7 @@ static int
SProcRenderFreePicture(ClientPtr client)
{
REQUEST(xRenderFreePictureReq);
+ REQUEST_SIZE_MATCH(xRenderFreePictureReq);
swaps(&stuff->length);
swapl(&stuff->picture);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2074,6 +2080,7 @@ static int
SProcRenderComposite(ClientPtr client)
{
REQUEST(xRenderCompositeReq);
+ REQUEST_SIZE_MATCH(xRenderCompositeReq);
swaps(&stuff->length);
swapl(&stuff->src);
swapl(&stuff->mask);
@@ -2093,6 +2100,7 @@ static int
SProcRenderScale(ClientPtr client)
{
REQUEST(xRenderScaleReq);
+ REQUEST_SIZE_MATCH(xRenderScaleReq);
swaps(&stuff->length);
swapl(&stuff->src);
swapl(&stuff->dst);
@@ -2193,6 +2201,7 @@ static int
SProcRenderCreateGlyphSet(ClientPtr client)
{
REQUEST(xRenderCreateGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->gsid);
swapl(&stuff->format);
@@ -2203,6 +2212,7 @@ static int
SProcRenderReferenceGlyphSet(ClientPtr client)
{
REQUEST(xRenderReferenceGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->gsid);
swapl(&stuff->existing);
@@ -2213,6 +2223,7 @@ static int
SProcRenderFreeGlyphSet(ClientPtr client)
{
REQUEST(xRenderFreeGlyphSetReq);
+ REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
return (*ProcRenderVector[stuff->renderReqType]) (client);
@@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client)
xGlyphInfo *gi;
REQUEST(xRenderAddGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
swapl(&stuff->nglyphs);
@@ -2261,6 +2273,7 @@ static int
SProcRenderFreeGlyphs(ClientPtr client)
{
REQUEST(xRenderFreeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq);
swaps(&stuff->length);
swapl(&stuff->glyphset);
SwapRestL(stuff);
@@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client)
int size;
REQUEST(xRenderCompositeGlyphsReq);
+ REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq);
switch (stuff->renderReqType) {
default:
--
1.7.9.2
++++++ U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch ++++++
Subject: unchecked malloc may allow unauthed client to crash Xserver
References: bnc#907268, CVE-2014-8091
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
os/rpcauth.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/os/rpcauth.c b/os/rpcauth.c
index d60ea35..413cc61 100644
--- a/os/rpcauth.c
+++ b/os/rpcauth.c
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
SVCXPRT xprt;
temp_inmsg = malloc(len);
+ if (temp_inmsg == NULL) {
+ why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+ return NULL;
+ }
memmove(temp_inmsg, inmsg, len);
memset((char *) &msg, 0, sizeof(msg));
--
1.7.9.2
++++++ U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch ++++++
Subject: xcmisc: unvalidated length in SProcXCMiscGetXIDList()
References: bnc#907268, CVE-2014-8096
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
Xext/xcmisc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
index 034bfb6..1e91010 100644
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@@ -167,6 +167,7 @@ static int
SProcXCMiscGetXIDList(ClientPtr client)
{
REQUEST(xXCMiscGetXIDListReq);
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
swaps(&stuff->length);
swapl(&stuff->count);
--
1.7.9.2
++++++ U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch ++++++
Subject: xfixes: unvalidated length in SProcXFixesSelectSelectionInput
References: bnc#907268, CVE-2014-8102
Patch-Mainline: Upstream
Signed-off-by: Michal Srb
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
---
xfixes/select.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/xfixes/select.c b/xfixes/select.c
index c088ed3..e964d58 100644
--- a/xfixes/select.c
+++ b/xfixes/select.c
@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client)
{
REQUEST(xXFixesSelectSelectionInputReq);
+ REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq);
swaps(&stuff->length);
swapl(&stuff->window);
swapl(&stuff->selection);
--
1.7.9.2
++++++ U_xkb-check-strings-length-against-request-size.patch ++++++
Git-commit: cc830bd3a5b44796f1e8721f336dca4f565a8130
Author: Olivier Fourdan
Subject: xkb: Check strings length against request size
References: bnc#915810, CVE-2015-0255
Signed-off-by: Michal Srb
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
Signed-off-by: Olivier Fourdan
---
xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------
1 file changed, 40 insertions(+), 25 deletions(-)
Index: xorg-server-1.15.2/xkb/xkb.c
===================================================================
--- xorg-server-1.15.2.orig/xkb/xkb.c
+++ xorg-server-1.15.2/xkb/xkb.c
@@ -4957,26 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client)
/***====================================================================***/
-static char *
-_GetCountedString(char **wire_inout, Bool swap)
+static Status
+_GetCountedString(char **wire_inout, ClientPtr client, char **str)
{
- char *wire, *str;
- CARD16 len, *plen;
+ char *wire, *next;
+ CARD16 len;
wire = *wire_inout;
- plen = (CARD16 *) wire;
- if (swap) {
- swaps(plen);
- }
- len = *plen;
- str = malloc(len + 1);
- if (str) {
- memcpy(str, &wire[2], len);
- str[len] = '\0';
+ len = *(CARD16 *) wire;
+ if (client->swapped) {
+ swaps(&len);
}
- wire += XkbPaddedSize(len + 2);
- *wire_inout = wire;
- return str;
+ next = wire + XkbPaddedSize(len + 2);
+ /* Check we're still within the size of the request */
+ if (client->req_len <
+ bytes_to_int32(next - (char *) client->requestBuffer))
+ return BadValue;
+ *str = malloc(len + 1);
+ if (!*str)
+ return BadAlloc;
+ memcpy(*str, &wire[2], len);
+ *(*str + len) = '\0';
+ *wire_inout = next;
+ return Success;
}
static Status
@@ -4986,6 +4989,7 @@ _CheckSetDoodad(char **wire_inout,
char *wire;
xkbDoodadWireDesc *dWire;
XkbDoodadPtr doodad;
+ Status status;
dWire = (xkbDoodadWireDesc *) (*wire_inout);
wire = (char *) &dWire[1];
@@ -5033,8 +5037,14 @@ _CheckSetDoodad(char **wire_inout,
doodad->text.width = dWire->text.width;
doodad->text.height = dWire->text.height;
doodad->text.color_ndx = dWire->text.colorNdx;
- doodad->text.text = _GetCountedString(&wire, client->swapped);
- doodad->text.font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->text.text);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &doodad->text.font);
+ if (status != Success) {
+ free (doodad->text.text);
+ return status;
+ }
break;
case XkbIndicatorDoodad:
if (dWire->indicator.onColorNdx >= geom->num_colors) {
@@ -5069,7 +5079,9 @@ _CheckSetDoodad(char **wire_inout,
}
doodad->logo.color_ndx = dWire->logo.colorNdx;
doodad->logo.shape_ndx = dWire->logo.shapeNdx;
- doodad->logo.logo_name = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &doodad->logo.logo_name);
+ if (status != Success)
+ return status;
break;
default:
client->errorValue = _XkbErrCode2(0x4F, dWire->any.type);
@@ -5301,18 +5313,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
char *wire;
wire = (char *) &req[1];
- geom->label_font = _GetCountedString(&wire, client->swapped);
+ status = _GetCountedString(&wire, client, &geom->label_font);
+ if (status != Success)
+ return status;
for (i = 0; i < req->nProperties; i++) {
char *name, *val;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
- val = _GetCountedString(&wire, client->swapped);
- if (!val) {
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
+ status = _GetCountedString(&wire, client, &val);
+ if (status != Success) {
free(name);
- return BadAlloc;
+ return status;
}
if (XkbAddGeomProperty(geom, name, val) == NULL) {
free(name);
@@ -5346,9 +5360,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe
for (i = 0; i < req->nColors; i++) {
char *name;
- name = _GetCountedString(&wire, client->swapped);
- if (!name)
- return BadAlloc;
+ status = _GetCountedString(&wire, client, &name);
+ if (status != Success)
+ return status;
if (!XkbAddGeomColor(geom, name, geom->num_colors)) {
free(name);
return BadAlloc;
++++++ U_xwayland-default-to-local-user-if-no-xauth-file-given.patch ++++++
Subject: xwayland: default to local user if no xauth file given.
Author: Ray Strode
Path-mainline: Upstream
Git-commit: 76636ac12f2d1dbdf7be08222f80e7505d53c451
References: bnc#934102 CVE-2015-3164
Signed-off-by: Michal Srb
Right now if "-auth" isn't passed on the command line, we let
any user on the system connect to the Xwayland server.
That's clearly suboptimal, given Xwayland is generally designed
to be used by one user at a time.
This commit changes the behavior, so only the user who started the
X server can connect clients to it.
