Hello community, here is the log from the commit of package xorg-x11-server.3538 for openSUSE:13.1:Update checked in at 2015-02-20 12:27:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/xorg-x11-server.3538 (Old) and /work/SRC/openSUSE:13.1:Update/.xorg-x11-server.3538.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xorg-x11-server.3538" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.xorg-x11-server.3538.new/xorg-x11-server.changes 2015-02-20 12:27:26.000000000 +0100 
@@ -0,0 +1,3555 @@ +------------------------------------------------------------------- +Thu Feb 12 11:56:52 UTC 2015 - msrb@suse.com + +- U_xkb-check-strings-length-against-request-size.patch + * Check string lenghts in XkbSetGeometry request. + (bnc#915810, CVE-2015-0255) + +------------------------------------------------------------------- +Wed Dec 17 12:20:20 UTC 2014 - msrb@suse.com + +- Add and update security patches. (bnc#907268, CVE-2014-8091, + CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095, + CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, + CVE-2014-8100, CVE-2014-8101, CVE-2014-8102, CVE-2014-8103) + + U_Xi_fix_modifier_offset_in_XIPassiveGrab_swapping_function.patch + + U_Xi_unvalidated_lengths_in_Xinput_extension.patch + + U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch + + U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch + + U_dix_integer_overflow_in_GetHosts.patch + + U_dix_integer_overflow_in_ProcPutImage.patch + + U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch + + U_dix_integer_overflow_in_RegionSizeof.patch + + U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch + + U_glx_Add_safe__add_mul_pad.patch + + U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch + + U_glx_Be_more_paranoid_about_variable_length_requests.patch + + U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch + + U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch + + U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch + + U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch + + U_glx_Length_checking_for_GLXRender_requests.patch + + U_glx_Length_checking_for_RenderLarge_requests.patch + + U_glx_Length_checking_for_non_generated_single_request.patch + + U_glx_Length_checking_for_non_generated_vendor_private_requests.patch + + U_glx_Pass_remaining_request_length_into_varsize.patch + + U_glx_Request_length_checks_for_SetClientInfoARB.patch + + 
U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch + + U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch + + U_render_check_request_size_before_reading_it.patch + + U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch + + U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch + + U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch + + U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch + + U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch + + U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch + + U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch + +- U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch + * Fixes rendering of some icewm and xfwm themes. (bnc#908258, bnc#856931) + +------------------------------------------------------------------- +Tue Apr 15 16:10:04 UTC 2014 - msrb@suse.com + +- u_dri2_fix-detection-of-wrong-prime_id-in-getscreenprime.patch + * Do not crash when out of range DRI_PRIME is used. (bnc#846352) + +------------------------------------------------------------------- +Mon Dec 16 14:54:12 UTC 2013 - msrb@suse.com + +- u_exa-only-draw-valid-trapezoids.patch + * Fix possible x server crash using invalid trapezoids. + (bnc#853846 CVE-2013-6424) + +------------------------------------------------------------------- +Fri Nov 1 13:46:06 UTC 2013 - msrb@suse.com + +- N_randr_fix_abi.patch + * Fixes compatibility with nvidia binary drivers. 
(bnc#849152) + +------------------------------------------------------------------- +Mon Oct 28 08:00:16 UTC 2013 - sndirsch@suse.com + +- Update to prerelease 1.14.4-rc1 (1.14.3.901) + * bugfixes + * fixes for security issue CVE-2013-4396 +- obsoletes u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch + +------------------------------------------------------------------- +Fri Oct 25 12:31:46 UTC 2013 - msrb@suse.com + +- Add U_randr_dont_directly_set_changed_bits_in_randr_screen.patch, + U_randr_report_changes_when_we_disconnect_a_GPU_slave.patch, + u_randr_send_rrproviderchangenotify_event.patch, + u_randr_send_rrresourcechangenotify_event.patch, + u_randr_deliver_output_and_crtc_events_of_attached_output.patch, + u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch + * Send randr 1.4 events to allow tools to react to new providers. (fate#316408, fate#316409) + +------------------------------------------------------------------- +Tue Oct 15 13:07:50 UTC 2013 - sndirsch@suse.com + +- u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch + * Fixes a security issue, in which an authenticated X client + can cause an X server to use memory after it was freed, + potentially leading to crash and/or memory corruption. + (CVE-2013-4396, bnc#843652) + +------------------------------------------------------------------- +Fri Sep 13 23:39:28 UTC 2013 - tobias.johannes.klausmann@mni.thm.de + +- Update to version 1.14.3: + Bugfix release. Changes all over the place. 
+- Remove upstreamed patches: + + Patch227: u_init_framebuffer_base.patch + +------------------------------------------------------------------- +Tue Sep 10 09:23:38 UTC 2013 - sndirsch@suse.com + +- removed modprobe options for NVIDIA kernel module, since these + have been moved to the NVIDIA packages themselves + +------------------------------------------------------------------- +Fri Aug 9 15:08:34 UTC 2013 - eich@suse.com + +- Delete N_0001-Xinput-Catch-missing-configlayout-when-deleting-dev.patch: + This patch is no longer appicable. The code has been reworked completely + thus the problem fixed with this most likely no longer exists. +- Delete N_Use-external-tool-for-creating-backtraces-on-crashes.patch: + This feature has multiple issues, there is no reason to keep the patch + around. + +------------------------------------------------------------------- +Fri Aug 9 13:25:41 UTC 2013 - tobias.johannes.klausmann@mni.thm.de + +- Remove the unused Xvnc packages +- Remove the now unused vnc macro +- Remove the Xvnc patches: + + Patch17: n_VNC-Add-support-for-VNC.patch + + Patch18: n_VNC-Readd-timeout-when-vnc-viewer-connection-breaks.patch + + Patch19: n_VNC-Fix-crash-when-no-depth-translation-is-required.patch + + Patch20: n_VNC-Don-t-let-VNC-access-the-framebuffer-directly-an.patch + + Patch21: n_VNC-Enable-use-of-all-keyboard-layouts-independent-o.patch + + Patch22: n_VNC-Fix-crash-due-to-unset-input-device-names.patch + + Patch23: n_Xvnc-pthread.diff + + Patch24: n_VNC-Add-proto.diff + +------------------------------------------------------------------- +Thu Aug 8 19:51:35 UTC 2013 - eich@suse.com + +- n_autoconf-On-Linux-give-fbdev-driver-a-higher-precedence-than-vesa.patch: + At SUSE we want to perfer the fbdev driver over the VESA driver + at autoconfiguration as it is expected that fbdev will work in + allmost all situations where no native driver can be found - + even under UEFI and with secure boot. 
+ replaces: N_autoconfig_fallback_fbdev_first.diff + +------------------------------------------------------------------- +Thu Aug 8 15:55:14 UTC 2013 - sndirsch@suse.com + +- removed N_vidmode-sig11.diff (fixed upstream already) + +------------------------------------------------------------------- +Tue Jul 2 13:18:07 UTC 2013 - hrvoje.senjan@gmail.com + +- Update to version 1.14.2: ++ Bugfix release, changes include: + + dix: fix device scaling to use a [min,max[ range. + + dix: pre-scale x by the screen:device:resolution ratio + + os: Reset input buffer's 'ignoreBytes' field + + dix: don't overwrite proximity/focus classes + + dix: plug memory leak in freeing TouchClass + + os: Use ErrorFSigSafe from FatalError and it's friends + + dix: send the current axis value in DeviceChangedEvents (fdo#62321) + + Xi: Use correct destination when swapping barrier events + + xf86: don't hotplug output devices while VT switched. + +------------------------------------------------------------------- +Wed Jun 19 14:20:07 UTC 2013 - tobias.johannes.klausmann@mni.thm.de + +- Packaging changes: + + Added patch240: + U_revert_dri2_realloc_dri2_drawable_if-pixmap_serial_changes.patch + For detailed information visit: + http://cgit.freedesktop.org/xorg/xserver/commit/?id=77e51d5bbb97eb5c9d9dbff9... 
+ +------------------------------------------------------------------- +Thu Jun 6 15:21:18 UTC 2013 - msrb@suse.com + +- u_xserver_xvfb-randr.patch + * Add randr support to Xvfb (bnc#823410) + +------------------------------------------------------------------- +Sat May 11 09:32:10 UTC 2013 - schwab@suse.de + +- Update u_aarch64-support.patch: disable x86 asm also on aarch64 + +------------------------------------------------------------------- +Thu Apr 18 12:00:53 UTC 2013 - sndirsch@suse.com + +- u_disable-acpi-code.patch + * Don't build the ACPI code (bnc#805304) + +------------------------------------------------------------------- +Wed Apr 17 16:31:36 UTC 2013 - tobias.johannes.klausmann@mni.thm.de + +- Update to version 1.14.1: + This release contains the fix for CVE-2013-1940, see here for more ++++ 3358 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.xorg-x11-server.3538.new/xorg-x11-server.changes New: ---- N_0001-Check-harder-for-primary-PCI-device.patch N_0001-Fix-segfault-when-killing-X-with-ctrl-alt-backspace.patch N_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch N_bug-197858_dpms.diff N_bug534768-prefer_local_symbols.patch N_cache-xkbcomp-output-for-fast-start-up.patch N_confine_to_shape.diff N_dpms_screensaver.diff N_driver-autoconfig.diff N_edid_data_sanity_check.diff N_fbdevhw.diff N_fix-dpi-values.diff N_fix_fglrx_screendepth_issue.patch N_p_default-module-path.diff N_p_xnest-ignore-getimage-errors.diff N_randr1_1-sig11.diff N_randr_fix_abi.patch N_sync-fix.patch N_xorg-server-xdmcp.patch N_zap_warning_xserver.diff README.updates U_Xi_fix_modifier_offset_in_XIPassiveGrab_swapping_function.patch U_Xi_unvalidated_lengths_in_Xinput_extension.patch U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch 
U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch U_dix_integer_overflow_in_GetHosts.patch U_dix_integer_overflow_in_ProcPutImage.patch U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch U_dix_integer_overflow_in_RegionSizeof.patch U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch U_ephyr_add_output_option_support.patch U_ephyr_enable_screen_window_placement.patch U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch U_glx_Add_safe__add_mul_pad.patch U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch U_glx_Be_more_paranoid_about_variable_length_requests.patch U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch U_glx_Length_checking_for_GLXRender_requests.patch U_glx_Length_checking_for_RenderLarge_requests.patch U_glx_Length_checking_for_non_generated_single_request.patch U_glx_Length_checking_for_non_generated_vendor_private_requests.patch U_glx_Pass_remaining_request_length_into_varsize.patch U_glx_Request_length_checks_for_SetClientInfoARB.patch U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch U_kdrive_extend_screen_option_syntax.patch U_randr_dont_directly_set_changed_bits_in_randr_screen.patch U_randr_report_changes_when_we_disconnect_a_GPU_slave.patch U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch U_render_check_request_size_before_reading_it.patch U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch U_revert_dri2_realloc_dri2_drawable_if-pixmap_serial_changes.patch U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch 
U_xkb-check-strings-length-against-request-size.patch n_Xvnc-pthread.diff n_autoconf-On-Linux-give-fbdev-driver-a-higher-precedence-than-vesa.patch n_xorg-x11-server-rpmmacros.patch pre_checkin.sh sysconfig.displaymanager.template u_aarch64-support.patch u_disable-acpi-code.patch u_dri2_fix-detection-of-wrong-prime_id-in-getscreenprime.patch u_exa-only-draw-valid-trapezoids.patch u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch u_randr_deliver_output_and_crtc_events_of_attached_output.patch u_randr_send_rrproviderchangenotify_event.patch u_randr_send_rrresourcechangenotify_event.patch u_vgaHW-no-legacy.patch u_xserver_xvfb-randr.patch xorg-backtrace xorg-server-1.14.3.901.tar.bz2 xorg-server-provides xorg-x11-server.changes xorg-x11-server.macros.in xorg-x11-server.spec xorgcfg.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ # # spec file for package xorg-x11-server # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: xorg-x11-server %define dirsuffix 1.14.3.901 Summary: X License: GPL-2.0+ and MIT Group: System/X11/Servers/XF86_4 Source0: http://xorg.freedesktop.org/archive/individual/xserver/xorg-server-%{dirsuffix}.tar.bz2 Source1: sysconfig.displaymanager.template Source3: README.updates Source4: xorgcfg.tar.bz2 Source8: xorg-backtrace # RPM Macros to be installed. The ABI Versions will be injected by configure. Source96: xorg-x11-server.macros.in # Source98 and Source99 are used to ensure proper ABI provides. Source98: xorg-server-provides Source99: pre_checkin.sh # PATCH-FEATURE-OPENSUSE n_xorg-x11-server-rpmmacros.patch dimstar@opensuse.org -- Provide RPM macros to require correct ABI Versions. Patch0: n_xorg-x11-server-rpmmacros.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch2: N_p_default-module-path.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch16: N_p_xnest-ignore-getimage-errors.diff BuildRequires: Mesa-devel BuildRequires: bison BuildRequires: flex BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: pkgconfig(bigreqsproto) >= 1.1.0 BuildRequires: pkgconfig(damageproto) >= 1.1 BuildRequires: pkgconfig(dmx) >= 1.0.99.1 BuildRequires: pkgconfig(fixesproto) >= 4.1 BuildRequires: pkgconfig(fontconfig) BuildRequires: pkgconfig(fontenc) BuildRequires: pkgconfig(fontsproto) BuildRequires: pkgconfig(fontutil) BuildRequires: pkgconfig(freetype2) BuildRequires: pkgconfig(ice) BuildRequires: pkgconfig(inputproto) >= 1.9.99.902 BuildRequires: pkgconfig(kbproto) >= 1.0.3 BuildRequires: pkgconfig(libdrm) BuildRequires: pkgconfig(openssl) BuildRequires: pkgconfig(pciaccess) >= 0.8.0 BuildRequires: pkgconfig(pixman-1) >= 0.24 BuildRequires: pkgconfig(randrproto) >= 1.2.99.3 BuildRequires: pkgconfig(renderproto) >= 0.11 BuildRequires: pkgconfig(sm) BuildRequires: pkgconfig(x11) BuildRequires: 
pkgconfig(xau) BuildRequires: pkgconfig(xau) BuildRequires: pkgconfig(xaw7) BuildRequires: pkgconfig(xcmiscproto) >= 1.2.0 BuildRequires: pkgconfig(xdmcp) BuildRequires: pkgconfig(xext) >= 1.0.99.4 BuildRequires: pkgconfig(xextproto) >= 7.1.99 BuildRequires: pkgconfig(xfixes) BuildRequires: pkgconfig(xfont) >= 1.4.2 BuildRequires: pkgconfig(xi) >= 1.2.99.1 BuildRequires: pkgconfig(xkbfile) BuildRequires: pkgconfig(xmu) BuildRequires: pkgconfig(xp) BuildRequires: pkgconfig(xpm) BuildRequires: pkgconfig(xprintutil) BuildRequires: pkgconfig(xproto) >= 7.0.17 BuildRequires: pkgconfig(xrender) BuildRequires: pkgconfig(xres) BuildRequires: pkgconfig(xt) BuildRequires: pkgconfig(xtrans) >= 1.2.2 BuildRequires: pkgconfig(xtst) >= 1.0.99.2 BuildRequires: pkgconfig(xv) ### udev support (broken on openSUSE 11.2, see also bnc #589997) %if 0%{?suse_version} >= 1130 BuildRequires: pkgconfig(libudev) >= 143 %endif Version: 7.6_%{dirsuffix} Release: 0 Url: http://xorg.freedesktop.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-build %ifnarch s390 s390x Requires(pre): %fillup_prereq %endif Requires: pkgconfig Requires: xkbcomp Requires: xorg-x11-fonts-core %ifnarch s390 s390x Requires: libpixman-1-0 >= 0.24 %(cat %{SOURCE98}) %endif Requires: Mesa Provides: xorg-x11-Xvfb Provides: xorg-x11-server-glx Obsoletes: xorg-x11-Xvfb Obsoletes: xorg-x11-server-glx # Xvfb requires keyboard files as well (bnc#797124) Requires: xkeyboard-config # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch45: N_bug-197858_dpms.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch77: N_fbdevhw.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch79: N_edid_data_sanity_check.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch101: N_zap_warning_xserver.diff # PATCH-MISSING-TAG -- See 
http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch103: N_confine_to_shape.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch106: N_randr1_1-sig11.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch112: N_fix-dpi-values.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch127: N_dpms_screensaver.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch143: n_autoconf-On-Linux-give-fbdev-driver-a-higher-precedence-than-vesa.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch145: N_driver-autoconfig.diff # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch162: N_cache-xkbcomp-output-for-fast-start-up.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch200: N_bug534768-prefer_local_symbols.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch202: N_0001-Check-harder-for-primary-PCI-device.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch203: N_0001-Fix-segfault-when-killing-X-with-ctrl-alt-backspace.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch206: N_fix_fglrx_screendepth_issue.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch211: N_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch213: N_xorg-server-xdmcp.patch # PATCH-MISSING-TAG -- See http://wiki.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch222: N_sync-fix.patch Patch226: u_vgaHW-no-legacy.patch Patch228: u_aarch64-support.patch Patch229: 
u_disable-acpi-code.patch Patch230: u_xserver_xvfb-randr.patch Patch240: U_revert_dri2_realloc_dri2_drawable_if-pixmap_serial_changes.patch Patch242: U_randr_dont_directly_set_changed_bits_in_randr_screen.patch Patch243: U_randr_report_changes_when_we_disconnect_a_GPU_slave.patch Patch244: u_randr_send_rrproviderchangenotify_event.patch Patch245: u_randr_send_rrresourcechangenotify_event.patch Patch246: u_randr_deliver_output_and_crtc_events_of_attached_output.patch Patch247: u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch Patch248: N_randr_fix_abi.patch # PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 msrb@suse.com -- Fixes possible crash of server using invalid trapezoids. 2013-12-12 patch is waiting in mailing list to be upstreamed. Patch249: u_exa-only-draw-valid-trapezoids.patch Patch250: u_dri2_fix-detection-of-wrong-prime_id-in-getscreenprime.patch Patch251: U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch Patch252: U_dix_integer_overflow_in_ProcPutImage.patch Patch253: U_dix_integer_overflow_in_GetHosts.patch Patch254: U_dix_integer_overflow_in_RegionSizeof.patch Patch255: U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch Patch256: U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch Patch257: U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch Patch258: U_Xi_fix_modifier_offset_in_XIPassiveGrab_swapping_function.patch Patch259: U_Xi_unvalidated_lengths_in_Xinput_extension.patch Patch260: U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch Patch261: U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch Patch262: U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch Patch263: U_render_check_request_size_before_reading_it.patch Patch264: U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch Patch265: U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch Patch266: U_glx_Be_more_paranoid_about_variable_length_requests.patch 
Patch267: U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch Patch268: U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch Patch269: U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch Patch270: U_glx_Add_safe__add_mul_pad.patch Patch271: U_glx_Length_checking_for_GLXRender_requests.patch Patch272: U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch Patch273: U_glx_Length_checking_for_RenderLarge_requests.patch Patch274: U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch Patch275: U_glx_Request_length_checks_for_SetClientInfoARB.patch Patch276: U_glx_Length_checking_for_non_generated_vendor_private_requests.patch Patch277: U_glx_Length_checking_for_non_generated_single_request.patch Patch278: U_glx_Pass_remaining_request_length_into_varsize.patch Patch279: U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch Patch280: U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch Patch281: U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch Patch282: U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch Patch283: U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch Patch284: U_xkb-check-strings-length-against-request-size.patch %description This package contains the X.Org Server. %package extra Summary: Additional Xservers (Xdmx, Xephyr, Xnest) Group: System/X11/Servers/XF86_4 Requires: Mesa Requires: xkbcomp Requires: xkeyboard-config Requires: xorg-x11-fonts-core Provides: xorg-x11-Xnest Obsoletes: xorg-x11-Xnest %description extra This package contains additional Xservers (Xdmx, Xephyr, Xnest). 
%package sdk Summary: X Group: System/Libraries Requires: xorg-x11-proto-devel Requires: xorg-x11-server Requires: pkgconfig(fontconfig) Requires: pkgconfig(fontenc) Requires: pkgconfig(freetype2) Requires: pkgconfig(ice) Requires: pkgconfig(libdrm) Requires: pkgconfig(sm) Requires: pkgconfig(x11) Requires: pkgconfig(xau) Requires: pkgconfig(xdmcp) Requires: pkgconfig(xext) Requires: pkgconfig(xfixes) Requires: pkgconfig(xkbfile) Requires: pkgconfig(xmu) Requires: pkgconfig(xp) Requires: pkgconfig(xpm) Requires: pkgconfig(xprintutil) Requires: pkgconfig(xrender) Requires: pkgconfig(xt) Requires: pkgconfig(xtrans) Requires: pkgconfig(xv) Provides: xorg-x11-sdk Obsoletes: xorg-x11-sdk %description sdk This package contains the X.Org Server SDK. %prep %setup -q -n xorg-server-%{dirsuffix} -a4 # Early verification if the ABI Defines are correct. Let's not waste build cycles if the Provides are wrong at the end. sh %{SOURCE99} --verify . %{SOURCE98} cp %{SOURCE96} . %patch0 -p1 %patch2 %patch16 -p1 ### Needs to be rebased #%patch45 -p0 %patch77 %patch79 -p1 %patch101 -p1 %patch103 %patch106 -p1 %patch112 -p0 %patch127 -p1 %patch143 -p1 %patch145 -p0 ### disabled for now #%patch162 -p1 %patch200 -p1 %patch202 -p1 %patch203 -p1 %patch206 -p0 ### disabled for now #%patch211 -p1 %patch213 -p1 ### patch222 might not be applicable anymore #%patch222 -p1 %patch226 -p0 %patch228 -p1 %patch229 -p1 %patch230 -p1 %patch240 -p1 %patch242 -p1 %patch243 -p1 %patch244 -p1 %patch245 -p1 %patch246 -p1 %patch247 -p1 %patch248 -p1 %patch249 -p1 %patch250 -p1 %patch251 -p1 %patch252 -p1 %patch253 -p1 %patch254 -p1 %patch255 -p1 %patch256 -p1 %patch257 -p1 %patch258 -p1 %patch259 -p1 %patch260 -p1 %patch261 -p1 %patch262 -p1 %patch263 -p1 %patch264 -p1 %patch265 -p1 %patch266 -p1 %patch267 -p1 %patch268 -p1 %patch269 -p1 %patch270 -p1 %patch271 -p1 %patch272 -p1 %patch273 -p1 %patch274 -p1 %patch275 -p1 %patch276 -p1 %patch277 -p1 %patch278 -p1 %patch279 -p1 %patch280 -p1 %patch281 -p1 
%patch282 -p1 %patch283 -p1 %patch284 -p1 %build autoreconf -fi %configure CFLAGS="%{optflags} -fno-strict-aliasing" \ --sysconfdir=/etc \ --enable-install-libxf86config \ --enable-xdmcp \ --enable-xdm-auth-1 \ --enable-dri \ --enable-dri2 \ --enable-dmx \ --enable-xnest \ --enable-kdrive \ --enable-kdrive-evdev \ --enable-xephyr \ --disable-xfake \ --disable-xfbdev \ --enable-record \ --enable-xcsecurity \ --with-sha1=libcrypto \ %ifarch s390 s390x --disable-xorg \ --disable-aiglx \ %else --enable-xorg \ %if 0%{?suse_version} > 1120 --enable-config-udev \ %endif %endif --with-log-dir="/var/log" \ --with-os-name="openSUSE" \ --with-os-vendor="SUSE LINUX" \ --with-fontrootdir="/usr/share/fonts" \ --with-xkb-path="/usr/share/X11/xkb" \ --with-xkb-output="/var/lib/xkb/compiled" \ --with-default-font-path="/usr/share/fonts/misc:unscaled,\ /usr/share/fonts/Type1/,/usr/share/fonts/100dpi:unscaled,\ %if 0%{?suse_version} > 1210 /usr/share/fonts/75dpi:unscaled,/usr/share/fonts/ghostscript/,\ %else /usr/share/fonts/75dpi:unscaled,/usr/share/fonts/URW/,\ %endif /usr/share/fonts/cyrillic:unscaled,\ /usr/share/fonts/misc/sgi:unscaled,\ /usr/share/fonts/truetype/,built-ins" make %{?_smp_mflags} make -C hw/kdrive %{?_smp_mflags} %install %make_install make -C hw/kdrive install DESTDIR=%{buildroot} %ifnarch s390 s390x # remove .la files find %{buildroot}%{_libdir}/xorg/modules/ -name "*.la" | \ xargs rm install -m 644 hw/xfree86/parser/{xf86Parser.h,xf86Optrec.h} \ %{buildroot}%{_includedir}/xorg # bnc #632737 chmod u-s %{buildroot}%{_bindir}/Xorg mkdir -p %{buildroot}%{_localstatedir}/lib/X11 ln -snf ../../../usr/bin/Xorg %{buildroot}%{_localstatedir}/lib/X11/X ln -snf ../../var/lib/X11/X %{buildroot}%{_bindir}/X %if 0%{?suse_version} > 1120 %ifnarch s390 s390x mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d cp %{buildroot}/%{_datadir}/X11/xorg.conf.d/10-evdev.conf %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/ %endif %endif mkdir -p 
%{buildroot}%{_libdir}/xorg/modules/updates/{fonts,input,linux,drivers,multimedia,extensions} install -m 644 $RPM_SOURCE_DIR/README.updates %{buildroot}%{_libdir}/xorg/modules/updates %else rm -f %{buildroot}%{_datadir}/aclocal/*.m4 %endif %ifarch s390 s390x rm -f %{buildroot}%{_sysconfdir}/X11/10-evdev.conf make -C hw/xfree86/parser mkdir -p %{buildroot}%{_includedir}/xorg \ %{buildroot}%{_libdir} install -m 644 hw/xfree86/parser/{xf86Parser.h,xf86Optrec.h} \ %{buildroot}%{_includedir}/xorg install -m 644 include/list.h \ %{buildroot}%{_includedir}/xorg if [ -f hw/xfree86/parser/.libs/libxf86config.a ] ; then install -m 644 hw/xfree86/parser/.libs/libxf86config.a \ %{buildroot}//usr/%{_lib} else install -m 644 hw/xfree86/parser/libxf86config.a \ %{buildroot}//usr/%{_lib} fi %endif %ifnarch s390 s390x mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates install -m 644 %_sourcedir/sysconfig.displaymanager.template \ %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.displaymanager-%{name} %endif install -m 755 $RPM_SOURCE_DIR/xorg-backtrace %{buildroot}%{_bindir}/xorg-backtrace install -D xorg-x11-server.macros %{buildroot}%{_sysconfdir}/rpm/macros.xorg-server %post %ifnarch s390 s390x %{fillup_only -an displaymanager} if [ -f etc/X11/xorg.conf ]; then # Document how to restore previous input driver behaviour in xorg.conf files created # on openSUSE <= 11.1 if ! grep -q "will be disabled unless 'Option \"AutoAddDevices\" \"off\"'" etc/X11/xorg.conf; then if ! grep -q "\"AutoAddDevices\" \"off\"" etc/X11/xorg.conf; then sed -i ' /Section "ServerFlags"/{ h g a\ # Uncomment the following option to reenable kbd/mouse driver input sections. \ # Otherwise evdev driver is used. 
\ #Option "AutoAddDevices" "off" } ' etc/X11/xorg.conf fi fi fi %endif exit 0 %files %defattr(-,root,root) %ifnarch s390 s390x %if 0%{?suse_version} > 1120 %dir %{_sysconfdir}/X11/xorg.conf.d %config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-evdev.conf %dir %{_datadir}/X11/xorg.conf.d %{_datadir}/X11/xorg.conf.d/10-evdev.conf %endif %dir %{_localstatedir}/lib/X11 %endif %dir %{_localstatedir}/lib/xkb %dir %{_localstatedir}/lib/xkb/compiled %dir %{_libdir}/xorg %{_libdir}/xorg/protocol.txt %{_mandir}/man1/* %exclude %{_mandir}/man1/Xdmx.1* %exclude %{_mandir}/man1/Xephyr.1* %exclude %{_mandir}/man1/Xnest.1* %{_localstatedir}/lib/xkb/compiled/README.compiled %ifnarch s390 s390x %{_bindir}/Xorg %{_bindir}/X %{_bindir}/cvt %{_bindir}/gtf %{_libdir}/xorg/modules/ %{_mandir}/man4/* %{_mandir}/man5/* %{_localstatedir}/adm/fillup-templates/sysconfig.displaymanager-%{name} %{_localstatedir}/lib/X11/X %endif %{_bindir}/Xvfb %{_bindir}/xorg-backtrace %files extra %defattr(-,root,root) %{_bindir}/Xephyr %{_bindir}/Xnest %{_bindir}/Xdmx %{_bindir}/dmxaddinput %{_bindir}/dmxaddscreen %{_bindir}/dmxinfo %{_bindir}/dmxreconfig %{_bindir}/dmxresize %{_bindir}/dmxrminput %{_bindir}/dmxrmscreen %{_bindir}/dmxtodmx %{_bindir}/dmxwininfo %{_bindir}/vdltodmx %{_bindir}/xdmxconfig %{_mandir}/man1/Xdmx.1* %{_mandir}/man1/Xephyr.1* %{_mandir}/man1/Xnest.1* %files sdk %defattr(-,root,root) %{_includedir}/xorg/ %{_libdir}/*.a %ifnarch s390 s390x %exclude %{_libdir}/libxf86config.la %{_libdir}/pkgconfig/*.pc %{_datadir}/aclocal/*.m4 %endif %{_sysconfdir}/rpm/macros.xorg-server %changelog ++++++ N_0001-Check-harder-for-primary-PCI-device.patch ++++++
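Review bot: `Source0` is an `http://` URL and the spec lists no detached signature or keyring among its `Source` entries, so nothing in the package lets the build or a reviewer verify that `xorg-server-%{dirsuffix}.tar.bz2` matches the upstream release. If upstream publishes a signature for this tarball, adding it and the signing keyring as extra `Source` lines would make that check repeatable; whether one exists for this prerelease is not visible on the page. Separately, `find ... -name "*.la" | xargs rm` in `%install` fails when no `.la` file is present, which `find ... -name "*.la" -delete` avoids.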
From 35540106538b24ca1765e752fe9d6efc968a88fa Mon Sep 17 00:00:00 2001 From: Egbert Eich <eich@linux-p1mv.site> Date: Wed, 7 Oct 2009 16:31:44 +0200 Subject: [PATCH] Check harder for primary PCI device.
Primary PCI devices are identified by checking for an 'PCIINFOCLASSES' device which is VGA and has access to the memory bars enabled. If there should be more than one device for which this is true redo the check and also check if IO resoures are also enabled, if this still doesn't turn up a unique result also check for the presence of a BIOS rom. ================================================================================ Index: xorg-server-1.12.1/hw/xfree86/common/xf86pciBus.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86pciBus.c +++ xorg-server-1.12.1/hw/xfree86/common/xf86pciBus.c 
@@ -134,9 +134,50 @@ xf86PciProbe(void) primaryBus.id.pci = info; } else { - xf86Msg(X_NOTICE, - "More than one possible primary device found\n"); - primaryBus.type ^= (BusType) (-1); + /* + * Ok, we found more than one possible primary device with this heuristic + * Now also check if IO is enabled. + */ + int j; + + primaryBus.type = BUS_NONE; + for (j = 0; j < num; j++) { + info = xf86PciVideoInfo[j]; + pci_device_cfg_read_u16(info, & command, 4); + + if ((command & PCI_CMD_MEM_ENABLE) + && (command & PCI_CMD_IO_ENABLE) + && (IS_VGA(info->device_class))) { + if (primaryBus.type == BUS_NONE) { + primaryBus.type = BUS_PCI; + primaryBus.id.pci = info; + } else { + primaryBus.type = BUS_NONE; + for (j = 0; j < num; j++) { + info = xf86PciVideoInfo[j]; + pci_device_cfg_read_u16(info, & command, 4); + + if ((command & PCI_CMD_MEM_ENABLE) + && (command & PCI_CMD_IO_ENABLE) + && (IS_VGA(info->device_class)) + && info->rom_size) { + if (primaryBus.type == BUS_NONE) { + primaryBus.type = BUS_PCI; + primaryBus.id.pci = info; + } else { + xf86Msg(X_NOTICE, + "More than one possible primary device found\n"); + primaryBus.type ^= (BusType)(-1); + break; + } + } + } + break; + } + } + } + break; + } } } ++++++ N_0001-Fix-segfault-when-killing-X-with-ctrl-alt-backspace.patch ++++++ Index: xorg-server-1.12.1/mi/misprite.c =================================================================== --- xorg-server-1.12.1.orig/mi/misprite.c +++ xorg-server-1.12.1/mi/misprite.c @@ -378,6 +378,7 @@ miSpriteCloseScreen(int i, ScreenPtr pSc pScreen->InstallColormap = pScreenPriv->InstallColormap; pScreen->StoreColors = pScreenPriv->StoreColors; + miSpriteDisableDamage(pScreen, pScreenPriv); DamageDestroy(pScreenPriv->pDamage); free(pScreenPriv); ++++++ N_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch ++++++
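Review bot: The return value of `pci_device_cfg_read_u16(info, & command, 4)` is ignored in both added loops, so if a config-space read fails, `command` (declared outside this hunk) presumably still holds the previous device's bits and the device is judged on stale data. Skipping the device on failure avoids that: `if (pci_device_cfg_read_u16(info, &command, 4) != 0) continue;`. The inner loop also reuses the outer index `j`, which is only safe because of the `break` that follows it; a separate index and a named constant for the command-register offset `4` would make the fallback easier to audit. xf86PciProbe begins and ends outside this hunk.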
From d1d9d4e5f8f9ac1d22e1258759d6ee9e49c7fe90 Mon Sep 17 00:00:00 2001 From: Egbert Eich <eich@freedesktop.org> Date: Fri, 9 Apr 2010 15:10:32 +0200 Subject: [PATCH] Prevent XSync Alarms from senslessly calling CheckTrigger() when inactive.
If an XSync Alarm is set to inactive there is no need to check if a trigger needs to fire. Doing so if the counter is the IdleCounter will put the server on 100 percent CPU load since the select timeout is set to 0. --- xorg-server-1.8.0/Xext/sync.c | 11 +++++++++-- xorg-server-1.8.0/Xext/syncsrv.h | 1 + 2 files changed, 10 insertions(+), 2 deletions(-) Index: xorg-server-1.8.0/Xext/sync.c =================================================================== --- xorg-server-1.8.0.orig/Xext/sync.c +++ xorg-server-1.8.0/Xext/sync.c @@ -518,6 +518,10 @@ SyncAlarmTriggerFired(SyncTrigger *pTrig pAlarm->state = XSyncAlarmInactive; } } + /* Stop server from looping! */ + if (pAlarm->state == XSyncAlarmInactive) + SyncDeleteTriggerFromCounter(&pAlarm->trigger); + /* The AlarmNotify event has to have the "new state of the alarm" * which we can't be sure of until this point. However, it has * to have the "old" trigger test value. That's the reason for @@ -730,7 +734,7 @@ SyncChangeAlarmAttributes(ClientPtr clie XSyncCounter counter; Mask origmask = mask; - counter = pAlarm->trigger.pCounter ? pAlarm->trigger.pCounter->id : None; + counter = pAlarm->counter_id; while (mask) { @@ -741,7 +745,7 @@ SyncChangeAlarmAttributes(ClientPtr clie case XSyncCACounter: mask &= ~XSyncCACounter; /* sanity check in SyncInitTrigger */ - counter = *values++; + counter = pAlarm->counter_id = *values++; break; case XSyncCAValueType: @@ -808,6 +812,14 @@ SyncChangeAlarmAttributes(ClientPtr clie return BadMatch; } } + if (pAlarm->state == XSyncAlarmInactive) { + /* + * If we are inactive the trigger has been deleted from the counter. + * Persuade SyncInitTrigger() to readd it. + */ + origmask |= XSyncCACounter; + pAlarm->trigger.pCounter = NULL; + } /* postpone this until now, when we're sure nothing else can go wrong */ if ((status = SyncInitTrigger(client, &pAlarm->trigger, counter, 
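Review bot: In the `XSyncCACounter` case of SyncChangeAlarmAttributes, `counter = pAlarm->counter_id = *values++;` stores the client-supplied id in the alarm before it has been validated; the comment on that case says the sanity check happens later in SyncInitTrigger. If that check rejects the id, the alarm appears to keep the rejected value, and the new inactive-alarm branch in the `-808` hunk will force a counter lookup with it on the next change request. Assigning `pAlarm->counter_id = counter;` only after SyncInitTrigger has returned Success would keep the stored id consistent with the trigger. The function starts and ends outside these hunks.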
@@ -815,6 +827,7 @@ SyncChangeAlarmAttributes(ClientPtr clie return status; /* XXX spec does not really say to do this - needs clarification */ + /* It's the only place where it is set to XSyncAlarmActive! */ pAlarm->state = XSyncAlarmActive; return Success; } @@ -1617,8 +1630,10 @@ ProcSyncCreateAlarm(ClientPtr client) pAlarm->client = client; pAlarm->alarm_id = stuff->id; + pAlarm->counter_id = None; XSyncIntToValue(&pAlarm->delta, 1L); pAlarm->events = TRUE; + /* SyncChangeAlarmAttributes() changes this - no need to set this here! */ pAlarm->state = XSyncAlarmInactive; pAlarm->pEventClients = NULL; status = SyncChangeAlarmAttributes(client, pAlarm, vmask, Index: xorg-server-1.8.0/Xext/syncsrv.h =================================================================== --- xorg-server-1.8.0.orig/Xext/syncsrv.h +++ xorg-server-1.8.0/Xext/syncsrv.h @@ -129,6 +129,7 @@ typedef struct _SyncAlarm { int events; int state; SyncAlarmClientList *pEventClients; + XSyncCounter counter_id; } SyncAlarm; typedef struct { ++++++ N_bug-197858_dpms.diff ++++++ Index: hw/xfree86/common/xf86Events.c =================================================================== --- hw/xfree86/common/xf86Events.c.orig +++ hw/xfree86/common/xf86Events.c @@ -115,6 +115,7 @@ typedef struct x_IHRec { InputHandlerProc ihproc; pointer data; Bool enabled; + Bool is_input; struct x_IHRec *next; } IHRec, *IHPtr; @@ -445,9 +446,13 @@ xf86VTSwitch(void) * Keep the order: Disable Device > LeaveVT * EnterVT > EnableDevice */ - for (ih = InputHandlers; ih; ih = ih->next) + for (ih = InputHandlers; ih; ih = ih->next) { + if (ih->is_input) xf86DisableInputHandler(ih); - for (pInfo = xf86InputDevs; pInfo; pInfo = pInfo->next) { + else + xf86DisableGeneralHandler(ih); + } + for (pInfo = xf86InputDevs; pInfo; pInfo = pInfo->next) { if (pInfo->dev) { xf86ReleaseKeys(pInfo->dev); ProcessInputEvents(); 
@@ -486,8 +491,12 @@ xf86VTSwitch(void) EnableDevice(pInfo->dev, TRUE); pInfo = pInfo->next; } - for (ih = InputHandlers; ih; ih = ih->next) - xf86EnableInputHandler(ih); + for (ih = InputHandlers; ih; ih = ih->next) { + if (ih->is_input) + xf86EnableInputHandler(ih); + else + xf86EnableGeneralHandler(ih); + } xf86UnblockSIGIO(prevSIGIO); @@ -542,8 +551,12 @@ xf86VTSwitch(void) pInfo = pInfo->next; } - for (ih = InputHandlers; ih; ih = ih->next) - xf86EnableInputHandler(ih); + for (ih = InputHandlers; ih; ih = ih->next) { + if (ih->is_input) + xf86EnableInputHandler(ih); + else + xf86EnableGeneralHandler(ih); + } xf86UnblockSIGIO(prevSIGIO); } @@ -579,8 +592,10 @@ xf86AddInputHandler(int fd, InputHandler { IHPtr ih = addInputHandler(fd, proc, data); - if (ih) + if (ih) { AddEnabledDevice(fd); + ih->is_input = TRUE; + } return ih; } ++++++ N_bug534768-prefer_local_symbols.patch ++++++ Index: xorg-server-1.12.1/hw/xfree86/loader/loader.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/loader/loader.c +++ xorg-server-1.12.1/hw/xfree86/loader/loader.c @@ -152,7 +152,7 @@ LoaderSymbol(const char *name) return p; if (!global_scope) - global_scope = dlopen(NULL, DLOPEN_LAZY | DLOPEN_GLOBAL); + global_scope = dlopen(NULL, DLOPEN_LAZY | DLOPEN_GLOBAL | RTLD_DEEPBIND); if (global_scope) return dlsym(global_scope, name); ++++++ N_cache-xkbcomp-output-for-fast-start-up.patch ++++++
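Review bot: `is_input` is assigned only in xf86AddInputHandler (`ih->is_input = TRUE;`), yet the three loops changed in xf86VTSwitch branch on it for every handler in the list. Handlers registered through any other path therefore depend on addInputHandler returning zeroed memory, which this patch does not show. Setting `ih->is_input = FALSE;` where the record is allocated, plus a one-line comment on the new IHRec field saying what it distinguishes, would make the VT-switch behaviour independent of the allocator.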
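Review bot: `RTLD_DEEPBIND` is a glibc extension and is used here without a guard, next to flags that go through the loader's own `DLOPEN_*` macros, so the file stops compiling on a libc that lacks it. A fallback near the other dlopen flag definitions would fix that: `#ifndef RTLD_DEEPBIND` / `#define RTLD_DEEPBIND 0` / `#endif`. Since the flag alters symbol resolution order, the `dlopen(NULL, …)` call also deserves a comment saying why local symbols are to be preferred for `global_scope`. LoaderSymbol continues outside the hunk.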
From 0f70ba9d3412b17ac4e08e33e1be3c226c06ea54 Mon Sep 17 00:00:00 2001 From: Yan Li <yan.i.li@intel.com> Date: Tue, 12 May 2009 17:49:07 +0800 Subject: [PATCH] XKB: cache xkbcomp output for fast start-up v5 for 1.6.1 Organization: Intel
xkbcomp outputs will be cached in files with hashed keymap as names. This saves boot time for around 1s on commodity netbooks. Signed-off-by: Yan Li <yan.i.li@intel.com> ================================================================================ --- xorg-server-1.7.99/configure.ac +++ xorg-server-1.7.99/configure.ac @@ -527,9 +527,9 @@ AC_ARG_WITH(xkb-path, AS_HELP_STRING([--with-xkb-path=PATH], [Path to XKB base dir (default: ${datadir}/X11/xkb)]), [ XKBPATH="$withval" ], [ XKBPATH="${datadir}/X11/xkb" ]) -AC_ARG_WITH(xkb-output, AS_HELP_STRING([--with-xkb-output=PATH], [Path to XKB output dir (default: ${datadir}/X11/xkb/compiled)]), +AC_ARG_WITH(xkb-output, AS_HELP_STRING([--with-xkb-output=PATH], [Path to XKB output dir (default: ${localstatedir}/cache/xkb)]), [ XKBOUTPUT="$withval" ], - [ XKBOUTPUT="compiled" ]) + [ XKBOUTPUT="${localstatedir}/cache/xkb" ]) AC_ARG_WITH(default-xkb-rules, AS_HELP_STRING([--with-default-xkb-rules=RULES], [Keyboard ruleset (default: base/evdev)]), [ XKB_DFLT_RULES="$withval" ], @@ -1160,7 +1160,7 @@ dnl Make sure XKM_OUTPUT_DIR is an absolute path XKBOUTPUT_FIRSTCHAR=`echo $XKBOUTPUT | cut -b 1` if [[ x$XKBOUTPUT_FIRSTCHAR != x/ -a x$XKBOUTPUT_FIRSTCHAR != 'x$' ]] ; then - XKBOUTPUT="$XKB_BASE_DIRECTORY/$XKBOUTPUT" + AC_MSG_ERROR([xkb-output must be an absolute path.]) fi dnl XKM_OUTPUT_DIR (used in code) must end in / or file names get hosed --- xorg-server-1.7.99/xkb/README.compiled +++ xorg-server-1.7.99/xkb/README.compiled 
@@ -4,10 +4,10 @@ or some other tool might destroy or replace the files in this directory, so it is not a safe place to store compiled keymaps for long periods of time. The default keymap for any server is usually stored in: - X<num>-default.xkm -where <num> is the display number of the server in question, which makes -it possible for several servers *on the same host* to share the same -directory. + server-<SHA1>.xkm + +where <SHA1> is the SHA1 hash of keymap source, so that compiled +keymap of different keymap sources are stored in different files. Unless the X server is modified, sharing this directory between servers on different hosts could cause problems. --- xorg-server-1.9.0/xkb/ddxLoad.c.orig 2010-07-14 22:23:17.000000000 +0200 +++ xorg-server-1.9.0/xkb/ddxLoad.c 2010-08-23 15:23:47.000000000 +0200 @@ -30,6 +30,12 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. #include <xkb-config.h> +#ifdef HAVE_SHA1_IN_LIBMD /* Use libmd for SHA1 */ +# include <sha1.h> +#else /* Use OpenSSL's libcrypto */ +# include <stddef.h> /* buggy openssl/sha.h wants size_t */ +# include <openssl/sha.h> +#endif #include <stdio.h> #include <ctype.h> #include <X11/X.h> 
@@ -43,24 +49,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE. #define XKBSRV_NEED_FILE_FUNCS #include <xkbsrv.h> #include <X11/extensions/XI.h> +#include <errno.h> #include "xkb.h" #if defined(CSRG_BASED) || defined(linux) || defined(__GNU__) #include <paths.h> #endif - /* - * If XKM_OUTPUT_DIR specifies a path without a leading slash, it is - * relative to the top-level XKB configuration directory. - * Making the server write to a subdirectory of that directory - * requires some work in the general case (install procedure - * has to create links to /var or somesuch on many machines), - * so we just compile into /usr/tmp for now. - */ -#ifndef XKM_OUTPUT_DIR -#define XKM_OUTPUT_DIR "compiled/" -#endif - #define PRE_ERROR_MSG "\"The XKEYBOARD keymap compiler (xkbcomp) reports:\"" #define ERROR_PREFIX "\"> \"" #define POST_ERROR_MSG1 "\"Errors from xkbcomp are not fatal to the X server\"" @@ -175,6 +170,45 @@ OutputDirectory( } static Bool +Sha1Asc(char sha1Asc[SHA_DIGEST_LENGTH*2+1], const char * input) +{ + int i; + unsigned char sha1[SHA_DIGEST_LENGTH]; + +#ifdef HAVE_SHA1_IN_LIBMD /* Use libmd for SHA1 */ + SHA1_CTX ctx; + + SHA1Init (&ctx); + SHA1Update (&ctx, input, strlen(input)); + SHA1Final (sha1, &ctx); +#else /* Use OpenSSL's libcrypto */ + SHA_CTX ctx; + int success; + + success = SHA1_Init (&ctx); + if (! success) + return BadAlloc; + + success = SHA1_Update (&ctx, input, strlen(input)); + if (! success) + return BadAlloc; + + success = SHA1_Final (sha1, &ctx); + if (! success) + return BadAlloc; +#endif + + /* convert sha1 to sha1_asc */ + for(i=0; i<SHA_DIGEST_LENGTH; ++i) { + sprintf(sha1Asc+i*2, "%02X", sha1[i]); + } + + return Success; +} + +/* call xkbcomp and compile XKB keymap, return xkm file name in + nameRtrn */ +static Bool XkbDDXCompileKeymapByNames( XkbDescPtr xkb, XkbComponentNamesPtr names, unsigned want, 
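Review bot: Sha1Asc is declared `static Bool` but returns the X status codes `Success` and `BadAlloc`, and `Success` is the zero value, so a caller that tests the result as a boolean gets the opposite answer. The caller added later in this patch compares against `Success` explicitly, so it works today, but the signature invites an `if (Sha1Asc(...))` mistake. Declaring it `static int` and adding a header comment that the output buffer receives `SHA_DIGEST_LENGTH*2` hex digits plus a terminator would document the contract. Using `snprintf(sha1Asc + i*2, 3, "%02X", sha1[i]);` in the loop would also make the bound explicit.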
@@ -183,7 +217,11 @@ XkbDDXCompileKeymapByNames( XkbDescPtr int nameRtrnLen) { FILE * out; - char *buf = NULL, keymap[PATH_MAX], xkm_output_dir[PATH_MAX]; + char * buf = NULL, xkmfile[PATH_MAX], xkm_output_dir[PATH_MAX]; + char * tmpXkmFile = NULL; + char * canonicalXkmFileName = NULL; + char sha1Asc[SHA_DIGEST_LENGTH*2+1], xkbKeyMapBuf[100*1024]; + int ret, result; const char *emptystring = ""; char *xkbbasedirflag = NULL; 
@@ -194,15 +232,70 @@ XkbDDXCompileKeymapByNames( XkbDescPtr /* WIN32 has no popen. The input must be stored in a file which is used as input for xkbcomp. xkbcomp does not read from stdin. */ char tmpname[PATH_MAX]; - const char *xkmfile = tmpname; + const char *xkbfile = tmpname; #else - const char *xkmfile = "-"; + const char *xkbfile = "-"; +#endif + + /* Write keymap source (xkbfile) to memory buffer `xkbKeyMapBuf', + of which SHA1 is generated and used as result xkm file name */ + memset(xkbKeyMapBuf, 0, sizeof(xkbKeyMapBuf)); + out = fmemopen(xkbKeyMapBuf, sizeof(xkbKeyMapBuf), "w"); + if (NULL == out) { + ErrorF("[xkb] Open xkbKeyMapBuf for writing failed\n"); + return FALSE; + } + ret = XkbWriteXKBKeymapForNames(out, names, xkb, want, need); + if (fclose(out) !=0) + { + ErrorF("[xkb] XkbWriteXKBKeymapForNames error, perhaps xkbKeyMapBuf is too small\n"); + return FALSE; + } +#ifdef DEBUG + if (xkbDebugFlags) { + ErrorF("[xkb] XkbDDXCompileKeymapByNames compiling keymap:\n"); + fputs(xkbKeyMapBuf, stderr); + } #endif + if (!ret) { + ErrorF("[xkb] Generating XKB Keymap failed, giving up compiling keymap\n"); + return FALSE; + } - snprintf(keymap, sizeof(keymap), "server-%s", display); + DebugF("[xkb] computing SHA1 of keymap\n"); + if (Success == Sha1Asc(sha1Asc, xkbKeyMapBuf)) { + snprintf(xkmfile, sizeof(xkmfile), "server-%s", sha1Asc); + } + else { + ErrorF("[xkb] Computing SHA1 of keymap failed, " + "using display name instead as xkm file name\n"); + snprintf(xkmfile, sizeof(xkmfile), "server-%s", display); + } OutputDirectory(xkm_output_dir, sizeof(xkm_output_dir)); + /* set nameRtrn, fail if it's too small */ + if ((strlen(xkmfile)+1 > nameRtrnLen) && nameRtrn) { + ErrorF("[xkb] nameRtrn too small to hold xkmfile name\n"); + return FALSE; + } + strncpy(nameRtrn, xkmfile, nameRtrnLen); + + /* if the xkm file already exists, reuse it */ + canonicalXkmFileName = Xprintf("%s%s.xkm", xkm_output_dir, xkmfile); + if (access(canonicalXkmFileName, R_OK) == 0) { 
+ /* yes, we can reuse the old xkm file */ + LogMessage(X_INFO, "XKB: reuse xkmfile %s\n", canonicalXkmFileName); + result = TRUE; + goto _ret; + } + LogMessage(X_INFO, "XKB: generating xkmfile %s\n", canonicalXkmFileName); + + /* continue to call xkbcomp to compile the keymap. to avoid race + condition, we compile it to a tmpfile then rename it to + xkmfile */ + + #ifdef WIN32 strcpy(tmpname, Win32TempDir()); strcat(tmpname, "\\xkb_XXXXXX"); @@ -225,14 +318,20 @@ XkbDDXCompileKeymapByNames( XkbDescPtr } } + if ( (tmpXkmFile = tempnam(xkm_output_dir, NULL)) == NULL ) { + ErrorF("[xkb] Can't generate temp xkm file name"); + result = FALSE; + goto _ret; + } + buf = Xprintf("\"%s%sxkbcomp\" -w %d %s -xkm \"%s\" " - "-em1 %s -emp %s -eml %s \"%s%s.xkm\"", + "-em1 %s -emp %s -eml %s \"%s\"", xkbbindir, xkbbindirsep, ( (xkbDebugFlags < 2) ? 1 : ((xkbDebugFlags > 10) ? 10 : (int)xkbDebugFlags) ), - xkbbasedirflag ? xkbbasedirflag : "", xkmfile, + xkbbasedirflag ? xkbbasedirflag : "", xkbfile, PRE_ERROR_MSG, ERROR_PREFIX, POST_ERROR_MSG1, - xkm_output_dir, keymap); + tmpXkmFile); free(xkbbasedirflag); @@ -240,7 +339,12 @@ XkbDDXCompileKeymapByNames( XkbDescPtr LogMessage(X_ERROR, "XKB: Could not invoke xkbcomp: not enough memory\n"); return FALSE; } - + + /* there's a potential race condition between calling tempnam() + and invoking xkbcomp to write the result file (potential temp + file name conflicts), but since xkbcomp is a standalone + program, we have to live with this */ + #ifndef WIN32 out= Popen(buf,"w"); #else 
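Review bot: `strncpy(nameRtrn, xkmfile, nameRtrnLen);` now runs unconditionally, although the length test just above it (`... && nameRtrn`) and the code this patch removes (`if (nameRtrn) { ... }`) both allow `nameRtrn` to be NULL. A caller that passes no return buffer would make the server dereference NULL. Guarding the copy restores the old contract: `if (nameRtrn) strncpy(nameRtrn, xkmfile, nameRtrnLen);`. Separately, the result of `Xprintf("%s%s.xkm", ...)` is handed to access() without a NULL check. XkbDDXCompileKeymapByNames begins before this hunk and continues after it.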
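Review bot: `tempnam(xkm_output_dir, NULL)` only returns a name without creating the file, and it prefers the `TMPDIR` environment variable over the directory passed in, so the path given to xkbcomp is predictable and may not even lie inside the cache directory. For a server that can run with elevated privileges this leaves a window in which another local user can create that path first, and a `TMPDIR` on a different filesystem makes the later rename() fail. Creating the file with mkstemp() from a template inside `xkm_output_dir` closes the window; it needs an `int tmpfd` next to the other locals and assumes xkbcomp will write over the existing empty file, which should be confirmed. The cache directory itself should be writable only by the user the server runs as, because any `server-<SHA1>.xkm` found there is reused without further checks.

```c
/* create the temp file ourselves, inside the cache directory */
tmpXkmFile = Xprintf("%sxkm_XXXXXX", xkm_output_dir);
if (tmpXkmFile == NULL || (tmpfd = mkstemp(tmpXkmFile)) < 0) {
    ErrorF("[xkb] Can't create temp xkm file\n");
    result = FALSE;
    goto _ret;
}
close(tmpfd);

/* … unchanged: buf = Xprintf(...) building the xkbcomp command line … */
```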
@@ -248,31 +352,42 @@ XkbDDXCompileKeymapByNames( XkbDescPtr #endif if (out!=NULL) { -#ifdef DEBUG - if (xkbDebugFlags) { - ErrorF("[xkb] XkbDDXCompileKeymapByNames compiling keymap:\n"); - XkbWriteXKBKeymapForNames(stderr,names,xkb,want,need); - } -#endif - XkbWriteXKBKeymapForNames(out,names,xkb,want,need); + /* write XKBKeyMapBuf to xkbcomp */ + if (EOF==fputs(xkbKeyMapBuf, out)) + { + ErrorF("[xkb] Sending keymap to xkbcomp failed\n"); + result = FALSE; + goto _ret; + } #ifndef WIN32 if (Pclose(out)==0) #else if (fclose(out)==0 && System(buf) >= 0) #endif { + /* xkbcomp success */ if (xkbDebugFlags) DebugF("[xkb] xkb executes: %s\n",buf); - if (nameRtrn) { - strncpy(nameRtrn,keymap,nameRtrnLen); - nameRtrn[nameRtrnLen-1]= '\0'; + /* if canonicalXkmFileName already exists now, we simply + overwrite it, this is OK */ + ret = rename(tmpXkmFile, canonicalXkmFileName); + if (0 != ret) { + ErrorF("[xkb] Can't rename %s to %s, error: %s\n", + tmpXkmFile, canonicalXkmFileName, + strerror(errno)); + + /* in case of error, don't unlink tmpXkmFile, leave it + for debugging */ + + result = FALSE; + goto _ret; } - if (buf != NULL) - free(buf); - return TRUE; + + result = TRUE; + goto _ret; } else - LogMessage(X_ERROR, "Error compiling keymap (%s)\n", keymap); + LogMessage(X_ERROR, "Error compiling keymap (%s)\n", xkbfile); #ifdef WIN32 /* remove the temporary file */ unlink(tmpname); @@ -289,7 +404,17 @@ XkbDDXCompileKeymapByNames( XkbDescPtr nameRtrn[0]= '\0'; if (buf != NULL) free(buf); - return FALSE; + result = FALSE; + +_ret: + if (tmpXkmFile) + free(tmpXkmFile); + if (canonicalXkmFileName) + xfree(canonicalXkmFileName); + if (buf != NULL) + xfree (buf); + + return result; } static FILE * 
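Review bot: When `fputs(xkbKeyMapBuf, out)` fails, the added branch jumps to `_ret` with `out` still open, so the pipe opened by Popen() and the xkbcomp process behind it are never closed on that path. Calling `Pclose(out);` (`fclose(out);` in the WIN32 build) before `goto _ret;` avoids the leak. The success path also drops the old `nameRtrn[nameRtrnLen-1]= '\0';`, so termination of `nameRtrn` now rests on the earlier length check alone; a comment there should say so.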
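Review bot: The failure path releases `buf` twice: the unchanged `if (buf != NULL) free(buf);` just above the new `_ret:` label falls through into the added `if (buf != NULL) xfree (buf);`. Either drop the first free or clear the pointer after it, `free(buf); buf = NULL;`, so that the shared cleanup is the only place that releases it. The cleanup also mixes `free` and `xfree` across the three pointers; using one of them consistently would make the block easier to check.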
@@ -373,7 +498,6 @@ unsigned missing; DebugF("Loaded XKB keymap %s, defined=0x%x\n",fileName,(*xkbRtrn)->defined); } fclose(file); - (void) unlink (fileName); return (need|want)&(~missing); } ++++++ N_confine_to_shape.diff ++++++ --- dix/events.c.orig 2012-04-17 11:34:39.714915372 -0500 +++ dix/events.c 2012-04-17 11:26:54.735728478 -0500 
@@ -671,32 +671,77 @@ { BoxRec box; int x = *px, y = *py; - int incx = 1, incy = 1; + int nbox; + BoxPtr pbox; + int d, min = (~0U >> 1), dx2, dy2, x_r, y_r; if (RegionContainsPoint(shape, x, y, &box)) return; - box = *RegionExtents(shape); - /* this is rather crude */ - do { - x += incx; - if (x >= box.x2) { - incx = -1; - x = *px - 1; + + for (nbox = REGION_NUM_RECTS (shape), + pbox = REGION_RECTS(shape); + nbox--; + pbox++) + { + if (pbox->x1 < x && pbox->x2 > x) { + d = pbox->y1 - y; + if (d >= 0) { + d *= d; + if (d < min) { + *px = x; + *py = pbox->y1 + 1; + min = d; + } + } else { + d = pbox->y2 - y; d *= d; + if (d < min) { + *px = x; + *py = pbox->y2 - 1; + min = d; + } + } } - else if (x < box.x1) { - incx = 1; - x = *px; - y += incy; - if (y >= box.y2) { - incy = -1; - y = *py - 1; + else if (pbox->y1 < y && pbox->y2 > y) { + d = pbox->x1 - x; + if (d >= 0) { + d *= d; + if (d < min) { + *px = pbox->x1 + 1; + *py = y; + min = d; + } + } else { + d = pbox->x2 - x; d *= d; + if (d < min) { + *px = pbox->x2 - 1; + *py = y; + min = d; + } + } + } else { + dx2 = pbox->x1 - x; + if (dx2 >= 0) { + dx2 *= dx2; + x_r = pbox->x1 + 1; + } else { + dx2 = pbox->x2 - x; dx2 *= dx2; + x_r = pbox->x2 - 1; + } + dy2 = pbox->y1 - y; + if (dy2 >= 0) { + dy2 *= dy2; + y_r = pbox->y1 + 1; + } else { + dy2 = pbox->y2 - y; dy2 *= dy2; + y_r = pbox->y2 - 1; + } + if ((d = dx2 + dy2) < min) { + *px = x_r; + *py = y_r; + min = d; } - else if (y < box.y1) - return; /* should never get here! */ } - } while (!RegionContainsPoint(shape, x, y, &box)); - *px = x; - *py = y; + } } static void ++++++ N_dpms_screensaver.diff ++++++ Index: xorg-server-1.12.1/hw/xfree86/common/xf86DPMS.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86DPMS.c +++ xorg-server-1.12.1/hw/xfree86/common/xf86DPMS.c 
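Review bot: The squared distances in the new loop (`d *= d`, `dx2 *= dx2`, `dy2 *= dy2`, then `dx2 + dy2`) are computed in `int` and compared against `min = (~0U >> 1)`, so with a pointer far enough from a box the signed multiplication can overflow, which is undefined behaviour and could make a distant rectangle compare as the nearest one. Whether the coordinates can get that large depends on types declared outside the hunk. Keeping the signed difference in one variable and squaring it into a wider unsigned variable (with `min` of the same type) removes the overflow. Also, if the region has no rectangles the loop never runs and `*px`/`*py` stay outside the shape; a comment saying that this is acceptable, or a fallback, would help. The enclosing function starts before the hunk.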
@@ -151,7 +151,8 @@ DPMSSet(ClientPtr client, int level) rc = dixSaveScreens(client, SCREEN_SAVER_FORCER, ScreenSaverActive); if (rc != Success) return rc; - } + } else + dixSaveScreens(client, SCREEN_SAVER_FORCER, ScreenSaverReset); /* For each screen, set the DPMS level */ for (i = 0; i < xf86NumScreens; i++) { ++++++ N_driver-autoconfig.diff ++++++ Index: hw/xfree86/common/xf86pciBus.c =================================================================== --- hw/xfree86/common/xf86pciBus.c.orig +++ hw/xfree86/common/xf86pciBus.c @@ -1107,7 +1107,8 @@ videoPtrToDriverList(struct pci_device * driverList[0] = "ast"; break; case 0x1002: - driverList[0] = "ati"; + driverList[0] = "fglrx"; + driverList[1] = "ati"; break; case 0x102c: driverList[0] = "chips"; @@ -1139,6 +1141,13 @@ videoPtrToDriverList(struct pci_device * driverList[0] = "neomagic"; break; case 0x10de: + driverList[0] = "nvidia"; + driverList[1] = "nouveau"; + /* GeForce 6150SE support broken (bnc #465190/544674) */ + if (dev->device_id != 0x03D0) { + driverList[2] = "nv"; + } + break; case 0x12d2: { int idx = 0; @@ -1150,7 +1159,8 @@ videoPtrToDriverList(struct pci_device * break; } case 0x1106: - driverList[0] = "openchrome"; + driverList[0] = "via"; + driverList[1] = "openchrome"; break; case 0x1b36: driverList[0] = "qxl"; ++++++ N_edid_data_sanity_check.diff ++++++ Index: xorg-server-1.6.3.901/hw/xfree86/modes/xf86Crtc.c ================================================================================ --- xorg-server-1.7.99/hw/xfree86/modes/xf86Crtc.c +++ xorg-server-1.7.99/hw/xfree86/modes/xf86Crtc.c 
@@ -2916,8 +2916,14 @@ p->output->MonInfo->features.vsize); if (det_mon->type == DT && det_mon->section.d_timings.h_size != 0 && - det_mon->section.d_timings.v_size != 0) { - + det_mon->section.d_timings.v_size != 0 && + det_mon->section.d_timings.v_size != 0 && + /* some sanity checking for aspect ration */ + ((det_mon->section.d_timings.h_size / + det_mon->section.d_timings.v_size) < 2) && + ((det_mon->section.d_timings.v_size / + det_mon->section.d_timings.h_size) < 2) + ) { p->output->mm_width = det_mon->section.d_timings.h_size; p->output->mm_height = det_mon->section.d_timings.v_size; p->ret = TRUE; ++++++ N_fbdevhw.diff ++++++ Index: hw/xfree86/fbdevhw/fbdevhw.c =================================================================== --- hw/xfree86/fbdevhw/fbdevhw.c.orig +++ hw/xfree86/fbdevhw/fbdevhw.c @@ -858,9 +858,10 @@ fbdevHWDPMSSet(ScrnInfoPtr pScrn, int mo return; } + /* Novell Bug #146462 */ if (-1 == ioctl(fPtr->fd, FBIOBLANK, (void *) fbmode)) - xf86DrvMsg(pScrn->scrnIndex, X_ERROR, - "FBIOBLANK: %s\n", strerror(errno)); + xf86DrvMsg(pScrn->scrnIndex, X_INFO, + "FBIOBLANK: %s (Screen blanking not supported by vesafb of Linux Kernel)\n", strerror(errno)); } Bool @@ -875,9 +876,10 @@ fbdevHWSaveScreen(ScreenPtr pScreen, int unblank = xf86IsUnblank(mode); + /* Novell Bug #146462 */ if (-1 == ioctl(fPtr->fd, FBIOBLANK, (void *) (1 - unblank))) { - xf86DrvMsg(pScrn->scrnIndex, X_ERROR, - "FBIOBLANK: %s\n", strerror(errno)); + xf86DrvMsg(pScrn->scrnIndex, X_INFO, + "FBIOBLANK: %s (Screen blanking not supported by vesafb of Linux Kernel)\n", strerror(errno)); return FALSE; } ++++++ N_fix-dpi-values.diff ++++++ Index: hw/xfree86/common/xf86Helper.c =================================================================== --- hw/xfree86/common/xf86Helper.c.orig +++ hw/xfree86/common/xf86Helper.c 
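Review bot: The added condition tests `det_mon->section.d_timings.v_size != 0` twice in a row; the second copy is redundant, since `h_size` is already checked on the context line above. The aspect check relies on integer division, so `h_size / v_size < 2` accepts everything below exactly 2:1, and it is only safe because the non-zero tests come first in the `&&` chain. A comment stating both would help, for example `/* reject EDID sizes whose aspect ratio is 2:1 or more in either direction; sizes are known non-zero here */`, and "ration" should read "ratio".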
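Review bot: Both FBIOBLANK failure messages (in fbdevHWDPMSSet here and in fbdevHWSaveScreen in the next hunk) are downgraded to `X_INFO` and now state a single cause, vesafb not supporting blanking, for every errno. A failure for any other reason, such as a bad descriptor or a permission error, will then be logged as informational with a misleading explanation. Keeping `X_ERROR` unless errno is the value the unsupported case actually returns, and wording the hint as a possibility, would preserve the signal in the log. Which errno vesafb returns needs to be checked against the kernel.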
@@ -922,12 +922,22 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int else if (pScrn->widthmm > 0 || pScrn->heightmm > 0) { from = X_CONFIG; if (pScrn->widthmm > 0) { - pScrn->xDpi = - (int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm); + if (pScrn->modes && pScrn->modes->HDisplay > 0) { + pScrn->xDpi = + (int)((double) pScrn->modes->HDisplay * MMPERINCH / pScrn->widthmm); + } else { + pScrn->xDpi = + (int)((double)pScrn->virtualX * MMPERINCH / pScrn->widthmm); + } } if (pScrn->heightmm > 0) { - pScrn->yDpi = - (int) ((double) pScrn->virtualY * MMPERINCH / pScrn->heightmm); + if (pScrn->modes && pScrn->modes->VDisplay > 0) { + pScrn->yDpi = + (int)((double)pScrn->modes->VDisplay * MMPERINCH / pScrn->heightmm); + } else { + pScrn->yDpi = + (int)((double)pScrn->virtualY * MMPERINCH / pScrn->heightmm); + } } if (pScrn->xDpi > 0 && pScrn->yDpi <= 0) pScrn->yDpi = pScrn->xDpi; 
@@ -966,12 +976,22 @@ xf86SetDpi(ScrnInfoPtr pScrn, int x, int pScrn->widthmm = ddcWidthmm; pScrn->heightmm = ddcHeightmm; if (pScrn->widthmm > 0) { - pScrn->xDpi = - (int) ((double) pScrn->virtualX * MMPERINCH / pScrn->widthmm); + if (pScrn->modes && pScrn->modes->HDisplay > 0) { + pScrn->xDpi = + (int)((double) pScrn->modes->HDisplay * MMPERINCH / pScrn->widthmm); + } else { + pScrn->xDpi = + (int)((double)pScrn->virtualX * MMPERINCH / pScrn->widthmm); + } } if (pScrn->heightmm > 0) { - pScrn->yDpi = - (int) ((double) pScrn->virtualY * MMPERINCH / pScrn->heightmm); + if (pScrn->modes && pScrn->modes->VDisplay > 0) { + pScrn->yDpi = + (int)((double)pScrn->modes->VDisplay * MMPERINCH / pScrn->heightmm); + } else { + pScrn->yDpi = + (int)((double)pScrn->virtualY * MMPERINCH / pScrn->heightmm); + } } if (pScrn->xDpi > 0 && pScrn->yDpi <= 0) pScrn->yDpi = pScrn->xDpi; ++++++ N_fix_fglrx_screendepth_issue.patch ++++++ Index: hw/xfree86/common/xf86AutoConfig.c =================================================================== --- hw/xfree86/common/xf86AutoConfig.c.orig +++ hw/xfree86/common/xf86AutoConfig.c @@ -75,6 +75,13 @@ "\tDevice\t" BUILTIN_DEVICE_NAME "\n" \ "EndSection\n\n" +#define BUILTIN_SCREEN_SECTION_FOR_FGLRX \ + "Section \"Screen\"\n" \ + "\tIdentifier\t" BUILTIN_SCREEN_NAME "\n" \ + "\tDevice\t" BUILTIN_DEVICE_NAME "\n" \ + "\tDefaultDepth\t24\n" \ + "EndSection\n\n" + #define BUILTIN_LAYOUT_SECTION_PRE \ "Section \"ServerLayout\"\n" \ "\tIdentifier\t\"Builtin Default Layout\"\n" 
@@ -153,7 +160,10 @@ xf86AutoConfig(void) for (p = deviceList; *p; p++) { snprintf(buf, sizeof(buf), BUILTIN_DEVICE_SECTION, *p, 0, *p); AppendToConfig(buf); - snprintf(buf, sizeof(buf), BUILTIN_SCREEN_SECTION, *p, 0, *p, 0); + if( strcmp(*p, "fglrx") == 0 ) + snprintf(buf, sizeof(buf), BUILTIN_SCREEN_SECTION_FOR_FGLRX, *p, 0, *p, 0); + else + snprintf(buf, sizeof(buf), BUILTIN_SCREEN_SECTION, *p, 0, *p, 0); AppendToConfig(buf); } ++++++ N_p_default-module-path.diff ++++++ Index: hw/xfree86/common/xf86Globals.c =================================================================== --- hw/xfree86/common/xf86Globals.c.orig +++ hw/xfree86/common/xf86Globals.c @@ -135,7 +135,7 @@ xf86InfoRec xf86Info = { const char *xf86ConfigFile = NULL; const char *xf86ConfigDir = NULL; -const char *xf86ModulePath = DEFAULT_MODULE_PATH; +const char *xf86ModulePath = DEFAULT_MODULE_PATH "/updates," DEFAULT_MODULE_PATH; MessageType xf86ModPathFrom = X_DEFAULT; const char *xf86LogFile = DEFAULT_LOGPREFIX; MessageType xf86LogFileFrom = X_DEFAULT; ++++++ N_p_xnest-ignore-getimage-errors.diff ++++++ Index: xorg-server-1.12.1/hw/xnest/GCOps.c =================================================================== --- xorg-server-1.12.1.orig/hw/xnest/GCOps.c +++ xorg-server-1.12.1/hw/xnest/GCOps.c 
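Review bot: `DEFAULT_MODULE_PATH "/updates," DEFAULT_MODULE_PATH` puts the `updates` directory ahead of the stock one, so any module placed there is loaded in preference to the packaged module of the same name. That makes the ownership and mode of the `updates` directory part of the server's trust boundary, which the patch should record in a comment, e.g. `/* updates/ is searched first; it must be writable by root only */`. The string concatenation also assumes `DEFAULT_MODULE_PATH` is a single directory: if it were a comma-separated list, the `/updates` suffix would attach to its last entry only.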
@@ -94,15 +94,26 @@ xnestPutImage(DrawablePtr pDrawable, GCP } } +static int +xnestIgnoreErrorHandler (Display *display, + XErrorEvent *event) +{ + return False; /* return value is ignored */ +} + void xnestGetImage(DrawablePtr pDrawable, int x, int y, int w, int h, unsigned int format, unsigned long planeMask, char *pImage) { XImage *ximage; int length; + int (*old_handler)(Display*, XErrorEvent*); + /* we may get BadMatch error when xnest window is minimized */ + old_handler = XSetErrorHandler (xnestIgnoreErrorHandler); ximage = XGetImage(xnestDisplay, xnestDrawable(pDrawable), x, y, w, h, planeMask, format); + XSetErrorHandler (old_handler); if (ximage) { length = ximage->bytes_per_line * ximage->height; ++++++ N_randr1_1-sig11.diff ++++++ Index: xorg-server-1.12.1/hw/xfree86/common/xf86RandR.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86RandR.c +++ xorg-server-1.12.1/hw/xfree86/common/xf86RandR.c @@ -237,6 +237,9 @@ xf86RandRSetConfig(ScreenPtr pScreen, DeviceIntPtr dev; Bool view_adjusted = FALSE; + if (!scrp->vtSema) + return FALSE; + for (dev = inputInfo.devices; dev; dev = dev->next) { if (!IsMaster(dev) && !IsFloating(dev)) continue; ++++++ N_randr_fix_abi.patch ++++++ diff --git a/randr/randrstr.h b/randr/randrstr.h index 15299fd..03ed146 100644 --- a/randr/randrstr.h +++ b/randr/randrstr.h @@ -301,7 +301,6 @@ typedef struct _rrScrPriv { Bool changed; /* some config changed */ Bool configChanged; /* configuration changed */ Bool layoutChanged; /* screen layout changed */ - Bool resourcesChanged; /* screen resources change */ CARD16 minWidth, minHeight; CARD16 maxWidth, maxHeight; 
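Review bot: xnestIgnoreErrorHandler discards every X error raised while it is installed, not only the BadMatch named in the comment, so an unrelated failure during the XGetImage round trip disappears silently. Checking `event->error_code` and passing anything other than BadMatch on to the previous handler would keep the workaround narrow; that requires the saved handler to be reachable from the callback, for instance through a file-scope static. The handler's comment could also state that `ximage` is NULL when the error is ignored, which is what the `if (ximage)` test below relies on.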
@@ -338,6 +337,7 @@ typedef struct _rrScrPriv { RRProviderDestroyProcPtr rrProviderDestroy; + Bool resourcesChanged; /* screen resources change */ } rrScrPrivRec, *rrScrPrivPtr; extern _X_EXPORT DevPrivateKeyRec rrPrivKeyRec; ++++++ N_sync-fix.patch ++++++ Index: xorg-server-1.12.1/Xext/sync.c =================================================================== --- xorg-server-1.12.1.orig/Xext/sync.c +++ xorg-server-1.12.1/Xext/sync.c @@ -2615,9 +2615,43 @@ static XSyncValue *pIdleTimeValueGreater static void IdleTimeQueryValue(pointer pCounter, CARD64 * pValue_return) { - CARD32 idle = GetTimeInMillis() - lastDeviceEventTime.milliseconds; + static CARD32 previousLastDeviceEventTimeMilliseconds = 0; + CARD32 now = GetTimeInMillis(); + CARD32 idle = now - lastDeviceEventTime.milliseconds; + CARD32 previousIdle = now - previousLastDeviceEventTimeMilliseconds; + SyncCounter *pIdleTimeCounter = (SyncCounter*)pCounter; XSyncIntsToValue(pValue_return, idle, 0); + if (pCounter == NULL) + { + return; + } + if (previousLastDeviceEventTimeMilliseconds == 0) + { + /* initialize static var when this function is invoked the first time. */ + previousLastDeviceEventTimeMilliseconds = lastDeviceEventTime.milliseconds; + return; + } + + if (previousLastDeviceEventTimeMilliseconds == lastDeviceEventTime.milliseconds) + { + /* no new user event, no need to change idle counter. */ + return; + } + previousLastDeviceEventTimeMilliseconds = lastDeviceEventTime.milliseconds; + + /* + * Some user event occured; now update idle counter with previous + * event time, so idle counter has the most up-to-date value with + * respect to previous user event (we need old and new counter + * value to compute if a transition occured). Recompute bracket + * values if this is system counter. + */ + + XSyncIntsToValue (&pIdleTimeCounter->value, previousIdle, 0); + if (IsSystemCounter(pIdleTimeCounter)) { + SyncComputeBracketValues(pIdleTimeCounter); + } } static void 
@@ -2700,7 +2734,7 @@ IdleTimeWakeupHandler(pointer env, int r if (!pIdleTimeValueLess && !pIdleTimeValueGreater) return; - IdleTimeQueryValue(NULL, &idle); + IdleTimeQueryValue(IdleTimeCounter, &idle); if ((pIdleTimeValueGreater && XSyncValueGreaterOrEqual(idle, *pIdleTimeValueGreater)) || ++++++ N_xorg-server-xdmcp.patch ++++++ Index: xorg-server-1.12.1/os/access.c =================================================================== --- xorg-server-1.12.1.orig/os/access.c +++ xorg-server-1.12.1/os/access.c @@ -714,7 +714,9 @@ DefineSelf(int fd) /* * ignore 'localhost' entries as they're not useful - * on the other end of the wire + * on the other end of the wire and because on hosts + * with shared home dirs they'll result in conflicting + * entries in ~/.Xauthority */ if (ifr->ifa_flags & IFF_LOOPBACK) continue; @@ -735,6 +737,14 @@ DefineSelf(int fd) else if (family == FamilyInternet6 && IN6_IS_ADDR_LOOPBACK((struct in6_addr *) addr)) continue; + + /* Ignore IPv6 link local addresses (fe80::/10), because + * they need a scope identifier, which we have no way + * of telling to the other end. + */ + if (family == FamilyInternet6 && + IN6_IS_ADDR_LINKLOCAL((struct in6_addr *)addr)) + continue; #endif XdmcpRegisterConnection(family, (char *) addr, len); #if defined(IPv6) && defined(AF_INET6) ++++++ N_zap_warning_xserver.diff ++++++ Index: xorg-server-1.12.1/hw/xfree86/common/xf86Config.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Config.c +++ xorg-server-1.12.1/hw/xfree86/common/xf86Config.c @@ -680,6 +680,7 @@ typedef enum { FLAG_NOTRAPSIGNALS, FLAG_DONTVTSWITCH, FLAG_DONTZAP, + FLAG_ZAPWARNING, FLAG_DONTZOOM, FLAG_DISABLEVIDMODE, FLAG_ALLOWNONLOCAL, 
@@ -717,6 +718,8 @@ static OptionInfoRec FlagOptions[] = { {0}, FALSE}, {FLAG_DONTZAP, "DontZap", OPTV_BOOLEAN, {0}, FALSE}, + { FLAG_ZAPWARNING, "ZapWarning", OPTV_BOOLEAN, + {0}, FALSE }, {FLAG_DONTZOOM, "DontZoom", OPTV_BOOLEAN, {0}, FALSE}, {FLAG_DISABLEVIDMODE, "DisableVidModeExtension", OPTV_BOOLEAN, @@ -805,6 +805,7 @@ configServerFlags(XF86ConfFlagsPtr flags xf86GetOptValBool(FlagOptions, FLAG_NOTRAPSIGNALS, &xf86Info.notrapSignals); xf86GetOptValBool(FlagOptions, FLAG_DONTVTSWITCH, &xf86Info.dontVTSwitch); xf86GetOptValBool(FlagOptions, FLAG_DONTZAP, &xf86Info.dontZap); + xf86GetOptValBool(FlagOptions, FLAG_ZAPWARNING, &xf86Info.ZapWarning); xf86GetOptValBool(FlagOptions, FLAG_DONTZOOM, &xf86Info.dontZoom); xf86GetOptValBool(FlagOptions, FLAG_IGNORE_ABI, &xf86Info.ignoreABI); Index: xorg-server-1.12.1/hw/xfree86/common/xf86Events.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Events.c +++ xorg-server-1.12.1/hw/xfree86/common/xf86Events.c @@ -182,13 +182,25 @@ xf86ProcessActionEvent(ActionEvent actio DebugF("ProcessActionEvent(%d,%x)\n", (int) action, arg); switch (action) { case ACTION_TERMINATE: - if (!xf86Info.dontZap) { - xf86Msg(X_INFO, "Server zapped. Shutting down.\n"); + if (xf86Info.dontZap) + break; + + if (xf86Info.ZapWarning) { + static struct timeval LastZap = { 0, 0}; + struct timeval NewZap; + + gettimeofday(&NewZap, NULL); + + if ((NewZap.tv_sec - LastZap.tv_sec) >= 2) { + xf86OSRingBell(30, 1000, 50); + LastZap = NewZap; + break; + } + } #ifdef XFreeXDGA - DGAShutdown(); + DGAShutdown(); #endif - GiveUp(0); - } + GiveUp(0); break; case ACTION_NEXT_MODE: if (!xf86Info.dontZoom) Index: xorg-server-1.12.1/hw/xfree86/common/xf86Globals.c =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Globals.c +++ xorg-server-1.12.1/hw/xfree86/common/xf86Globals.c 
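Review bot: The two-second confirmation window in the ACTION_TERMINATE case of xf86ProcessActionEvent is measured with `gettimeofday()`, which is wall-clock time, so a backwards clock step can make `NewZap.tv_sec - LastZap.tv_sec` negative. The `>= 2` test then fails and the server exits on what should have been the warning-only key press. Comparing only `tv_sec` also makes the effective window vary between just over one second and just under two. A millisecond tick from a monotonic source avoids both, for example the `GetTimeInMillis()` that Xext/sync.c uses elsewhere in this update: `static CARD32 LastZap;`, `CARD32 NewZap = GetTimeInMillis();`, `if ((CARD32) (NewZap - LastZap) >= 2000) {`. The function body continues outside the hunk.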
@@ -108,6 +108,7 @@ xf86InfoRec xf86Info = { .autoVTSwitch = TRUE, .ShareVTs = FALSE, .dontZap = FALSE, + .ZapWarning = TRUE, .dontZoom = FALSE, .notrapSignals = FALSE, .caughtSignal = FALSE, Index: xorg-server-1.12.1/hw/xfree86/common/xf86Privstr.h =================================================================== --- xorg-server-1.12.1.orig/hw/xfree86/common/xf86Privstr.h +++ xorg-server-1.12.1/hw/xfree86/common/xf86Privstr.h @@ -70,6 +70,7 @@ typedef struct { Bool autoVTSwitch; Bool ShareVTs; Bool dontZap; + Bool ZapWarning; Bool dontZoom; Bool notrapSignals; /* don't exit cleanly - die at fault */ Bool caughtSignal; ++++++ README.updates ++++++ Xserver module update mechanism ------------------------------- If any corresponding Xserver module is found below "/usr/lib/xorg/modules/updates/" ("/usr/lib64/xorg/modules/updates/" on biarch 32/64 bit platforms) it will be favored over the one in "/usr/lib/xorg/modules/" ("/usr/lib64/xorg/modules/" on biarch 32/64 bit platforms). ++++++ U_Xi_fix_modifier_offset_in_XIPassiveGrab_swapping_function.patch ++++++
From 76b3be75b62657e346731444736f7e4d200beb5b Mon Sep 17 00:00:00 2001 From: Peter Hutterer <peter.hutterer@who-t.net> Date: Fri, 24 Jan 2014 16:51:02 +1000 Subject: [PATCH] Xi: fix modifier offset in XIPassiveGrab swapping function
The request is followed by mask_len 4-byte units, then followed by the actual modifiers. Also fix up the swapping test, which had the same issue. Reported-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c index eccec0a..8aba977 100644 --- a/Xi/xipassivegrab.c +++ b/Xi/xipassivegrab.c @@ -63,7 +63,7 @@ SProcXIPassiveGrabDevice(ClientPtr client) swaps(&stuff->mask_len); swaps(&stuff->num_modifiers); - mods = (uint32_t *) &stuff[1]; + mods = (uint32_t *) &stuff[1] + stuff->mask_len; for (i = 0; i < stuff->num_modifiers; i++, mods++) { swapl(mods); ++++++ U_Xi_unvalidated_lengths_in_Xinput_extension.patch ++++++ Subject: Xi: unvalidated lengths in Xinput extension References: bnc#907268, CVE-2014-8095 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer. This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header. 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- Xi/chgdctl.c | 8 ++++++-- Xi/chgfctl.c | 2 ++ Xi/sendexev.c | 3 +++ Xi/xiallowev.c | 2 ++ Xi/xichangecursor.c | 2 +- Xi/xichangehierarchy.c | 35 ++++++++++++++++++++++++++++++++--- Xi/xigetclientpointer.c | 1 + Xi/xigrabdev.c | 9 ++++++++- Xi/xipassivegrab.c | 12 ++++++++++-- Xi/xiproperty.c | 14 ++++++-------- Xi/xiquerydevice.c | 1 + Xi/xiquerypointer.c | 2 ++ Xi/xiselectev.c | 8 ++++++++ Xi/xisetclientpointer.c | 3 ++- Xi/xisetdevfocus.c | 4 ++++ Xi/xiwarppointer.c | 2 ++ include/dix.h | 4 ++++ 17 files changed, 94 insertions(+), 18 deletions(-) diff --git a/Xi/chgdctl.c b/Xi/chgdctl.c index d078aa2..b3ee867 100644 --- a/Xi/chgdctl.c +++ b/Xi/chgdctl.c @@ -78,7 +78,7 @@ SProcXChangeDeviceControl(ClientPtr client) REQUEST(xChangeDeviceControlReq); swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); swaps(&stuff->control); ctl = (xDeviceCtl *) &stuff[1]; swaps(&ctl->control); @@ -115,7 +115,7 @@ ProcXChangeDeviceControl(ClientPtr client) xDeviceEnableCtl *e; REQUEST(xChangeDeviceControlReq); - REQUEST_AT_LEAST_SIZE(xChangeDeviceControlReq); + REQUEST_AT_LEAST_EXTRA_SIZE(xChangeDeviceControlReq, sizeof(xDeviceCtl)); len = stuff->length - bytes_to_int32(sizeof(xChangeDeviceControlReq)); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixManageAccess); @@ -192,6 +192,10 @@ ProcXChangeDeviceControl(ClientPtr client) break; case DEVICE_ENABLE: e = (xDeviceEnableCtl *) &stuff[1]; + if ((len != bytes_to_int32(sizeof(xDeviceEnableCtl)))) { + ret = BadLength; + goto out; + } if (IsXTestDevice(dev, NULL)) status = !Success; diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c index 6dcf60c..224c2ba 100644 --- a/Xi/chgfctl.c +++ b/Xi/chgfctl.c 
@@ -467,6 +467,8 @@ ProcXChangeFeedbackControl(ClientPtr client) xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]); if (client->swapped) { + if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) + return BadLength; swaps(&f->num_keysyms); } if (len != diff --git a/Xi/sendexev.c b/Xi/sendexev.c index 3c21386..183f88d 100644 --- a/Xi/sendexev.c +++ b/Xi/sendexev.c @@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client) if (ret != Success) return ret; + if (stuff->num_events == 0) + return ret; + /* The client's event type must be one defined by an extension. */ first = ((xEvent *) &stuff[1]); diff --git a/Xi/xiallowev.c b/Xi/xiallowev.c index ebef233..ca263ef 100644 --- a/Xi/xiallowev.c +++ b/Xi/xiallowev.c @@ -48,6 +48,7 @@ int SProcXIAllowEvents(ClientPtr client) { REQUEST(xXIAllowEventsReq); + REQUEST_AT_LEAST_SIZE(xXIAllowEventsReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -55,6 +56,7 @@ SProcXIAllowEvents(ClientPtr client) if (stuff->length > 3) { xXI2_2AllowEventsReq *req_xi22 = (xXI2_2AllowEventsReq *) stuff; + REQUEST_AT_LEAST_SIZE(xXI2_2AllowEventsReq); swapl(&req_xi22->touchid); swapl(&req_xi22->grab_window); } diff --git a/Xi/xichangecursor.c b/Xi/xichangecursor.c index 7a1bb7a..8e6255b 100644 --- a/Xi/xichangecursor.c +++ b/Xi/xichangecursor.c @@ -57,11 +57,11 @@ int SProcXIChangeCursor(ClientPtr client) { REQUEST(xXIChangeCursorReq); + REQUEST_SIZE_MATCH(xXIChangeCursorReq); swaps(&stuff->length); swapl(&stuff->win); swapl(&stuff->cursor); swaps(&stuff->deviceid); - REQUEST_SIZE_MATCH(xXIChangeCursorReq); return (ProcXIChangeCursor(client)); } diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c index 9e36354..2732445 100644 --- a/Xi/xichangehierarchy.c +++ b/Xi/xichangehierarchy.c 
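Review bot: The minimum-length check added to ProcXChangeFeedbackControl in Xi/chgfctl.c runs only inside `if (client->swapped)`, while the `if (len != …` comparison that follows is reached on both paths. That comparison is cut off by the hunk, so this is inferred: if it reads `f->num_keysyms`, a client in native byte order that sends a request shorter than `xStringFeedbackCtl` still has that field read from beyond the request data. Moving the check above the `if (client->swapped)` block covers both paths: `if (len < bytes_to_int32(sizeof(xStringFeedbackCtl))) return BadLength;`. The function starts and ends outside the hunk.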
@@ -411,7 +411,7 @@ int ProcXIChangeHierarchy(ClientPtr client) { xXIAnyHierarchyChangeInfo *any; - int required_len = sizeof(xXIChangeHierarchyReq); + size_t len; /* length of data remaining in request */ int rc = Success; int flags[MAXDEVICES] = { 0 }; @@ -421,21 +421,46 @@ ProcXIChangeHierarchy(ClientPtr client) if (!stuff->num_changes) return rc; + if (stuff->length > (INT_MAX >> 2)) + return BadAlloc; + len = (stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); + any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; while (stuff->num_changes--) { + if (len < sizeof(xXIAnyHierarchyChangeInfo)) { + rc = BadLength; + goto unwind; + } + SWAPIF(swaps(&any->type)); SWAPIF(swaps(&any->length)); - required_len += any->length; - if ((stuff->length * 4) < required_len) + if ((any->length > (INT_MAX >> 2)) || (len < (any->length << 2))) return BadLength; +#define CHANGE_SIZE_MATCH(type) \ + do { \ + if ((len < sizeof(type)) || (any->length != (sizeof(type) >> 2))) { \ + rc = BadLength; \ + goto unwind; \ + } \ + } while(0) + switch (any->type) { case XIAddMaster: { xXIAddMasterInfo *c = (xXIAddMasterInfo *) any; + /* Variable length, due to appended name string */ + if (len < sizeof(xXIAddMasterInfo)) { + rc = BadLength; + goto unwind; + } SWAPIF(swaps(&c->name_len)); + if (c->name_len > (len - sizeof(xXIAddMasterInfo))) { + rc = BadLength; + goto unwind; + } rc = add_master(client, c, flags); if (rc != Success) @@ -446,6 +471,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; + CHANGE_SIZE_MATCH(xXIRemoveMasterInfo); rc = remove_master(client, r, flags); if (rc != Success) goto unwind; @@ -455,6 +481,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; + CHANGE_SIZE_MATCH(xXIDetachSlaveInfo); rc = detach_slave(client, c, flags); if (rc != Success) goto unwind; 
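Review bot: In ProcXIChangeHierarchy, `len` is documented as the length of data remaining in the request but is initialised as `(stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo)`, although `any` starts at `&stuff[1]`, i.e. after the request header. The bytes remaining at that point are the total minus `sizeof(xXIChangeHierarchyReq)`. If the header struct is larger than the per-change header, every later `len <` comparison overestimates the remaining data and can accept a change record that runs past the end of the request. Suggested line: `len = (stuff->length << 2) - sizeof(xXIChangeHierarchyReq);`. Separately, the rewritten `any->length` check still uses `return BadLength;` where every other new check in these hunks uses `rc = BadLength; goto unwind;`; the function's end, including the `unwind` label, is outside the hunks.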
@@ -464,6 +491,7 @@ ProcXIChangeHierarchy(ClientPtr client) { xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; + CHANGE_SIZE_MATCH(xXIAttachSlaveInfo); rc = attach_slave(client, c, flags); if (rc != Success) goto unwind; @@ -471,6 +499,7 @@ ProcXIChangeHierarchy(ClientPtr client) break; } + len -= any->length * 4; any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); } diff --git a/Xi/xigetclientpointer.c b/Xi/xigetclientpointer.c index 3c90d58..306dd39 100644 --- a/Xi/xigetclientpointer.c +++ b/Xi/xigetclientpointer.c @@ -50,6 +50,7 @@ int SProcXIGetClientPointer(ClientPtr client) { REQUEST(xXIGetClientPointerReq); + REQUEST_SIZE_MATCH(xXIGetClientPointerReq); swaps(&stuff->length); swapl(&stuff->win); diff --git a/Xi/xigrabdev.c b/Xi/xigrabdev.c index 63d95bc..e2a2ae3 100644 --- a/Xi/xigrabdev.c +++ b/Xi/xigrabdev.c @@ -47,6 +47,11 @@ int SProcXIGrabDevice(ClientPtr client) { REQUEST(xXIGrabDeviceReq); + /* + * Check here for at least the length of the struct we swap, then + * let ProcXIGrabDevice check the full size after we swap mask_len. + */ + REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -71,7 +76,7 @@ ProcXIGrabDevice(ClientPtr client) unsigned int pointer_mode; REQUEST(xXIGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIGrabDeviceReq, ((size_t) stuff->mask_len) * 4); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess); if (ret != Success) @@ -131,6 +136,7 @@ int SProcXIUngrabDevice(ClientPtr client) { REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -148,6 +154,7 @@ ProcXIUngrabDevice(ClientPtr client) TimeStamp time; REQUEST(xXIUngrabDeviceReq); + REQUEST_SIZE_MATCH(xXIUngrabDeviceReq); ret = dixLookupDevice(&dev, stuff->deviceid, client, DixGetAttrAccess); if (ret != Success) diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c index 700622d..9241ffd 100644 
--- a/Xi/xipassivegrab.c +++ b/Xi/xipassivegrab.c @@ -53,6 +53,7 @@ SProcXIPassiveGrabDevice(ClientPtr client) uint32_t *mods; REQUEST(xXIPassiveGrabDeviceReq); + REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -63,6 +64,8 @@ SProcXIPassiveGrabDevice(ClientPtr client) swaps(&stuff->mask_len); swaps(&stuff->num_modifiers); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, + ((uint32_t) stuff->mask_len + stuff->num_modifiers) *4); mods = (uint32_t *) &stuff[1] + stuff->mask_len; for (i = 0; i < stuff->num_modifiers; i++, mods++) { @@ -92,7 +95,8 @@ ProcXIPassiveGrabDevice(ClientPtr client) int mask_len; REQUEST(xXIPassiveGrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIPassiveGrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, + ((uint32_t) stuff->mask_len + stuff->num_modifiers) * 4); if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; @@ -252,6 +256,7 @@ SProcXIPassiveUngrabDevice(ClientPtr client) uint32_t *modifiers; REQUEST(xXIPassiveUngrabDeviceReq); + REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); swaps(&stuff->length); swapl(&stuff->grab_window); @@ -259,6 +264,8 @@ SProcXIPassiveUngrabDevice(ClientPtr client) swapl(&stuff->detail); swaps(&stuff->num_modifiers); + REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, + ((uint32_t) stuff->num_modifiers) << 2); modifiers = (uint32_t *) &stuff[1]; for (i = 0; i < stuff->num_modifiers; i++, modifiers++) @@ -277,7 +284,8 @@ ProcXIPassiveUngrabDevice(ClientPtr client) int i, rc; REQUEST(xXIPassiveUngrabDeviceReq); - REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq); + REQUEST_FIXED_SIZE(xXIPassiveUngrabDeviceReq, + ((uint32_t) stuff->num_modifiers) << 2); if (stuff->deviceid == XIAllDevices) dev = inputInfo.all_devices; diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c index 463607d..8e8e4b0 100644 --- a/Xi/xiproperty.c +++ b/Xi/xiproperty.c 
@@ -1013,10 +1013,9 @@ int SProcXListDeviceProperties(ClientPtr client) { REQUEST(xListDevicePropertiesReq); + REQUEST_SIZE_MATCH(xListDevicePropertiesReq); swaps(&stuff->length); - - REQUEST_SIZE_MATCH(xListDevicePropertiesReq); return (ProcXListDeviceProperties(client)); } @@ -1037,10 +1036,10 @@ int SProcXDeleteDeviceProperty(ClientPtr client) { REQUEST(xDeleteDevicePropertyReq); + REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); swaps(&stuff->length); swapl(&stuff->property); - REQUEST_SIZE_MATCH(xDeleteDevicePropertyReq); return (ProcXDeleteDeviceProperty(client)); } @@ -1048,13 +1047,13 @@ int SProcXGetDeviceProperty(ClientPtr client) { REQUEST(xGetDevicePropertyReq); + REQUEST_SIZE_MATCH(xGetDevicePropertyReq); swaps(&stuff->length); swapl(&stuff->property); swapl(&stuff->type); swapl(&stuff->longOffset); swapl(&stuff->longLength); - REQUEST_SIZE_MATCH(xGetDevicePropertyReq); return (ProcXGetDeviceProperty(client)); } @@ -1253,11 +1252,10 @@ int SProcXIListProperties(ClientPtr client) { REQUEST(xXIListPropertiesReq); + REQUEST_SIZE_MATCH(xXIListPropertiesReq); swaps(&stuff->length); swaps(&stuff->deviceid); - - REQUEST_SIZE_MATCH(xXIListPropertiesReq); return (ProcXIListProperties(client)); } @@ -1279,11 +1277,11 @@ int SProcXIDeleteProperty(ClientPtr client) { REQUEST(xXIDeletePropertyReq); + REQUEST_SIZE_MATCH(xXIDeletePropertyReq); swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->property); - REQUEST_SIZE_MATCH(xXIDeletePropertyReq); return (ProcXIDeleteProperty(client)); } @@ -1291,6 +1289,7 @@ int SProcXIGetProperty(ClientPtr client) { REQUEST(xXIGetPropertyReq); + REQUEST_SIZE_MATCH(xXIGetPropertyReq); swaps(&stuff->length); swaps(&stuff->deviceid); @@ -1298,7 +1297,6 @@ SProcXIGetProperty(ClientPtr client) swapl(&stuff->type); swapl(&stuff->offset); swapl(&stuff->len); - REQUEST_SIZE_MATCH(xXIGetPropertyReq); return (ProcXIGetProperty(client)); } diff --git a/Xi/xiquerydevice.c b/Xi/xiquerydevice.c index 4e544f0..67a9a4f 100644 
--- a/Xi/xiquerydevice.c +++ b/Xi/xiquerydevice.c @@ -54,6 +54,7 @@ int SProcXIQueryDevice(ClientPtr client) { REQUEST(xXIQueryDeviceReq); + REQUEST_SIZE_MATCH(xXIQueryDeviceReq); swaps(&stuff->length); swaps(&stuff->deviceid); diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c index e9bdd42..7ec0c85 100644 --- a/Xi/xiquerypointer.c +++ b/Xi/xiquerypointer.c @@ -63,6 +63,8 @@ int SProcXIQueryPointer(ClientPtr client) { REQUEST(xXIQueryPointerReq); + REQUEST_SIZE_MATCH(xXIQueryPointerReq); + swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->win); diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c index 45a996e..168579f 100644 --- a/Xi/xiselectev.c +++ b/Xi/xiselectev.c @@ -114,6 +114,7 @@ int SProcXISelectEvents(ClientPtr client) { int i; + int len; xXIEventMask *evmask; REQUEST(xXISelectEventsReq); @@ -122,10 +123,17 @@ SProcXISelectEvents(ClientPtr client) swapl(&stuff->win); swaps(&stuff->num_masks); + len = stuff->length - bytes_to_int32(sizeof(xXISelectEventsReq)); evmask = (xXIEventMask *) &stuff[1]; for (i = 0; i < stuff->num_masks; i++) { + if (len < bytes_to_int32(sizeof(xXIEventMask))) + return BadLength; + len -= bytes_to_int32(sizeof(xXIEventMask)); swaps(&evmask->deviceid); swaps(&evmask->mask_len); + if (len < evmask->mask_len) + return BadLength; + len -= evmask->mask_len; evmask = (xXIEventMask *) (((char *) &evmask[1]) + evmask->mask_len * 4); } diff --git a/Xi/xisetclientpointer.c b/Xi/xisetclientpointer.c index 38ff51e..24d4a53 100644 --- a/Xi/xisetclientpointer.c +++ b/Xi/xisetclientpointer.c @@ -51,10 +51,11 @@ int SProcXISetClientPointer(ClientPtr client) { REQUEST(xXISetClientPointerReq); + REQUEST_SIZE_MATCH(xXISetClientPointerReq); + swaps(&stuff->length); swapl(&stuff->win); swaps(&stuff->deviceid); - REQUEST_SIZE_MATCH(xXISetClientPointerReq); return (ProcXISetClientPointer(client)); } diff --git a/Xi/xisetdevfocus.c b/Xi/xisetdevfocus.c index 372ec24..96a9a16 100644 --- a/Xi/xisetdevfocus.c +++ b/Xi/xisetdevfocus.c 
@@ -44,6 +44,8 @@ int SProcXISetFocus(ClientPtr client) { REQUEST(xXISetFocusReq); + REQUEST_AT_LEAST_SIZE(xXISetFocusReq); + swaps(&stuff->length); swaps(&stuff->deviceid); swapl(&stuff->focus); @@ -56,6 +58,8 @@ int SProcXIGetFocus(ClientPtr client) { REQUEST(xXIGetFocusReq); + REQUEST_AT_LEAST_SIZE(xXIGetFocusReq); + swaps(&stuff->length); swaps(&stuff->deviceid); diff --git a/Xi/xiwarppointer.c b/Xi/xiwarppointer.c index 3f051f7..780758a 100644 --- a/Xi/xiwarppointer.c +++ b/Xi/xiwarppointer.c @@ -56,6 +56,8 @@ int SProcXIWarpPointer(ClientPtr client) { REQUEST(xXIWarpPointerReq); + REQUEST_SIZE_MATCH(xXIWarpPointerReq); + swaps(&stuff->length); swapl(&stuff->src_win); swapl(&stuff->dst_win); diff --git a/include/dix.h b/include/dix.h index e0c6ed8..21176a8 100644 --- a/include/dix.h +++ b/include/dix.h @@ -74,6 +74,10 @@ SOFTWARE. if ((sizeof(req) >> 2) > client->req_len )\ return(BadLength) +#define REQUEST_AT_LEAST_EXTRA_SIZE(req, extra) \ + if (((sizeof(req) + ((uint64_t) extra)) >> 2) > client->req_len ) \ + return(BadLength) + #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ ((n >> 2) >= client->req_len) || \ -- 1.7.9.2 ++++++ U_Xv_unvalidated_lengths_in_XVideo_extension_swapped_procs.patch ++++++ Subject: Xv: unvalidated lengths in XVideo extension swapped procs References: bnc#907268, CVE-2014-8099 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- Xext/xvdisp.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c index 86f982a..c2d0fc9 100644 --- a/Xext/xvdisp.c +++ b/Xext/xvdisp.c @@ -1121,6 +1121,7 @@ static int SProcXvQueryExtension(ClientPtr client) { REQUEST(xvQueryExtensionReq); + REQUEST_SIZE_MATCH(xvQueryExtensionReq); swaps(&stuff->length); return XvProcVector[xv_QueryExtension] (client); } 
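Review bot: The new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h casts its `extra` argument without parenthesising it, `((uint64_t) extra)`. An argument containing an operator that binds more loosely than a cast, such as a conditional expression, would therefore be parsed differently from what the caller wrote. The callers visible on this page pass a single `sizeof(...)`, so nothing misbehaves today, but a length-validation macro should be safe for any expression: `if (((sizeof(req) + ((uint64_t) (extra))) >> 2) > client->req_len ) \`. A one-line comment above the macro stating that `extra` is a byte count, not a count of 4-byte units, would also help callers.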
@@ -1129,6 +1130,7 @@ static int SProcXvQueryAdaptors(ClientPtr client) { REQUEST(xvQueryAdaptorsReq); + REQUEST_SIZE_MATCH(xvQueryAdaptorsReq); swaps(&stuff->length); swapl(&stuff->window); return XvProcVector[xv_QueryAdaptors] (client); @@ -1138,6 +1140,7 @@ static int SProcXvQueryEncodings(ClientPtr client) { REQUEST(xvQueryEncodingsReq); + REQUEST_SIZE_MATCH(xvQueryEncodingsReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_QueryEncodings] (client); @@ -1147,6 +1150,7 @@ static int SProcXvGrabPort(ClientPtr client) { REQUEST(xvGrabPortReq); + REQUEST_SIZE_MATCH(xvGrabPortReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->time); @@ -1157,6 +1161,7 @@ static int SProcXvUngrabPort(ClientPtr client) { REQUEST(xvUngrabPortReq); + REQUEST_SIZE_MATCH(xvUngrabPortReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->time); @@ -1167,6 +1172,7 @@ static int SProcXvPutVideo(ClientPtr client) { REQUEST(xvPutVideoReq); + REQUEST_SIZE_MATCH(xvPutVideoReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1186,6 +1192,7 @@ static int SProcXvPutStill(ClientPtr client) { REQUEST(xvPutStillReq); + REQUEST_SIZE_MATCH(xvPutStillReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1205,6 +1212,7 @@ static int SProcXvGetVideo(ClientPtr client) { REQUEST(xvGetVideoReq); + REQUEST_SIZE_MATCH(xvGetVideoReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1224,6 +1232,7 @@ static int SProcXvGetStill(ClientPtr client) { REQUEST(xvGetStillReq); + REQUEST_SIZE_MATCH(xvGetStillReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1243,6 +1252,7 @@ static int SProcXvPutImage(ClientPtr client) { REQUEST(xvPutImageReq); + REQUEST_AT_LEAST_SIZE(xvPutImageReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); 
@@ -1266,6 +1276,7 @@ static int SProcXvShmPutImage(ClientPtr client) { REQUEST(xvShmPutImageReq); + REQUEST_SIZE_MATCH(xvShmPutImageReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1293,6 +1304,7 @@ static int SProcXvSelectVideoNotify(ClientPtr client) { REQUEST(xvSelectVideoNotifyReq); + REQUEST_SIZE_MATCH(xvSelectVideoNotifyReq); swaps(&stuff->length); swapl(&stuff->drawable); return XvProcVector[xv_SelectVideoNotify] (client); @@ -1302,6 +1314,7 @@ static int SProcXvSelectPortNotify(ClientPtr client) { REQUEST(xvSelectPortNotifyReq); + REQUEST_SIZE_MATCH(xvSelectPortNotifyReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_SelectPortNotify] (client); @@ -1311,6 +1324,7 @@ static int SProcXvStopVideo(ClientPtr client) { REQUEST(xvStopVideoReq); + REQUEST_SIZE_MATCH(xvStopVideoReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->drawable); @@ -1321,6 +1335,7 @@ static int SProcXvSetPortAttribute(ClientPtr client) { REQUEST(xvSetPortAttributeReq); + REQUEST_SIZE_MATCH(xvSetPortAttributeReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->attribute); @@ -1332,6 +1347,7 @@ static int SProcXvGetPortAttribute(ClientPtr client) { REQUEST(xvGetPortAttributeReq); + REQUEST_SIZE_MATCH(xvGetPortAttributeReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->attribute); @@ -1342,6 +1358,7 @@ static int SProcXvQueryBestSize(ClientPtr client) { REQUEST(xvQueryBestSizeReq); + REQUEST_SIZE_MATCH(xvQueryBestSizeReq); swaps(&stuff->length); swapl(&stuff->port); swaps(&stuff->vid_w); @@ -1355,6 +1372,7 @@ static int SProcXvQueryPortAttributes(ClientPtr client) { REQUEST(xvQueryPortAttributesReq); + REQUEST_SIZE_MATCH(xvQueryPortAttributesReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_QueryPortAttributes] (client); 
@@ -1364,6 +1382,7 @@ static int SProcXvQueryImageAttributes(ClientPtr client) { REQUEST(xvQueryImageAttributesReq); + REQUEST_SIZE_MATCH(xvQueryImageAttributesReq); swaps(&stuff->length); swapl(&stuff->port); swapl(&stuff->id); @@ -1376,6 +1395,7 @@ static int SProcXvListImageFormats(ClientPtr client) { REQUEST(xvListImageFormatsReq); + REQUEST_SIZE_MATCH(xvListImageFormatsReq); swaps(&stuff->length); swapl(&stuff->port); return XvProcVector[xv_ListImageFormats] (client); -- 1.7.9.2 ++++++ U_dbe_Call_to_DDX_SwapBuffers_requires_address_of_int_not_unsigned_int.patch ++++++ Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned int References: bnc#907268, CVE-2014-8097 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> When the local types used to walk the DBE request were changed, this changed the type of the parameter passed to the DDX SwapBuffers API, but there wasn't a matching change in the API definition. At this point, with the API frozen, I just stuck a new variable in with the correct type. Because we've already bounds-checked nStuff to be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will fit in a signed int without overflow. Signed-off-by: Keith Packard <keithp@keithp.com Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- dbe/dbe.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dbe/dbe.c b/dbe/dbe.c index df2ad5c..e5d928d 100644 --- a/dbe/dbe.c +++ b/dbe/dbe.c @@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client) int error; unsigned int i, j; unsigned int nStuff; + int nStuff_i; /* DDX API requires int for nStuff */ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); nStuff = stuff->n; /* use local variable for performance. */ 
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client) * could deal with cross-screen synchronization. */ - while (nStuff > 0) { + nStuff_i = nStuff; + while (nStuff_i > 0) { pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); - error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo); + error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo); if (error != Success) { free(swapInfo); return error; -- 1.8.4.5 ++++++ U_dbe_unvalidated_lengths_in_DbeSwapBuffers_calls.patch ++++++ Subject: dbe: unvalidated lengths in DbeSwapBuffers calls References: bnc#907268, CVE-2014-8097 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read from a buffer. The length is never validated, which can lead to out of bound reads, and possibly returning the data read from out of bounds to the misbehaving client via an X Error packet. SProcDbeSwapBuffers() swaps data (for correct endianness) before handing it off to the real proc. While doing the swapping, the length field is not validated, which can cause memory corruption. v2: reorder checks to avoid compilers optimizing out checks for overflow that happen after we'd already have done the overflowing multiplications. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- dbe/dbe.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/dbe/dbe.c b/dbe/dbe.c index 527588c..df2ad5c 100644 --- a/dbe/dbe.c +++ b/dbe/dbe.c 
@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client) DbeSwapInfoPtr swapInfo; xDbeSwapInfo *dbeSwapInfo; int error; - register int i, j; - int nStuff; + unsigned int i, j; + unsigned int nStuff; REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); nStuff = stuff->n; /* use local variable for performance. */ if (nStuff == 0) { + REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); return Success; } if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *) &stuff[1]; @@ -914,13 +916,16 @@ static int SProcDbeSwapBuffers(ClientPtr client) { REQUEST(xDbeSwapBuffersReq); - register int i; + unsigned int i; xDbeSwapInfo *pSwapInfo; swaps(&stuff->length); REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); swapl(&stuff->n); + if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { pSwapInfo = (xDbeSwapInfo *) stuff + 1; -- 1.7.9.2 ++++++ U_dix_GetHosts_bounds_check_using_wrong_pointer_value.patch ++++++ Subject: dix: GetHosts bounds check using wrong pointer value References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> GetHosts saves the pointer to allocated memory in *data, and then wants to bounds-check writes to that region, but was mistakenly using a bare 'data' instead of '*data'. Also, data is declared as void **, so we need a cast to turn it into a byte pointer so we can actually do pointer comparisons. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- os/access.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/access.c b/os/access.c index f393c8d..28f2d32 100644 --- a/os/access.c +++ b/os/access.c 
@@ -1308,7 +1308,7 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) } for (host = validhosts; host; host = host->next) { len = host->len; - if ((ptr + sizeof(xHostEntry) + len) > (data + n)) + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) break; ((xHostEntry *) ptr)->family = host->family; ((xHostEntry *) ptr)->length = len; -- 1.8.4.5 ++++++ U_dix_Missing_parens_in_REQUEST_FIXED_SIZE_macro.patch ++++++ Subject: Missing parens in REQUEST_FIXED_SIZE macro References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> The 'n' parameter must be surrounded by parens in both places to prevent precedence from mis-computing things. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- include/dix.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/dix.h b/include/dix.h index 21176a8..921156b 100644 --- a/include/dix.h +++ b/include/dix.h @@ -80,7 +80,7 @@ SOFTWARE. #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ - ((n >> 2) >= client->req_len) || \ + (((n) >> 2) >= client->req_len) || \ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ return(BadLength) -- 1.8.4.5 ++++++ U_dix_integer_overflow_in_GetHosts.patch ++++++ Subject: dix: integer overflow in GetHosts() References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream 
Signed-off-by: Michal Srb <msrb@suse.com> GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- os/access.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/os/access.c b/os/access.c index 5c510de..f393c8d 100644 --- a/os/access.c +++ b/os/access.c @@ -1296,6 +1296,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) for (host = validhosts; host; host = host->next) { nHosts++; n += pad_to_int32(host->len) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1048576) + break; } if (n) { *data = ptr = malloc(n); @@ -1304,6 +1308,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) } for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > (data + n)) + break; ((xHostEntry *) ptr)->family = host->family; ((xHostEntry *) ptr)->length = len; ptr += sizeof(xHostEntry); -- 1.7.9.2 ++++++ U_dix_integer_overflow_in_ProcPutImage.patch ++++++ Subject: dix: integer overflow in ProcPutImage() References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream 
Signed-off-by: Michal Srb <msrb@suse.com> ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- dix/dispatch.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dix/dispatch.c b/dix/dispatch.c index d844a09..55b978d 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if ((bytes_to_int32(lengthProto * stuff->height) + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) return BadLength; -- 1.7.9.2 ++++++ U_dix_integer_overflow_in_REQUEST_FIXED_SIZE.patch ++++++ Subject: dix: integer overflow in REQUEST_FIXED_SIZE() References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Force use of 64-bit integers when evaluating data provided by clients in 32-bit fields which can overflow when added or multiplied during checks. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- include/dix.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/dix.h b/include/dix.h index 991a3ce..e0c6ed8 100644 --- a/include/dix.h +++ b/include/dix.h 
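Review bot: The overflow guard added to ProcPutImage in dix/dispatch.c divides by `stuff->height`, a field taken from the client's request, and nothing in the hunk rejects a height of zero. Unless an earlier check outside the hunk excludes it, `INT32_MAX / stuff->height` is then an integer division by zero, and a single request can stop the server. A zero-height image cannot overflow the product, so the guard can skip it: `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))`. ProcPutImage begins and ends outside the hunk.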
@@ -76,7 +76,8 @@ SOFTWARE. #define REQUEST_FIXED_SIZE(req, n)\ if (((sizeof(req) >> 2) > client->req_len) || \ - (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ + ((n >> 2) >= client->req_len) || \ + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ return(BadLength) #define LEGAL_NEW_RESOURCE(id,client)\ -- 1.7.9.2 ++++++ U_dix_integer_overflow_in_RegionSizeof.patch ++++++ Subject: dix: integer overflow in RegionSizeof() References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> RegionSizeof contains several integer overflows if a large length value is passed in. Once we fix it to return 0 on overflow, we also have to fix the callers to handle this error condition v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> --- dix/region.c | 20 +++++++++++++------- include/regionstr.h | 10 +++++++--- 2 files changed, 20 insertions(+), 10 deletions(-) Index: xorg-server-1.15.2/dix/region.c =================================================================== --- xorg-server-1.15.2.orig/dix/region.c +++ xorg-server-1.15.2/dix/region.c @@ -169,7 +169,6 @@ Equipment Corporation. ((r1)->y1 <= (r2)->y1) && \ ((r1)->y2 >= (r2)->y2) ) -#define xallocData(n) malloc(RegionSizeof(n)) #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) #define RECTALLOC_BAIL(pReg,n,bail) \ 
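Review bot: In the added line `((n >> 2) >= client->req_len)` the macro argument is used without parentheses, unlike `(n)` in the line below it, so an argument containing an operator of lower precedence than `>>` would be grouped wrongly; write `(((n) >> 2) >= client->req_len)`. The `uint64_t` cast also only widens the addition: an argument such as `stuff->count * 4` is still evaluated in its own 32-bit type before the macro sees it, so callers that multiply a client-supplied count need their own range check. A comment above the macro, for example `/* n is evaluated in the caller's type; range-check products of client fields separately */`, would keep that from being forgotten.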
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num #define DOWNSIZE(reg,numRects) \ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ { \ - RegDataPtr NewData; \ - NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ + size_t NewSize = RegionSizeof(numRects); \ + RegDataPtr NewData = \ + (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ if (NewData) \ { \ NewData->size = (numRects); \ @@ -345,17 +345,20 @@ Bool RegionRectAlloc(RegionPtr pRgn, int n) { RegDataPtr data; + size_t rgnSize; if (!pRgn->data) { n++; - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak(pRgn); pRgn->data->numRects = 1; *RegionBoxptr(pRgn) = pRgn->extents; } else if (!pRgn->data->size) { - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak(pRgn); pRgn->data->numRects = 0; @@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) n = 250; } n += pRgn->data->numRects; - data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); + rgnSize = RegionSizeof(n); + data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; if (!data) return RegionBreak(pRgn); pRgn->data = data; @@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle * { RegionPtr pRgn; + size_t rgnSize; RegDataPtr pData; BoxPtr pBox; int i; @@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle * } return pRgn; } - pData = xallocData(nrects); + rgnSize = RegionSizeof(nrects); + pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pData) { RegionBreak(pRgn); return pRgn; Index: xorg-server-1.15.2/include/regionstr.h =================================================================== --- xorg-server-1.15.2.orig/include/regionstr.h +++ xorg-server-1.15.2/include/regionstr.h 
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg) static inline size_t RegionSizeof(int n) { - return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); + if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) + return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); + else + return 0; } static inline void @@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect (_pReg)->data = (RegDataPtr) NULL; } else { + size_t rgnSize; (_pReg)->extents = RegionEmptyBox; - if (((_size) > 1) && ((_pReg)->data = - (RegDataPtr) malloc(RegionSizeof(_size)))) { + if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && + (((_pReg)->data = malloc(rgnSize)) != NULL)) { (_pReg)->data->size = (_size); (_pReg)->data->numRects = 0; } ++++++ U_dri2_integer_overflow_in_ProcDRI2GetBuffers.patch ++++++ Subject: dri2: integer overflow in ProcDRI2GetBuffers() References: bnc#907268, CVE-2014-8094 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> ProcDRI2GetBuffers() tries to validate a length field (count). There is an integer overflow in the validation. This can cause out of bound reads and memory corruption later on. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> --- hw/xfree86/dri2/dri2ext.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c index ffd66fa..221ec53 100644 --- a/hw/xfree86/dri2/dri2ext.c +++ b/hw/xfree86/dri2/dri2ext.c @@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client) unsigned int *attachments; REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); + if (stuff->count > (INT_MAX / 4)) + return BadLength; + if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status)) return status; -- 1.7.9.2 ++++++ U_ephyr_add_output_option_support.patch ++++++
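Review bot: RegionSizeof now returns 0 to mean that the size is not representable, but nothing at the function says so, and a negative `n` is rejected only because the comparison converts it to `size_t`. Both should be explicit for the next caller: a comment such as `/* Returns 0 if n is negative or the size would exceed INT_MAX; callers must not allocate in that case. */` and the condition `if (n >= 0 && (size_t) n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))`. Whether regionstr.h already includes the header that defines `INT_MAX` is not visible in this hunk and is worth confirming.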
From 3a51418b2db353519a1779cf3cebbcc9afba2520 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?= <laerciosousa@sme-mogidascruzes.sp.gov.br> Date: Mon, 18 Aug 2014 08:45:43 -0300 Subject: ephyr: set screen size & origin from host X server output's CRTC geometry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
If a given output is passed via new -output option, Xephyr will query host X server for its info. If the following conditions are met: a. RandR extension is enabled in host X server; b. supported RandR version in host X server is 1.2 or newer; c. the given output name is valid; d. the given output is connected; then Xephyr will get output's CRTC geometry and use it to set its own screen size and origin. It's just like starting Xephyr in fullscreen mode, but restricted to the given output's CRTC geometry (fake "Zaphod mode"). This is the main feature needed for Xephyr-based single-card multiseat setups where we don't have separate screens to start Xephyr in fullscreen mode safely. Signed-off-by: Laércio de Sousa <laerciosousa@sme-mogidascruzes.sp.gov.br> Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Keith Packard <keithp@keithp.com> diff --git a/configure.ac b/configure.ac index f3d9654..cba7d24 100644 --- a/configure.ac +++ b/configure.ac @@ -2364,7 +2364,7 @@ if test "$KDRIVE" = yes; then AC_DEFINE(KDRIVE_MOUSE, 1, [Enable KDrive mouse driver]) fi - XEPHYR_REQUIRED_LIBS="xau xdmcp xcb xcb-shape xcb-aux xcb-image xcb-icccm xcb-shm xcb-keysyms" + XEPHYR_REQUIRED_LIBS="xau xdmcp xcb xcb-shape xcb-aux xcb-image xcb-icccm xcb-shm xcb-keysyms xcb-randr" if test "x$XV" = xyes; then XEPHYR_REQUIRED_LIBS="$XEPHYR_REQUIRED_LIBS xcb-xv" fi diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c index b039c68..85d4193 100644 --- a/hw/kdrive/ephyr/ephyr.c +++ b/hw/kdrive/ephyr/ephyr.c @@ -111,13 +111,16 @@ Bool ephyrScreenInitialize(KdScreenInfo *screen) { EphyrScrPriv *scrpriv = screen->driver; + int x = 0, y = 0; int width = 640, height = 480; CARD32 redMask, greenMask, blueMask; - if (hostx_want_screen_size(screen, &width, &height) + if (hostx_want_screen_geometry(screen, &width, &height, &x, &y) || !screen->width || !screen->height) { screen->width = width; screen->height = height; + screen->x = x; + screen->y = y; } if (EphyrWantGrayScale) 
diff --git a/hw/kdrive/ephyr/ephyr.h b/hw/kdrive/ephyr/ephyr.h index 5c4936b..4e753f1 100644 --- a/hw/kdrive/ephyr/ephyr.h +++ b/hw/kdrive/ephyr/ephyr.h @@ -74,8 +74,10 @@ typedef struct _ephyrScrPriv { xcb_window_t peer_win; /* Used for GL; should be at most one */ xcb_image_t *ximg; Bool win_explicit_position; + int win_x, win_y; int win_width, win_height; int server_depth; + const char *output; /* Set via -output option */ unsigned char *fb_data; /* only used when host bpp != server bpp */ xcb_shm_segment_info_t shminfo; diff --git a/hw/kdrive/ephyr/ephyrinit.c b/hw/kdrive/ephyr/ephyrinit.c index e04c8dc..38acc52 100644 --- a/hw/kdrive/ephyr/ephyrinit.c +++ b/hw/kdrive/ephyr/ephyrinit.c @@ -47,6 +47,8 @@ extern KdPointerDriver LinuxEvdevMouseDriver; extern KdKeyboardDriver LinuxEvdevKeyboardDriver; #endif +void processScreenOrOutputArg(const char *screen_size, const char *output, char *parent_id); +void processOutputArg(const char *output, char *parent_id); void processScreenArg(const char *screen_size, char *parent_id); void @@ -134,6 +136,7 @@ ddxUseMsg(void) ErrorF("-parent <XID> Use existing window as Xephyr root win\n"); ErrorF("-sw-cursor Render cursors in software in Xephyr\n"); ErrorF("-fullscreen Attempt to run Xephyr fullscreen\n"); + ErrorF("-output <NAME> Attempt to run Xephyr fullscreen (restricted to given output geometry)\n"); ErrorF("-grayscale Simulate 8bit grayscale\n"); ErrorF("-resizeable Make Xephyr windows resizeable\n"); #ifdef GLAMOR @@ -154,7 +157,7 @@ ddxUseMsg(void) } void -processScreenArg(const char *screen_size, char *parent_id) +processScreenOrOutputArg(const char *screen_size, const char *output, char *parent_id) { KdCardInfo *card; 
@@ -178,13 +181,25 @@ processScreenArg(const char *screen_size, char *parent_id) use_geometry = (strchr(screen_size, '+') != NULL); EPHYR_DBG("screen number:%d\n", screen->mynum); - hostx_add_screen(screen, p_id, screen->mynum, use_geometry); + hostx_add_screen(screen, p_id, screen->mynum, use_geometry, output); } else { ErrorF("No matching card found!\n"); } } +void +processScreenArg(const char *screen_size, char *parent_id) +{ + processScreenOrOutputArg(screen_size, NULL, parent_id); +} + +void +processOutputArg(const char *output, char *parent_id) +{ + processScreenOrOutputArg("100x100+0+0", output, parent_id); +} + int ddxProcessArgument(int argc, char **argv, int i) { @@ -226,6 +241,15 @@ ddxProcessArgument(int argc, char **argv, int i) UseMsg(); exit(1); } + else if (!strcmp(argv[i], "-output")) { + if (i + 1 < argc) { + processOutputArg(argv[i + 1], NULL); + return 2; + } + + UseMsg(); + exit(1); + } else if (!strcmp(argv[i], "-sw-cursor")) { hostx_use_sw_cursor(); return 1; diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c index 92a8ada..2161ad5 100644 --- a/hw/kdrive/ephyr/hostx.c +++ b/hw/kdrive/ephyr/hostx.c @@ -51,6 +51,7 @@ #include <xcb/xcb_image.h> #include <xcb/shape.h> #include <xcb/xcb_keysyms.h> +#include <xcb/randr.h> #ifdef XF86DRI #include <xcb/xf86dri.h> #include <xcb/glx.h> @@ -104,12 +105,15 @@ static void #define host_depth_matches_server(_vars) (HostX.depth == (_vars)->server_depth) int -hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height) +hostx_want_screen_geometry(KdScreenInfo *screen, int *width, int *height, int *x, int *y) { EphyrScrPriv *scrpriv = screen->driver; if (scrpriv && (scrpriv->win_pre_existing != None || + scrpriv->output != NULL || HostX.use_fullscreen == TRUE)) { + *x = scrpriv->win_x; + *y = scrpriv->win_y; *width = scrpriv->win_width; *height = scrpriv->win_height; return 1; 
@@ -119,7 +123,7 @@ hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height) } void -hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry) +hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry, const char *output) { EphyrScrPriv *scrpriv = screen->driver; int index = HostX.n_screens; @@ -132,6 +136,7 @@ hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Boo scrpriv->screen = screen; scrpriv->win_pre_existing = win_id; scrpriv->win_explicit_position = use_geometry; + scrpriv->output = output; } void 
@@ -211,6 +216,119 @@ hostx_want_preexisting_window(KdScreenInfo *screen) } void +hostx_get_output_geometry(const char *output, + int *x, int *y, + int *width, int *height) +{ + int i, name_len = 0, output_found = FALSE; + char *name = NULL; + xcb_generic_error_t *error; + xcb_randr_query_version_cookie_t version_c; + xcb_randr_query_version_reply_t *version_r; + xcb_randr_get_screen_resources_cookie_t screen_resources_c; + xcb_randr_get_screen_resources_reply_t *screen_resources_r; + xcb_randr_output_t *randr_outputs; + xcb_randr_get_output_info_cookie_t output_info_c; + xcb_randr_get_output_info_reply_t *output_info_r; + xcb_randr_get_crtc_info_cookie_t crtc_info_c; + xcb_randr_get_crtc_info_reply_t *crtc_info_r; + + /* First of all, check for extension */ + if (!xcb_get_extension_data(HostX.conn, &xcb_randr_id)->present) + { + fprintf(stderr, "\nHost X server does not support RANDR extension (or it's disabled).\n"); + exit(1); + } + + /* Check RandR version */ + version_c = xcb_randr_query_version(HostX.conn, 1, 2); + version_r = xcb_randr_query_version_reply(HostX.conn, + version_c, + &error); + + if (error != NULL || version_r == NULL) + { + fprintf(stderr, "\nFailed to get RandR version supported by host X server.\n"); + exit(1); + } + else if (version_r->major_version < 1 || version_r->minor_version < 2) + { + free(version_r); + fprintf(stderr, "\nHost X server doesn't support RandR 1.2, needed for -output usage.\n"); + exit(1); + } + + free(version_r); + + /* Get list of outputs from screen resources */ + screen_resources_c = xcb_randr_get_screen_resources(HostX.conn, + HostX.winroot); + screen_resources_r = xcb_randr_get_screen_resources_reply(HostX.conn, + screen_resources_c, + NULL); + randr_outputs = xcb_randr_get_screen_resources_outputs(screen_resources_r); + + for (i = 0; !output_found && i < screen_resources_r->num_outputs; i++) + { + /* Get info on the output */ + output_info_c = xcb_randr_get_output_info(HostX.conn, + randr_outputs[i], + 
XCB_CURRENT_TIME); + output_info_r = xcb_randr_get_output_info_reply(HostX.conn, + output_info_c, + NULL); + + /* Get output name */ + name_len = xcb_randr_get_output_info_name_length(output_info_r); + name = malloc(name_len + 1); + strncpy(name, (char*)xcb_randr_get_output_info_name(output_info_r), name_len); + name[name_len] = '\0'; + + if (!strcmp(name, output)) + { + output_found = TRUE; + + /* Check if output is connected */ + if (output_info_r->crtc == XCB_NONE) + { + free(name); + free(output_info_r); + free(screen_resources_r); + fprintf(stderr, "\nOutput %s is currently disabled (or not connected).\n", output); + exit(1); + } + + /* Get CRTC from output info */ + crtc_info_c = xcb_randr_get_crtc_info(HostX.conn, + output_info_r->crtc, + XCB_CURRENT_TIME); + crtc_info_r = xcb_randr_get_crtc_info_reply(HostX.conn, + crtc_info_c, + NULL); + + /* Get CRTC geometry */ + *x = crtc_info_r->x; + *y = crtc_info_r->y; + *width = crtc_info_r->width; + *height = crtc_info_r->height; + + free(crtc_info_r); + } + + free(name); + free(output_info_r); + } + + free(screen_resources_r); + + if (!output_found) + { + fprintf(stderr, "\nOutput %s not available in host X server.\n", output); + exit(1); + } +} + +void hostx_use_fullscreen(void) { HostX.use_fullscreen = TRUE; @@ -359,6 +477,8 @@ hostx_init(void) scrpriv->win = xcb_generate_id(HostX.conn); scrpriv->server_depth = HostX.depth; scrpriv->ximg = NULL; + scrpriv->win_x = 0; + scrpriv->win_y = 0; if (scrpriv->win_pre_existing != XCB_WINDOW_NONE) { xcb_get_geometry_reply_t *prewin_geom; @@ -416,6 +536,17 @@ hostx_init(void) hostx_set_fullscreen_hint(); } + else if (scrpriv->output) { + hostx_get_output_geometry(scrpriv->output, + &scrpriv->win_x, + &scrpriv->win_y, + &scrpriv->win_width, + &scrpriv->win_height); + + HostX.use_fullscreen = TRUE; + hostx_set_fullscreen_hint(); + } + tmpstr = getenv("RESOURCE_NAME"); if (tmpstr && (!ephyrResNameFromCmd)) 
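Review bot: The version test in hostx_get_output_geometry, `version_r->major_version < 1 || version_r->minor_version < 2`, rejects a host that reports a major version above 1 together with a minor version below 2; the pair has to be compared as a whole, as in the first lines of the fence. The three replies fetched with a NULL error pointer (`screen_resources_r`, `output_info_r`, `crtc_info_r`) and the `malloc` for `name` are dereferenced without a NULL check, so a failed request on the host connection crashes Xephyr instead of producing one of the error messages used elsewhere in the function. The `error` returned by the version query is also never freed. The fence shows the added checks; the message texts in it are suggestions.

```c
    else if (version_r->major_version < 1 ||
             (version_r->major_version == 1 && version_r->minor_version < 2))
    /* … unchanged: free(version_r), message, exit(1) … */

    /* … unchanged: xcb_randr_get_screen_resources request and reply … */
    if (screen_resources_r == NULL)
    {
        fprintf(stderr, "\nFailed to get screen resources from host X server.\n");
        exit(1);
    }

    /* … unchanged: loop header, xcb_randr_get_output_info request and reply … */
        if (output_info_r == NULL)
            continue;

        /* … unchanged: name_len … */
        name = malloc(name_len + 1);
        if (name == NULL)
        {
            free(output_info_r);
            free(screen_resources_r);
            fprintf(stderr, "\nOut of memory while reading output names.\n");
            exit(1);
        }

            /* … unchanged: connected check, xcb_randr_get_crtc_info request and reply … */
            if (crtc_info_r == NULL)
            {
                free(name);
                free(output_info_r);
                free(screen_resources_r);
                fprintf(stderr, "\nFailed to get CRTC info for output %s.\n", output);
                exit(1);
            }
```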
@@ -759,6 +890,8 @@ hostx_screen_init(KdScreenInfo *screen, scrpriv->win_width = width; scrpriv->win_height = height; + scrpriv->win_x = x; + scrpriv->win_y = y; #ifdef GLAMOR if (ephyr_glamor) { diff --git a/hw/kdrive/ephyr/hostx.h b/hw/kdrive/ephyr/hostx.h index c554ca3..80894c8 100644 --- a/hw/kdrive/ephyr/hostx.h +++ b/hw/kdrive/ephyr/hostx.h @@ -74,7 +74,7 @@ typedef struct { } EphyrRect; int -hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height); +hostx_want_screen_geometry(KdScreenInfo *screen, int *width, int *height, int *x, int *y); int hostx_want_host_cursor(void); @@ -83,6 +83,11 @@ void hostx_use_sw_cursor(void); void + hostx_get_output_geometry(const char *output, + int *x, int *y, + int *width, int *height); + +void hostx_use_fullscreen(void); int @@ -107,7 +112,7