Signed-off-by: Ray Strode
Reviewed-by: Daniel Stone
Reviewed-by: Alan Coopersmith
Signed-off-by: Keith Packard
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index c5bee77..bc92beb 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -702,4 +702,6 @@ InitOutput(ScreenInfo * screen_info, int argc, char **argv)
if (AddScreen(xwl_screen_init, argc, argv) == -1) {
FatalError("Couldn't add screen\n");
}
+
+ LocalAccessScopeUser();
}
++++++ U_xwayland-enable-access-control-on-open-socket.patch ++++++
Subject: xwayland: Enable access control on open sockets
Author: Ray Strode
Path-mainline: Upstream
Git-commit: c4534a38b68aa07fb82318040dc8154fb48a9588
References: bnc#934102 CVE-2015-3164
Signed-off-by: Michal Srb
Xwayland currently allows wide-open access to the X sockets
it listens on, ignoring Xauth access control.
This commit makes sure to enable access control on the sockets,
so one user can't snoop on another user's X-over-wayland
applications.
Signed-off-by: Ray Strode
Reviewed-by: Daniel Stone
Reviewed-by: Alan Coopersmith
Signed-off-by: Keith Packard
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 7e8d667..c5bee77 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -483,7 +483,7 @@ listen_on_fds(struct xwl_screen *xwl_screen)
int i;
for (i = 0; i < xwl_screen->listen_fd_count; i++)
- ListenOnOpenFD(xwl_screen->listen_fds[i], TRUE);
+ ListenOnOpenFD(xwl_screen->listen_fds[i], FALSE);
}
static void
++++++ b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch ++++++
From d1d9d4e5f8f9ac1d22e1258759d6ee9e49c7fe90 Mon Sep 17 00:00:00 2001
From: Egbert Eich
Date: Fri, 9 Apr 2010 15:10:32 +0200
Subject: [PATCH] Prevent XSync Alarms from senslessly calling CheckTrigger() when inactive.
If an XSync Alarm is set to inactive there is no need to check if a trigger
needs to fire. Doing so if the counter is the IdleCounter will put the
server on 100 percent CPU load since the select timeout is set to 0.
---
xorg-server-1.8.0/Xext/sync.c | 11 +++++++++--
xorg-server-1.8.0/Xext/syncsrv.h | 1 +
2 files changed, 10 insertions(+), 2 deletions(-)
Index: xorg-server-1.8.0/Xext/sync.c
===================================================================
--- xorg-server-1.8.0.orig/Xext/sync.c
+++ xorg-server-1.8.0/Xext/sync.c
@@ -518,6 +518,10 @@ SyncAlarmTriggerFired(SyncTrigger *pTrig
pAlarm->state = XSyncAlarmInactive;
}
}
+ /* Stop server from looping! */
+ if (pAlarm->state == XSyncAlarmInactive)
+ SyncDeleteTriggerFromCounter(&pAlarm->trigger);
+
/* The AlarmNotify event has to have the "new state of the alarm"
* which we can't be sure of until this point. However, it has
* to have the "old" trigger test value. That's the reason for
@@ -730,7 +734,7 @@ SyncChangeAlarmAttributes(ClientPtr clie
XSyncCounter counter;
Mask origmask = mask;
- counter = pAlarm->trigger.pCounter ? pAlarm->trigger.pCounter->id : None;
+ counter = pAlarm->counter_id;
while (mask)
{
@@ -741,7 +745,7 @@ SyncChangeAlarmAttributes(ClientPtr clie
case XSyncCACounter:
mask &= ~XSyncCACounter;
/* sanity check in SyncInitTrigger */
- counter = *values++;
+ counter = pAlarm->counter_id = *values++;
break;
case XSyncCAValueType:
@@ -808,6 +812,14 @@ SyncChangeAlarmAttributes(ClientPtr clie
return BadMatch;
}
}
+ if (pAlarm->state == XSyncAlarmInactive) {
+ /*
+ * If we are inactive the trigger has been deleted from the counter.
+ * Persuade SyncInitTrigger() to readd it.
+ */
+ origmask |= XSyncCACounter;
+ pAlarm->trigger.pCounter = NULL;
+ }
/* postpone this until now, when we're sure nothing else can go wrong */
if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter,
@@ -815,6 +827,7 @@ SyncChangeAlarmAttributes(ClientPtr clie
return status;
/* XXX spec does not really say to do this - needs clarification */
+ /* It's the only place where it is set to XSyncAlarmActive! */
pAlarm->state = XSyncAlarmActive;
return Success;
}
@@ -1617,8 +1630,10 @@ ProcSyncCreateAlarm(ClientPtr client)
pAlarm->client = client;
pAlarm->alarm_id = stuff->id;
+ pAlarm->counter_id = None;
XSyncIntToValue(&pAlarm->delta, 1L);
pAlarm->events = TRUE;
+ /* SyncChangeAlarmAttributes() changes this - no need to set this here! */
pAlarm->state = XSyncAlarmInactive;
pAlarm->pEventClients = NULL;
status = SyncChangeAlarmAttributes(client, pAlarm, vmask,
Index: xorg-server-1.8.0/Xext/syncsrv.h
===================================================================
--- xorg-server-1.8.0.orig/Xext/syncsrv.h
+++ xorg-server-1.8.0/Xext/syncsrv.h
@@ -129,6 +129,7 @@ typedef struct _SyncAlarm {
int events;
int state;
SyncAlarmClientList *pEventClients;
+ XSyncCounter counter_id;
} SyncAlarm;
typedef struct {
++++++ b_cache-xkbcomp-output-for-fast-start-up.patch ++++++
From 0f70ba9d3412b17ac4e08e33e1be3c226c06ea54 Mon Sep 17 00:00:00 2001
From: Yan Li
Date: Tue, 12 May 2009 17:49:07 +0800
Subject: [PATCH] XKB: cache xkbcomp output for fast start-up v5 for 1.6.1
Organization: Intel
xkbcomp outputs will be cached in files with hashed keymap as
names. This saves boot time for around 1s on commodity netbooks.
Signed-off-by: Yan Li
================================================================================
--- xorg-server-1.7.99/configure.ac
+++ xorg-server-1.7.99/configure.ac
@@ -527,9 +527,9 @@
AC_ARG_WITH(xkb-path, AS_HELP_STRING([--with-xkb-path=PATH], [Path to XKB base dir (default: ${datadir}/X11/xkb)]),
[ XKBPATH="$withval" ],
[ XKBPATH="${datadir}/X11/xkb" ])
-AC_ARG_WITH(xkb-output, AS_HELP_STRING([--with-xkb-output=PATH], [Path to XKB output dir (default: ${datadir}/X11/xkb/compiled)]),
+AC_ARG_WITH(xkb-output, AS_HELP_STRING([--with-xkb-output=PATH], [Path to XKB output dir (default: ${localstatedir}/cache/xkb)]),
[ XKBOUTPUT="$withval" ],
- [ XKBOUTPUT="compiled" ])
+ [ XKBOUTPUT="${localstatedir}/cache/xkb" ])
AC_ARG_WITH(default-xkb-rules, AS_HELP_STRING([--with-default-xkb-rules=RULES],
[Keyboard ruleset (default: base/evdev)]),
[ XKB_DFLT_RULES="$withval" ],
@@ -1160,7 +1160,7 @@
dnl Make sure XKM_OUTPUT_DIR is an absolute path
XKBOUTPUT_FIRSTCHAR=`echo $XKBOUTPUT | cut -b 1`
if [[ x$XKBOUTPUT_FIRSTCHAR != x/ -a x$XKBOUTPUT_FIRSTCHAR != 'x$' ]] ; then
- XKBOUTPUT="$XKB_BASE_DIRECTORY/$XKBOUTPUT"
+ AC_MSG_ERROR([xkb-output must be an absolute path.])
fi
dnl XKM_OUTPUT_DIR (used in code) must end in / or file names get hosed
--- xorg-server-1.7.99/xkb/README.compiled
+++ xorg-server-1.7.99/xkb/README.compiled
@@ -4,10 +4,10 @@
or some other tool might destroy or replace the files in this directory,
so it is not a safe place to store compiled keymaps for long periods of
time. The default keymap for any server is usually stored in:
- X<num>-default.xkm
-where <num> is the display number of the server in question, which makes
-it possible for several servers *on the same host* to share the same
-directory.
+ server-<SHA1>.xkm
+
+where <SHA1> is the SHA1 hash of keymap source, so that compiled
+keymap of different keymap sources are stored in different files.
Unless the X server is modified, sharing this directory between servers on
different hosts could cause problems.
--- xorg-server-1.9.0/xkb/ddxLoad.c.orig 2010-07-14 22:23:17.000000000 +0200
+++ xorg-server-1.9.0/xkb/ddxLoad.c 2010-08-23 15:23:47.000000000 +0200
@@ -30,6 +30,12 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include
+#ifdef HAVE_SHA1_IN_LIBMD /* Use libmd for SHA1 */
+# include
+#else /* Use OpenSSL's libcrypto */
+# include /* buggy openssl/sha.h wants size_t */
+# include
+#endif
#include
#include
#include
@@ -43,24 +49,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#define XKBSRV_NEED_FILE_FUNCS
#include
#include
+#include
#include "xkb.h"
#if defined(CSRG_BASED) || defined(linux) || defined(__GNU__)
#include
#endif
- /*
- * If XKM_OUTPUT_DIR specifies a path without a leading slash, it is
- * relative to the top-level XKB configuration directory.
- * Making the server write to a subdirectory of that directory
- * requires some work in the general case (install procedure
- * has to create links to /var or somesuch on many machines),
- * so we just compile into /usr/tmp for now.
- */
-#ifndef XKM_OUTPUT_DIR
-#define XKM_OUTPUT_DIR "compiled/"
-#endif
-
#define PRE_ERROR_MSG "\"The XKEYBOARD keymap compiler (xkbcomp) reports:\""
#define ERROR_PREFIX "\"> \""
#define POST_ERROR_MSG1 "\"Errors from xkbcomp are not fatal to the X server\""
@@ -175,6 +170,45 @@ OutputDirectory(
}
static Bool
+Sha1Asc(char sha1Asc[SHA_DIGEST_LENGTH*2+1], const char * input)
+{
+ int i;
+ unsigned char sha1[SHA_DIGEST_LENGTH];
+
+#ifdef HAVE_SHA1_IN_LIBMD /* Use libmd for SHA1 */
+ SHA1_CTX ctx;
+
+ SHA1Init (&ctx);
+ SHA1Update (&ctx, input, strlen(input));
+ SHA1Final (sha1, &ctx);
+#else /* Use OpenSSL's libcrypto */
+ SHA_CTX ctx;
+ int success;
+
+ success = SHA1_Init (&ctx);
+ if (! success)
+ return BadAlloc;
+
+ success = SHA1_Update (&ctx, input, strlen(input));
+ if (! success)
+ return BadAlloc;
+
+ success = SHA1_Final (sha1, &ctx);
+ if (! success)
+ return BadAlloc;
+#endif
+
+ /* convert sha1 to sha1_asc */
+ for(i=0; i nameRtrnLen) && nameRtrn) {
+ ErrorF("[xkb] nameRtrn too small to hold xkmfile name\n");
+ return FALSE;
+ }
+ strncpy(nameRtrn, xkmfile, nameRtrnLen);
+
+ /* if the xkm file already exists, reuse it */
+ canonicalXkmFileName = Xprintf("%s%s.xkm", xkm_output_dir, xkmfile);
+ if (access(canonicalXkmFileName, R_OK) == 0) {
+ /* yes, we can reuse the old xkm file */
+ LogMessage(X_INFO, "XKB: reuse xkmfile %s\n", canonicalXkmFileName);
+ result = TRUE;
+ goto _ret;
+ }
+ LogMessage(X_INFO, "XKB: generating xkmfile %s\n", canonicalXkmFileName);
+
+ /* continue to call xkbcomp to compile the keymap. to avoid race
+ condition, we compile it to a tmpfile then rename it to
+ xkmfile */
+
+
#ifdef WIN32
strcpy(tmpname, Win32TempDir());
strcat(tmpname, "\\xkb_XXXXXX");
@@ -225,14 +318,20 @@ XkbDDXCompileKeymapByNames( XkbDescPtr
}
}
+ if ( (tmpXkmFile = tempnam(xkm_output_dir, NULL)) == NULL ) {
+ ErrorF("[xkb] Can't generate temp xkm file name");
+ result = FALSE;
+ goto _ret;
+ }
+
buf = Xprintf("\"%s%sxkbcomp\" -w %d %s -xkm \"%s\" "
- "-em1 %s -emp %s -eml %s \"%s%s.xkm\"",
+ "-em1 %s -emp %s -eml %s \"%s\"",
xkbbindir, xkbbindirsep,
( (xkbDebugFlags < 2) ? 1 :
((xkbDebugFlags > 10) ? 10 : (int)xkbDebugFlags) ),
- xkbbasedirflag ? xkbbasedirflag : "", xkmfile,
+ xkbbasedirflag ? xkbbasedirflag : "", xkbfile,
PRE_ERROR_MSG, ERROR_PREFIX, POST_ERROR_MSG1,
- xkm_output_dir, keymap);
+ tmpXkmFile);
free(xkbbasedirflag);
@@ -240,7 +339,12 @@ XkbDDXCompileKeymapByNames( XkbDescPtr
LogMessage(X_ERROR, "XKB: Could not invoke xkbcomp: not enough memory\n");
return FALSE;
}
-
+
+ /* there's a potential race condition between calling tempnam()
+ and invoking xkbcomp to write the result file (potential temp
+ file name conflicts), but since xkbcomp is a standalone
+ program, we have to live with this */
+
#ifndef WIN32
out= Popen(buf,"w");
#else
@@ -248,31 +352,42 @@ XkbDDXCompileKeymapByNames( XkbDescPtr
#endif
if (out!=NULL) {
-#ifdef DEBUG
- if (xkbDebugFlags) {
- ErrorF("[xkb] XkbDDXCompileKeymapByNames compiling keymap:\n");
- XkbWriteXKBKeymapForNames(stderr,names,xkb,want,need);
- }
-#endif
- XkbWriteXKBKeymapForNames(out,names,xkb,want,need);
+ /* write XKBKeyMapBuf to xkbcomp */
+ if (EOF==fputs(xkbKeyMapBuf, out))
+ {
+ ErrorF("[xkb] Sending keymap to xkbcomp failed\n");
+ result = FALSE;
+ goto _ret;
+ }
#ifndef WIN32
if (Pclose(out)==0)
#else
if (fclose(out)==0 && System(buf) >= 0)
#endif
{
+ /* xkbcomp success */
if (xkbDebugFlags)
DebugF("[xkb] xkb executes: %s\n",buf);
- if (nameRtrn) {
- strncpy(nameRtrn,keymap,nameRtrnLen);
- nameRtrn[nameRtrnLen-1]= '\0';
+ /* if canonicalXkmFileName already exists now, we simply
+ overwrite it, this is OK */
+ ret = rename(tmpXkmFile, canonicalXkmFileName);
+ if (0 != ret) {
+ ErrorF("[xkb] Can't rename %s to %s, error: %s\n",
+ tmpXkmFile, canonicalXkmFileName,
+ strerror(errno));
+
+ /* in case of error, don't unlink tmpXkmFile, leave it
+ for debugging */
+
+ result = FALSE;
+ goto _ret;
}
- if (buf != NULL)
- free(buf);
- return TRUE;
+
+ result = TRUE;
+ goto _ret;
}
else
- LogMessage(X_ERROR, "Error compiling keymap (%s)\n", keymap);
+ LogMessage(X_ERROR, "Error compiling keymap (%s)\n", xkbfile);
#ifdef WIN32
/* remove the temporary file */
unlink(tmpname);
@@ -289,7 +404,17 @@ XkbDDXCompileKeymapByNames( XkbDescPtr
nameRtrn[0]= '\0';
if (buf != NULL)
free(buf);
- return FALSE;
+ result = FALSE;
+
+_ret:
+ if (tmpXkmFile)
+ free(tmpXkmFile);
+ if (canonicalXkmFileName)
+ xfree(canonicalXkmFileName);
+ if (buf != NULL)
+ xfree (buf);
+
+ return result;
}
static FILE *
@@ -373,7 +498,6 @@ unsigned missing;
DebugF("Loaded XKB keymap %s, defined=0x%x\n",fileName,(*xkbRtrn)->defined);
}
fclose(file);
- (void) unlink (fileName);
return (need|want)&(~missing);
}
++++++ b_sync-fix.patch ++++++
Index: xorg-server-1.12.1/Xext/sync.c
===================================================================
--- xorg-server-1.12.1.orig/Xext/sync.c
+++ xorg-server-1.12.1/Xext/sync.c
@@ -2615,9 +2615,43 @@ static XSyncValue *pIdleTimeValueGreater
static void
IdleTimeQueryValue(pointer pCounter, CARD64 * pValue_return)
{
- CARD32 idle = GetTimeInMillis() - lastDeviceEventTime.milliseconds;
+ static CARD32 previousLastDeviceEventTimeMilliseconds = 0;
+ CARD32 now = GetTimeInMillis();
+ CARD32 idle = now - lastDeviceEventTime.milliseconds;
+ CARD32 previousIdle = now - previousLastDeviceEventTimeMilliseconds;
+ SyncCounter *pIdleTimeCounter = (SyncCounter*)pCounter;
XSyncIntsToValue(pValue_return, idle, 0);
+ if (pCounter == NULL)
+ {
+ return;
+ }
+ if (previousLastDeviceEventTimeMilliseconds == 0)
+ {
+ /* initialize static var when this function is invoked the first time. */
+ previousLastDeviceEventTimeMilliseconds = lastDeviceEventTime.milliseconds;
+ return;
+ }
+
+ if (previousLastDeviceEventTimeMilliseconds == lastDeviceEventTime.milliseconds)
+ {
+ /* no new user event, no need to change idle counter. */
+ return;
+ }
+ previousLastDeviceEventTimeMilliseconds = lastDeviceEventTime.milliseconds;
+
+ /*
+ * Some user event occured; now update idle counter with previous
+ * event time, so idle counter has the most up-to-date value with
+ * respect to previous user event (we need old and new counter
+ * value to compute if a transition occured). Recompute bracket
+ * values if this is system counter.
+ */
+
+ XSyncIntsToValue (&pIdleTimeCounter->value, previousIdle, 0);
+ if (IsSystemCounter(pIdleTimeCounter)) {
+ SyncComputeBracketValues(pIdleTimeCounter);
+ }
}
static void
@@ -2700,7 +2734,7 @@ IdleTimeWakeupHandler(pointer env, int r
if (!pIdleTimeValueLess && !pIdleTimeValueGreater)
return;
- IdleTimeQueryValue(NULL, &idle);
+ IdleTimeQueryValue(IdleTimeCounter, &idle);
if ((pIdleTimeValueGreater &&
XSyncValueGreaterOrEqual(idle, *pIdleTimeValueGreater)) ||
++++++ n_RandR-Disable-rotation-for-GPU-screens.patch ++++++
From: Egbert Eich
Date: Wed Jan 20 19:21:59 2016 +0100
Subject: [PATCH]RandR: Disable rotation for GPU screens
Patch-mainline: never
References: boo#962295
Signed-off-by: Egbert Eich
This is a temporary hack to keep the Xserver from crashing.
Signed-off-by: Egbert Eich
---
hw/xfree86/modes/xf86Crtc.c | 2 +-
hw/xfree86/modes/xf86Rotate.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index b70d089..25b445b 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -778,7 +778,7 @@ xf86CrtcScreenInit(ScreenPtr screen)
if (!crtc->funcs->shadow_allocate || !crtc->funcs->shadow_create)
break;
}
- if (c == config->num_crtc) {
+ if (c == config->num_crtc && !screen->isGPU) {
xf86RandR12SetRotations(screen, RR_Rotate_0 | RR_Rotate_90 |
RR_Rotate_180 | RR_Rotate_270 |
RR_Reflect_X | RR_Reflect_Y);
diff --git a/hw/xfree86/modes/xf86Rotate.c b/hw/xfree86/modes/xf86Rotate.c
index 9c00a44..0334253 100644
--- a/hw/xfree86/modes/xf86Rotate.c
+++ b/hw/xfree86/modes/xf86Rotate.c
@@ -366,6 +366,9 @@ xf86CrtcRotate(xf86CrtcPtr crtc)
RRTransformPtr transform = NULL;
Bool damage = FALSE;
+ if (pScreen->isGPU)
+ return FALSE;
+
if (crtc->transformPresent)
transform = &crtc->transform;
++++++ n_xserver-optimus-autoconfig-hack.patch ++++++
From 3216e0c618cc330f053ed36a749c8d8cfeb87a2f Mon Sep 17 00:00:00 2001
From: Dave Airlie
Date: Fri, 17 Aug 2012 09:49:24 +1000
Subject: [PATCH] autobind GPUs to the screen, (v3)
this is racy and really not what we want for hotplug going forward,
but until DE support is in GNOME its probably for the best.
v2: fix if config or slave config is NULL
v3: fix multi useful slaves
DO NOT UPSTREAM.
Signed-off-by: Dave Airlie
---
hw/xfree86/common/xf86Init.c | 12 ++++++++++++
hw/xfree86/common/xf86platformBus.c | 3 +++
hw/xfree86/modes/xf86Crtc.c | 32 ++++++++++++++++++++++++++++++++
3 files changed, 47 insertions(+)
diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
index 1e95061..c58fd2b 100644
--- a/hw/xfree86/common/xf86Init.c
+++ b/hw/xfree86/common/xf86Init.c
@@ -361,6 +361,16 @@ xf86CreateRootWindow(WindowPtr pWin)
return ret;
}
+extern void xf86AutoConfigOutputDevice(ScrnInfoPtr pScrn, ScrnInfoPtr master);
+static void
+xf86AutoConfigOutputDevices(void)
+{
+ int i;
+
+ for (i = 0; i < xf86NumGPUScreens; i++)
+ xf86AutoConfigOutputDevice(xf86GPUScreens[i], xf86Screens[0]);
+}
+
static void
InstallSignalHandlers(void)
{
@@ -931,6 +941,8 @@ InitOutput(ScreenInfo * pScreenInfo, int argc, char **argv)
for (i = 0; i < xf86NumGPUScreens; i++)
AttachUnboundGPU(xf86Screens[0]->pScreen, xf86GPUScreens[i]->pScreen);
+ xf86AutoConfigOutputDevices();
+
xf86VGAarbiterWrapFunctions();
if (sigio_blocked)
OsReleaseSIGIO();
diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
index 33b2b7d..be3bdd9 100644
--- a/hw/xfree86/common/xf86platformBus.c
+++ b/hw/xfree86/common/xf86platformBus.c
@@ -393,6 +393,8 @@ xf86platformProbeDev(DriverPtr drvp)
return foundScreen;
}
+extern void xf86AutoConfigOutputDevice(ScrnInfoPtr pScrn, ScrnInfoPtr master);
+
int
xf86platformAddDevice(int index)
{
@@ -465,6 +467,7 @@ xf86platformAddDevice(int index)
}
/* attach unbound to 0 protocol screen */
AttachUnboundGPU(xf86Screens[0]->pScreen, xf86GPUScreens[i]->pScreen);
+ xf86AutoConfigOutputDevice(xf86GPUScreens[i], xf86Screens[0]);
RRResourcesChanged(xf86Screens[0]->pScreen);
RRTellChanged(xf86Screens[0]->pScreen);
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index a441fd1..c1a56a5 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -3383,3 +3383,35 @@ xf86DetachAllCrtc(ScrnInfoPtr scrn)
crtc->x = crtc->y = 0;
}
}
+
+
+void xf86AutoConfigOutputDevice(ScrnInfoPtr pScrn, ScrnInfoPtr master)
+{
+ RRProviderPtr master_provider;
+ xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(master);
+ xf86CrtcConfigPtr slave_config = XF86_CRTC_CONFIG_PTR(pScrn);
+ Bool unbound = FALSE;
+
+ if (!config || !slave_config)
+ return;
+
+ master_provider = config->randr_provider;
+
+ if ((master->capabilities & RR_Capability_SinkOffload) &&
+ pScrn->capabilities & RR_Capability_SourceOffload) {
+ /* source offload */
+
+ DetachUnboundGPU(pScrn->pScreen);
+ unbound = TRUE;
+ AttachOffloadGPU(master->pScreen, pScrn->pScreen);
+ slave_config->randr_provider->offload_sink = master_provider;
+ }
+ if ((master->capabilities & RR_Capability_SourceOutput) &&
+ pScrn->capabilities & RR_Capability_SinkOutput) {
+ /* sink offload */
+ if (!unbound)
+ DetachUnboundGPU(pScrn->pScreen);
+ AttachOutputGPU(master->pScreen, pScrn->pScreen);
+ slave_config->randr_provider->output_source = master_provider;
+ }
+}
--
1.8.4.5
++++++ pre_checkin.sh ++++++
#!/bin/sh
# pre_checking.sh
# Licensed under the same condition as the xorg-server.
# This script updates the .spec file (based on .spec.in) and inject versioned ABI Symbols from the X-Server,
# stored in a template file xorg-server-provides. The content of this file is verified during build, as the
# same script runs then again, extracting ABI versions from the source to be built. This ensures we can't
# publish a package with wrong ABI Versions being provided as part of the RPM Metadata.
# Driver-, Input and extension-packages are supposed to use the provided macros to ensure correct Requires.
# extract ABI Versions... this function is copied from configure.ac
extract_abi() {
grep ^.define.*${1}_VERSION ${xorg_src}/hw/xfree86/common/xf86Module.h | tr '(),' ' .' | awk '{ print $4$5 }'
}
if [ "$1" == "--tar" ]; then
tmpdir=$(mktemp -d)
tar xf "$2" -C ${tmpdir}
xorg_src=${tmpdir}/*
elif [ "$1" == "--verify" ]; then
xorg_src="$2"
prv_ext=".build"
else
echo "Wrong usage of this script"
echo "$0 can be started in two ways:"
echo "1: $0 --tar {xorg-server-xxxx.tar.bz2}"
echo "2: $0 --verify {source-folder}"
echo "Variant 1 creates the file xorg-server-provides to be included in the src rpm"
echo "Variant 2 is being called during build to ensure the ABI provides match the expectations."
echo ""
echo ""
echo "Trying to guess the right tarball"
sh $0 --tar xorg-server-*.tar.bz2
echo "... Please verify if the result makes sense"
exit 2
fi
abi_ansic=`extract_abi ANSIC`
abi_videodrv=`extract_abi VIDEODRV`
abi_xinput=`extract_abi XINPUT`
abi_extension=`extract_abi EXTENSION`
A="Provides: X11_ABI_XINPUT = ${abi_xinput}\nProvides: X11_ABI_VIDEODRV = ${abi_videodrv}\nProvides: X11_ABI_ANSIC = ${abi_ansic}\nProvides: X11_ABI_EXTENSION = ${abi_extension}"
echo -e $A > xorg-server-provides${prv_ext}
if [ "$1" == "--tar" ]; then
if [ -d ${tmpdir} ]; then
rm -rf ${tmpdir}
fi
elif [ "$1" == "--verify" ]; then
diff "$3" xorg-server-provides${prv_ext}
if [ $? -gt 0 ]; then
echo "The ABI verification failed... please run $0 before checking in"
exit 1
fi
fi
++++++ sysconfig.displaymanager.template ++++++
## Type: string(Xorg)
## Path: Desktop/Display manager
## Default: "Xorg"
#
DISPLAYMANAGER_XSERVER="Xorg"
++++++ u_CloseConsole-Don-t-report-FatalError-when-shutting-down.patch ++++++
From: Egbert Eich
Date: Sat May 24 02:02:32 2014 +0200
Subject: [PATCH]CloseConsole: Don't report FatalError() when shutting down
Patch-mainline: to be upstreamed
Git-commit: 4edf1fd15b9d2746f1f83165ab45efbe35af8de8
Git-repo:
References: bnc#879666, bnc#879489
Signed-off-by: Egbert Eich
When encountering a problem while closing the console, don't report this
as a FatalError(). FatalError() will terminate the Xserver - no use calling
it when terminating anyway. Since FatalError() will call CloseConsole()
we would only come here again.
Signed-off-by: Egbert Eich
---
hw/xfree86/os-support/linux/lnx_init.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/hw/xfree86/os-support/linux/lnx_init.c b/hw/xfree86/os-support/linux/lnx_init.c
index bcb039f..c46bca9 100644
--- a/hw/xfree86/os-support/linux/lnx_init.c
+++ b/hw/xfree86/os-support/linux/lnx_init.c
@@ -63,17 +63,24 @@ drain_console(int fd, void *closure)
}
static void
-switch_to(int vt, const char *from)
+switch_to(int vt, const char *from, Bool fatal)
{
int ret;
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_ACTIVATE, vt));
- if (ret < 0)
- FatalError("%s: VT_ACTIVATE failed: %s\n", from, strerror(errno));
-
+ if (ret < 0) {
+ if (fatal)
+ FatalError("%s: VT_ACTIVATE failed: %s\n", from, strerror(errno));
+ else
+ xf86Msg(X_WARNING, "%s: VT_ACTIVATE failed: %s\n", from, strerror(errno));
+ }
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_WAITACTIVE, vt));
- if (ret < 0)
- FatalError("%s: VT_WAITACTIVE failed: %s\n", from, strerror(errno));
+ if (ret < 0) {
+ if (fatal)
+ FatalError("%s: VT_WAITACTIVE failed: %s\n", from, strerror(errno));
+ else
+ xf86Msg(X_WARNING, "%s: VT_WAITACTIVE failed: %s\n", from, strerror(errno));
+ }
}
void
@@ -194,7 +201,7 @@ xf86OpenConsole(void)
/*
* now get the VT. This _must_ succeed, or else fail completely.
*/
- switch_to(xf86Info.vtno, "xf86OpenConsole");
+ switch_to(xf86Info.vtno, "xf86OpenConsole", TRUE);
SYSCALL(ret = ioctl(xf86Info.consoleFd, VT_GETMODE, &VT));
if (ret < 0)
@@ -255,7 +262,7 @@ xf86OpenConsole(void)
else { /* serverGeneration != 1 */
if (!xf86Info.ShareVTs && xf86Info.autoVTSwitch) {
/* now get the VT */
- switch_to(xf86Info.vtno, "xf86OpenConsole");
+ switch_to(xf86Info.vtno, "xf86OpenConsole", TRUE);
}
}
}
@@ -305,7 +312,7 @@ xf86CloseConsole(void)
* Perform a switch back to the active VT when we were started
*/
if (activeVT >= 0) {
- switch_to(activeVT, "xf86CloseConsole");
+ switch_to(activeVT, "xf86CloseConsole", FALSE);
activeVT = -1;
}
}
++++++ u_Panning-Set-panning-state-in-xf86RandR12ScreenSetSize.patch ++++++
From: Egbert Eich
Date: Fri Jan 15 16:52:18 2016 +0100
Subject: [PATCH]Panning: Set panning state in xf86RandR12ScreenSetSize()
Patch-mainline: to be upstreamed
References: boo#771521
Signed-off-by: Egbert Eich
References: boo#771521
Signed-off-by: Egbert Eich
Right after verifying the panning area the per-crtc panning state should
be set.
This fixes panning when set in the configuration.
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=771521
Signed-off-by: Egbert Eich
---
hw/xfree86/modes/xf86RandR12.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c
index b1c306a..c265011 100644
--- a/hw/xfree86/modes/xf86RandR12.c
+++ b/hw/xfree86/modes/xf86RandR12.c
@@ -681,6 +681,7 @@ xf86RandR12ScreenSetSize(ScreenPtr pScreen,
WindowPtr pRoot = pScreen->root;
PixmapPtr pScrnPix;
Bool ret = FALSE;
+ Bool panning = FALSE;
int c;
if (xf86RandR12Key) {
@@ -711,6 +712,7 @@ xf86RandR12ScreenSetSize(ScreenPtr pScreen,
if (crtc->panningTrackingArea.y2 > crtc->panningTrackingArea.y1)
crtc->panningTrackingArea.y2 += height - pScreen->height;
xf86RandR13VerifyPanningArea(crtc, width, height);
+ panning = panning ? TRUE : PANNING_ENABLED (crtc);
xf86RandR13Pan(crtc, randrp->pointerX, randrp->pointerY);
}
}
@@ -720,6 +722,7 @@ xf86RandR12ScreenSetSize(ScreenPtr pScreen,
pScreen->height = pScrnPix->drawable.height = height;
randrp->mmWidth = pScreen->mmWidth = mmWidth;
randrp->mmHeight = pScreen->mmHeight = mmHeight;
+ randrp->panning = panning;
xf86SetViewport(pScreen, pScreen->width - 1, pScreen->height - 1);
xf86SetViewport(pScreen, 0, 0);
++++++ u_busfault_sigaction-Only-initialize-pointer-when-matched.patch ++++++
From: Egbert Eich
Date: Mon Jan 11 21:48:15 2016 +0100
Subject: [PATCH]busfault_sigaction: Only initialize pointer when matched
Patch-mainline: to be upstreamed
References: boo#961439
Signed-off-by: Egbert Eich
When looping over the registered map ranges, don't use
the variable holding the final result as loop variable -
It would always be initialized, on an empty list or
when we run past the end of the list when no entry was
found.
Signed-off-by: Egbert Eich
---
os/busfault.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/os/busfault.c b/os/busfault.c
index d4afa6d..53f02e6 100644
--- a/os/busfault.c
+++ b/os/busfault.c
@@ -98,13 +98,15 @@ static void
busfault_sigaction(int sig, siginfo_t *info, void *param)
{
void *fault = info->si_addr;
- struct busfault *busfault = NULL;
+ struct busfault *tmp, *busfault = NULL;
void *new_addr;
/* Locate the faulting address in our list of shared segments
*/
- xorg_list_for_each_entry(busfault, &busfaults, list) {
- if ((char *) busfault->addr <= (char *) fault && (char *) fault < (char *) busfault->addr + busfault->size) {
+ xorg_list_for_each_entry(tmp, &busfaults, list) {
+ if ((char *) tmp->addr <= (char *) fault &&
+ (char *) fault < (char *) tmp->addr + tmp->size) {
+ busfault = tmp;
break;
}
}
++++++ u_confine_to_shape.diff ++++++
From: Egbert Eich
DIX/ConfineTo: Improve algorithm to jump to the nearest point inside
ConfineToShape does not work well: The cursor often times doesn't jump
to the point closest to the current cursor position outside the shape.
This patch fixes this.
--- dix/events.c.orig 2012-04-17 11:34:39.714915372 -0500
+++ dix/events.c 2012-04-17 11:26:54.735728478 -0500
@@ -671,32 +671,77 @@
{
BoxRec box;
int x = *px, y = *py;
- int incx = 1, incy = 1;
+ int nbox;
+ BoxPtr pbox;
+ int d, min = (~0U >> 1), dx2, dy2, x_r, y_r;
if (RegionContainsPoint(shape, x, y, &box))
return;
- box = *RegionExtents(shape);
- /* this is rather crude */
- do {
- x += incx;
- if (x >= box.x2) {
- incx = -1;
- x = *px - 1;
+
+ for (nbox = REGION_NUM_RECTS (shape),
+ pbox = REGION_RECTS(shape);
+ nbox--;
+ pbox++)
+ {
+ if (pbox->x1 < x && pbox->x2 > x) {
+ d = pbox->y1 - y;
+ if (d >= 0) {
+ d *= d;
+ if (d < min) {
+ *px = x;
+ *py = pbox->y1 + 1;
+ min = d;
+ }
+ } else {
+ d = pbox->y2 - y; d *= d;
+ if (d < min) {
+ *px = x;
+ *py = pbox->y2 - 1;
+ min = d;
+ }
+ }
}
- else if (x < box.x1) {
- incx = 1;
- x = *px;
- y += incy;
- if (y >= box.y2) {
- incy = -1;
- y = *py - 1;
+ else if (pbox->y1 < y && pbox->y2 > y) {
+ d = pbox->x1 - x;
+ if (d >= 0) {
+ d *= d;
+ if (d < min) {
+ *px = pbox->x1 + 1;
+ *py = y;
+ min = d;
+ }
+ } else {
+ d = pbox->x2 - x; d *= d;
+ if (d < min) {
+ *px = pbox->x2 - 1;
+ *py = y;
+ min = d;
+ }
+ }
+ } else {
+ dx2 = pbox->x1 - x;
+ if (dx2 >= 0) {
+ dx2 *= dx2;
+ x_r = pbox->x1 + 1;
+ } else {
+ dx2 = pbox->x2 - x; dx2 *= dx2;
+ x_r = pbox->x2 - 1;
+ }
+ dy2 = pbox->y1 - y;
+ if (dy2 >= 0) {
+ dy2 *= dy2;
+ y_r = pbox->y1 + 1;
+ } else {
+ dy2 = pbox->y2 - y; dy2 *= dy2;
+ y_r = pbox->y2 - 1;
+ }
+ if ((d = dx2 + dy2) < min) {
+ *px = x_r;
+ *py = y_r;
+ min = d;
}
- else if (y < box.y1)
- return; /* should never get here! */
}
- } while (!RegionContainsPoint(shape, x, y, &box));
- *px = x;
- *py = y;
+ }
}
static void
++++++ u_connection-avoid-crash-when-CloseWellKnownConnections-gets-called-twice.patch ++++++
From: Egbert Eich
Date: Fri May 23 20:08:29 2014 +0200
Subject: [PATCH]connection: avoid crash when CloseWellKnownConnections() gets called twice
Patch-mainline: to be upstreamed
Git-commit: 74472c4e8e4c873014554f321ec2086066126297
Git-repo:
References: bnc#879666, bnc#879489
Signed-off-by: Egbert Eich
CloseWellKnownConnections() closes all connections and deallocates
their data. Thus all entries in ListenTransConns are invalid.
To avoid access to those entries set ListenTransCount to 0.
This avoids crashes when CloseWellKnownConnections() is called twice
for instance when FatalError() is called on Xserver shutdown.
Signed-off-by: Egbert Eich
---
os/connection.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/os/connection.c b/os/connection.c
index 162e1d9..3c0b62a 100644
--- a/os/connection.c
+++ b/os/connection.c
@@ -513,6 +513,8 @@ CloseWellKnownConnections(void)
for (i = 0; i < ListenTransCount; i++)
_XSERVTransClose(ListenTransConns[i]);
+
+ ListenTransCount = 0;
}
static void
++++++ u_exa-only-draw-valid-trapezoids.patch ++++++
Author: Maarten Lankhorst
Subject: exa: only draw valid trapezoids
Patch-Mainline: To be upstreamed
References: bnc#853846 CVE-2013-6424
Signed-off-by: Michal Srb
diff --git a/exa/exa_render.c b/exa/exa_render.c
index 172e2b5..807eeba 100644
--- a/exa/exa_render.c
+++ b/exa/exa_render.c
@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst,
exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
for (; ntrap; ntrap--, traps++)
- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+ if (xTrapezoidValid(traps))
+ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
xRel = bounds.x1 + xSrc - xDst;
diff --git a/render/picture.h b/render/picture.h
index c85353a..fcd6401 100644
--- a/render/picture.h
+++ b/render/picture.h
@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed;
/* whether 't' is a well defined not obviously empty trapezoid */
#define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
(t)->right.p1.y != (t)->right.p2.y && \
- (int) ((t)->bottom - (t)->top) > 0)
+ ((t)->bottom > (t)->top))
/*
* Standard NTSC luminance conversions:
++++++ u_fbdevhw.diff ++++++
From: Egbert Eich
Make error message about FBIOBLANK missing less prominent but more telling
The FBIOBLANK ioctl is not present in some fbdev kernel drivers. This
however is not a huge problem. This don't mark it as error in the log
instead give more information on the possible cause.
Index: hw/xfree86/fbdevhw/fbdevhw.c
===================================================================
--- hw/xfree86/fbdevhw/fbdevhw.c.orig
+++ hw/xfree86/fbdevhw/fbdevhw.c
@@ -858,9 +858,10 @@ fbdevHWDPMSSet(ScrnInfoPtr pScrn, int mo
return;
}
+ /* Novell Bug #146462 */
if (-1 == ioctl(fPtr->fd, FBIOBLANK, (void *) fbmode))
- xf86DrvMsg(pScrn->scrnIndex, X_ERROR,
- "FBIOBLANK: %s\n", strerror(errno));
+ xf86DrvMsg(pScrn->scrnIndex, X_INFO,
+ "FBIOBLANK: %s (Screen blanking not supported by vesafb of Linux Kernel)\n", strerror(errno));
}
Bool
@@ -875,9 +876,10 @@ fbdevHWSaveScreen(ScreenPtr pScreen, int
unblank = xf86IsUnblank(mode);
+ /* Novell Bug #146462 */
if (-1 == ioctl(fPtr->fd, FBIOBLANK, (void *) (1 - unblank))) {
- xf86DrvMsg(pScrn->scrnIndex, X_ERROR,
- "FBIOBLANK: %s\n", strerror(errno));
+ xf86DrvMsg(pScrn->scrnIndex, X_INFO,
+ "FBIOBLANK: %s (Screen blanking not supported by vesafb of Linux Kernel)\n", strerror(errno));
return FALSE;
}
++++++ u_kdrive-UnregisterFd-Fix-off-by-one.patch ++++++
From: Egbert Eich
Date: Tue Nov 24 16:10:08 2015 +0100
Subject: [PATCH]kdrive/UnregisterFd: Fix off by one
Patch-mainline: to be upstreamed
References: boo#867483
Signed-off-by: Egbert Eich
References: boo#867483
Signed-off-by: Egbert Eich
The number of FDs has been decremented already, therefore this
number contains the index of the top one that is to me moved down.
Signed-off-by: Egbert Eich
---
hw/kdrive/src/kinput.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/kdrive/src/kinput.c b/hw/kdrive/src/kinput.c
index a539ca5..d28bbe0 100644
--- a/hw/kdrive/src/kinput.c
+++ b/hw/kdrive/src/kinput.c
@@ -221,7 +221,7 @@ KdUnregisterFd(void *closure, int fd, Bool do_close)
if (do_close)
close(kdInputFds[i].fd);
kdNumInputFds--;
- for (j = i; j < (kdNumInputFds - 1); j++)
+ for (j = i; j < kdNumInputFds; j++)
kdInputFds[j] = kdInputFds[j + 1];
break;
}
++++++ u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch ++++++
From 6d0da2a4d5c31d055674f482d3d1afe308ed8eeb Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Mon, 7 Oct 2013 17:55:30 +0300
Subject: [PATCH] randr: Allow RRSelectInput for ProviderChange and
ResourceChange events.
Reviewed-by: Dave Airlie
Signed-off-by: Michal Srb
diff --git a/randr/rrdispatch.c b/randr/rrdispatch.c
index 7fbc9f0..f050d38 100644
--- a/randr/rrdispatch.c
+++ b/randr/rrdispatch.c
@@ -92,7 +92,9 @@ ProcRRSelectInput(ClientPtr client)
RRCrtcChangeNotifyMask |
RROutputChangeNotifyMask |
RROutputPropertyNotifyMask |
- RRProviderPropertyNotifyMask)) {
+ RRProviderChangeNotifyMask |
+ RRProviderPropertyNotifyMask |
+ RRResourceChangeNotifyMask)) {
ScreenPtr pScreen = pWin->drawable.pScreen;
rrScrPriv(pScreen);
++++++ u_render-Cast-color-masks-to-unsigned-long-before-shifting-them.patch ++++++
From: Egbert Eich
Date: Fri May 30 19:08:00 2014 -0400
Subject: [PATCH]render: Cast color masks to unsigned long before shifting them
Patch-mainline: to be upstreamed
Git-commit: 6ec9a78f9b79668239c3a1519d715cbecf186cef
Git-repo:
References: bnc#876757
Signed-off-by: Egbert Eich
The color masks in DirectFormatRec are CARD16. Shifting them may lead
to unexpected results. Cast them to unsigned long to make sure the
shifted value will still fit into that type.
Signed-off-by: Egbert Eich
---
render/picture.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/render/picture.c b/render/picture.c
index 2908b76..74369de 100644
--- a/render/picture.c
+++ b/render/picture.c
@@ -548,12 +548,12 @@ PictureMatchVisual(ScreenPtr pScreen, int depth, VisualPtr pVisual)
return format;
}
else {
- if (format->direct.redMask << format->direct.red ==
- pVisual->redMask &&
- format->direct.greenMask << format->direct.green ==
- pVisual->greenMask &&
- format->direct.blueMask << format->direct.blue ==
- pVisual->blueMask) {
+ if (((unsigned long)format->direct.redMask) <<
+ format->direct.red == pVisual->redMask &&
+ ((unsigned long)format->direct.greenMask) <<
+ format->direct.green == pVisual->greenMask &&
+ ((unsigned long)format->direct.blueMask) <<
+ format->direct.blue == pVisual->blueMask) {
return format;
}
}
++++++ u_x86emu-include-order.patch ++++++
Subject: [PATCH] Change include order to avoid conflict with system header
From: Andreas Schwab
R_SP is also defined in on m68k.
Also remove duplicate definitions.
Signed-off-by: Andreas Schwab
Index: xorg-server-1.14.3/hw/xfree86/int10/xf86x86emu.c
===================================================================
--- xorg-server-1.14.3.orig/hw/xfree86/int10/xf86x86emu.c
+++ xorg-server-1.14.3/hw/xfree86/int10/xf86x86emu.c
@@ -7,7 +7,6 @@
#include
#endif
-#include
#include "xf86.h"
#include "xf86_OSproc.h"
#include "xf86Pci.h"
@@ -15,6 +14,7 @@
#define _INT10_PRIVATE
#include "xf86int10.h"
#include "int10Defines.h"
+#include
#define M _X86EMU_env
Index: xorg-server-1.14.3/hw/xfree86/x86emu/x86emu/regs.h
===================================================================
--- xorg-server-1.14.3.orig/hw/xfree86/x86emu/x86emu/regs.h
+++ xorg-server-1.14.3/hw/xfree86/x86emu/x86emu/regs.h
@@ -147,14 +147,6 @@ struct i386_segment_regs {
#define R_FLG spc.FLAGS
/* special registers */
-#define R_SP spc.SP.I16_reg.x_reg
-#define R_BP spc.BP.I16_reg.x_reg
-#define R_SI spc.SI.I16_reg.x_reg
-#define R_DI spc.DI.I16_reg.x_reg
-#define R_IP spc.IP.I16_reg.x_reg
-#define R_FLG spc.FLAGS
-
-/* special registers */
#define R_ESP spc.SP.I32_reg.e_reg
#define R_EBP spc.BP.I32_reg.e_reg
#define R_ESI spc.SI.I32_reg.e_reg
++++++ u_xorg-expose-getmaster-to-modules.patch ++++++
Author: Michal Srb
Subject: Expose GetMaster to modules.
Patch-Mainline: To be upstreamed
References: bnc#918628
Add _X_EXPORT to GetMaster function. It is required by tigervnc's VNC module.
---
include/input.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/input.h b/include/input.h
index bf22dc7..7212cc1 100644
--- a/include/input.h
+++ b/include/input.h
@@ -505,7 +505,7 @@ extern int AttachDevice(ClientPtr client,
DeviceIntPtr slave, DeviceIntPtr master);
extern _X_EXPORT DeviceIntPtr GetPairedDevice(DeviceIntPtr kbd);
-extern DeviceIntPtr GetMaster(DeviceIntPtr dev, int type);
+extern _X_EXPORT DeviceIntPtr GetMaster(DeviceIntPtr dev, int type);
extern _X_EXPORT int AllocDevicePair(ClientPtr client,
const char *name,
--
2.1.2
++++++ u_xorg-server-xdmcp.patch ++++++
Author: Reinhard Max
XDMCP: For IPv6 add IPv6 link local addresses to the end of the list
For IPv6 add a link local addresses to the end of the list passed to
the XDMCP servers.
Reason: for link local addresses the XDMCP server would need to either
know the interface thru a scope identifier or try all available interfaces.
If they don't this address will fail in which case the XDMCP server
could still try the other addresses passed - however some only try
the first address and then give up.
Even if this seems to be the wrong place to fix this it seems to be
easier than fixing all display servers.
Index: xorg-server-1.12.1/os/access.c
===================================================================
--- xorg-server-1.12.1.orig/os/access.c
+++ xorg-server-1.12.1/os/access.c
@@ -714,7 +714,9 @@ DefineSelf(int fd)
/*
* ignore 'localhost' entries as they're not useful
- * on the other end of the wire
+ * on the other end of the wire and because on hosts
+ * with shared home dirs they'll result in conflicting
+ * entries in ~/.Xauthority
*/
if (ifr->ifa_flags & IFF_LOOPBACK)
continue;
@@ -735,6 +737,14 @@ DefineSelf(int fd)
else if (family == FamilyInternet6 &&
IN6_IS_ADDR_LOOPBACK((struct in6_addr *) addr))
continue;
+
+ /* Ignore IPv6 link local addresses (fe80::/10), because
+ * they need a scope identifier, which we have no way
+ * of telling to the other end.
+ */
+ if (family == FamilyInternet6 &&
+ IN6_IS_ADDR_LINKLOCAL((struct in6_addr *)addr))
+ continue;
#endif
XdmcpRegisterConnection(family, (char *) addr, len);
#if defined(IPv6) && defined(AF_INET6)
++++++ ux_xserver_xvfb-randr.patch ++++++
Author: Lambros Lambrou
Subject: xvfb: add randr support
Patch-Mainline: To be upstreamed
References: bnc#823410 fdo#26391
Signed-off-by: Michal Srb
--- a/hw/vfb/InitOutput.c
+++ b/hw/vfb/InitOutput.c
@@ -66,6 +66,7 @@
#include "dix.h"
#include "miline.h"
#include "glx_extinit.h"
+#include "randrstr.h"
#define VFB_DEFAULT_WIDTH 1280
#define VFB_DEFAULT_HEIGHT 1024
@@ -812,6 +813,165 @@
}
static Bool
+vfbRROutputValidateMode(ScreenPtr pScreen,
+ RROutputPtr output,
+ RRModePtr mode)
+{
+ rrScrPriv(pScreen);
+
+ if (pScrPriv->minWidth <= mode->mode.width &&
+ pScrPriv->maxWidth >= mode->mode.width &&
+ pScrPriv->minHeight <= mode->mode.height &&
+ pScrPriv->maxHeight >= mode->mode.height)
+ return TRUE;
+ else
+ return FALSE;
+}
+
+static Bool
+vfbRRScreenSetSize(ScreenPtr pScreen,
+ CARD16 width,
+ CARD16 height,
+ CARD32 mmWidth,
+ CARD32 mmHeight)
+{
+ WindowPtr root = pScreen->root;
+ WindowPtr layer;
+ WindowPtr child;
+ BoxRec box;
+
+ pScreen->width = width;
+ pScreen->height = height;
+ pScreen->mmWidth = mmWidth;
+ pScreen->mmHeight = mmHeight;
+
+ // Resize the root window & adjust its clipping
+ box.x1 = 0;
+ box.y1 = 0;
+ box.x2 = pScreen->width;
+ box.y2 = pScreen->height;
+ REGION_INIT(pScreen, &root->winSize, &box, 1);
+ REGION_INIT(pScreen, &root->borderSize, &box, 1);
+ REGION_RESET(pScreen, &root->borderClip, &box);
+ root->drawable.width = pScreen->width;
+ root->drawable.height = pScreen->height;
+ REGION_BREAK (pScreen, &root->clipList);
+
+ // Update the clipping regions of all windows
+ for (child = root->firstChild; child; child = child->nextSib)
+ (*pScreen->MarkOverlappedWindows)(child, child, &layer);
+
+ if (root->firstChild)
+ {
+ (*pScreen->MarkOverlappedWindows)(root->firstChild,
+ root->firstChild,
+ (WindowPtr *)NULL);
+ }
+ else
+ {
+ (*pScreen->MarkWindow) (root);
+ }
+
+ (*pScreen->ValidateTree)(root, NullWindow, VTOther);
+ (*pScreen->HandleExposures)(root);
+
+ // Reposition top-level windows to fit new root size
+ // XXX I assume this is what it does, but I'm not sure
+ ResizeChildrenWinSize (root, 0, 0, 0, 0);
+
+
+ // Check the pointer position
+ WindowsRestructured ();
+
+ RRScreenSizeNotify (pScreen);
+ RRTellChanged(pScreen);
+
+ // Flush resulting events, etc to clients
+ FlushAllOutput ();
+
+ return TRUE;
+}
+
+static Bool
+vfbRRCrtcSet(ScreenPtr pScreen,
+ RRCrtcPtr crtc,
+ RRModePtr mode,
+ int x,
+ int y,
+ Rotation rotation,
+ int numOutput,
+ RROutputPtr *outputs)
+{
+ return RRCrtcNotify(crtc, mode, x, y, rotation, NULL, numOutput, outputs);
+}
+
+static Bool
+vfbRRGetInfo(ScreenPtr pScreen, Rotation *rotations)
+{
+ return TRUE;
+}
+
+static Bool
+vfbRandRInit(ScreenPtr pScreen)
+{
+ rrScrPrivPtr pScrPriv;
+#if RANDR_12_INTERFACE
+ RRModePtr mode;
+ RRCrtcPtr crtc;
+ RROutputPtr output;
+ xRRModeInfo modeInfo;
+ char name[64];
+#endif
+
+ if (!RRScreenInit (pScreen))
+ return FALSE;
+ pScrPriv = rrGetScrPriv(pScreen);
+ pScrPriv->rrGetInfo = vfbRRGetInfo;
+#if RANDR_12_INTERFACE
+ pScrPriv->rrCrtcSet = vfbRRCrtcSet;
+ pScrPriv->rrScreenSetSize = vfbRRScreenSetSize;
+ pScrPriv->rrOutputSetProperty = NULL;
+#if RANDR_13_INTERFACE
+ pScrPriv->rrOutputGetProperty = NULL;
+#endif
+ pScrPriv->rrOutputValidateMode = vfbRROutputValidateMode;
+ pScrPriv->rrModeDestroy = NULL;
+
+ RRScreenSetSizeRange (pScreen,
+ 1, 1,
+ pScreen->width, pScreen->height);
+
+ sprintf (name, "%dx%d", pScreen->width, pScreen->height);
+ memset (&modeInfo, '\0', sizeof (modeInfo));
+ modeInfo.width = pScreen->width;
+ modeInfo.height = pScreen->height;
+ modeInfo.nameLength = strlen (name);
+
+ mode = RRModeGet (&modeInfo, name);
+ if (!mode)
+ return FALSE;
+
+ crtc = RRCrtcCreate (pScreen, NULL);
+ if (!crtc)
+ return FALSE;
+
+ output = RROutputCreate (pScreen, "screen", 6, NULL);
+ if (!output)
+ return FALSE;
+ if (!RROutputSetClones (output, NULL, 0))
+ return FALSE;
+ if (!RROutputSetModes (output, &mode, 1, 0))
+ return FALSE;
+ if (!RROutputSetCrtcs (output, &crtc, 1))
+ return FALSE;
+ if (!RROutputSetConnection (output, RR_Connected))
+ return FALSE;
+ RRCrtcNotify (crtc, mode, 0, 0, RR_Rotate_0, NULL, 1, &output);
+#endif
+ return TRUE;
+}
+
+static Bool
vfbScreenInit(ScreenPtr pScreen, int argc, char **argv)
{
vfbScreenInfoPtr pvfb = &vfbScreens[pScreen->myNum];
@@ -885,6 +1045,9 @@
if (!ret)
return FALSE;
+ if (!vfbRandRInit(pScreen))
+ return FALSE;
+
pScreen->InstallColormap = vfbInstallColormap;
pScreen->UninstallColormap = vfbUninstallColormap;
pScreen->ListInstalledColormaps = vfbListInstalledColormaps;
++++++ xorg-backtrace ++++++
#!/usr/bin/perl
$version = "1.0";
$timeout = 5;
@pkgs = ( "xorg-x11-server", "xorg-x11-driver-video", "xorg-x11-driver-input",
"libpixman-1-0", "libpciaccess0" );
$xtracmds= "/etc/X11/xorg-backtrace-cmds";
$pid=$ARGV[0];
if ($pid == 0) {
print "Usage: $0 <pid>\n";
exit 1;
}
if (! -e "/usr/bin/gdb") {
print "Install gdb to get reasonable backtraces\n";
exit 2;
}
$SIG{ALRM} = sub { die "timeout starting gdb" };
alarm $timeout;
open STDERR, ">&STDOUT";
use FileHandle;
use IPC::Open2;
$gdb = open2 (*R, *W, "/usr/bin/gdb -n -p $pid");
$SIG{ALRM} = sub { kill QUIT, $gdb; sleep 1; kill KILL, $gdb; die "timeout using gdb" };
alarm $timeout;
print "\n==================== GDB Backtrace ============\n\n";
print "Done by $0 V$version\n\n";
$needpkgs=0;
for $p (@pkgs) {
next if system ("rpm", "-q", "--quiet", "$p-debuginfo") == 0 &&
system ("rpm", "-q", "--quiet", "$p-debugsource") == 0;
print "Install following debug packages to improve backtrace:\n" unless $needpkgs;
$needpkgs++;
print "\t$p-debug*\n";
}
print "\n" if $needpkgs;
print W "set prompt\necho \\n===info\\n\n";
#print W "info files\necho ===files\\n\n";
print W "thread apply all bt full\necho ===btend\\n\n";
$_=<R>; # GNU gdb version
print;
while (<R>) {
last if /^===info/;
print if /^This GDB was configured as/;
}
#print "\n==================== Files ====================\n\n";
#while (<R>) {
# last if /^===files/;
# print;
#}
print "\n==================== Backtrace ================\n";
$fno = "";
$fls = 0;
$o = "";
$use = 0;
while (<R>) {
last if /^===btend/;
if (/^#(\d+)\s/) {
$fno = $1;
$o .= "\n";
$o .= "===l".($fno-1)."\n" if $use;
$o .= "\n";
$fls = $fno+1 if /\bxorg_backtrace \(/ || /\bOsSigHandler \(/;
$use = 1;
}
$line{$fno} = $1 if $line{$fno} == 0 && /:(\d+)\s*$/;
$o .= $_;
$use = 0 if /^No symbol table info available/;
}
$o .="\n===l$fno";
for $i ($fls..$fno) {
print W "frame $i\necho ===fs$i\\n\nlist\necho ===fe$i\\n\n";
while (<R>) {
last if /^===fs$i\b/;
}
$r = "";
while (<R>) {
last if /^===fe$i\b/;
$r .= $_;
}
if ($line{$i} > 0) {
$r =~ s/^$line{$i}\b/$line{$i} */m;
}
$o =~ s/^===l$i$/$r/m;
}
if ($fls > 0) {
for $i (0..$fls-1) {
$o =~ s/^(#$i\s.*?)\n.*?\n#/$1\n\n#/ms;
}
}
$o =~ s/^===l.*$//mg;
print "$o";
if (-e $xtracmds) {
print W "source -v $xtracmds\necho ===cmds\\n\n";
print "\n==================== Extra Commands ===========\n\n";
while (<R>) {
last if /^===cmds/;
print unless /^\+echo ===cmds/;
}
}
print "\n==================== Backtrace End ============\n\n";
close R;
close W;
exit 0;
++++++ xorg-server-provides ++++++
Provides: X11_ABI_XINPUT = 21.0
Provides: X11_ABI_VIDEODRV = 18.0
Provides: X11_ABI_ANSIC = 0.4
Provides: X11_ABI_EXTENSION = 8.0
++++++ xorg-x11-server.macros.in ++++++
# RPM macros for XOrg ABI Definitions
# Add a Requires for the correct VIDEO Driver ABI
%x11_abi_videodrv_req \
Requires: X11_ABI_VIDEODRV = @abi_videodrv@
%x11_abi_xinput_req \
Requires: X11_ABI_XINPUT = @abi_xinput@
%x11_abi_ansic_req \
Requires: X11_ABI_ANSIC = @abi_ansic@
%x11_abi_extension_req \
Requires: X11_ABI_EXTENSION = @abi_extension@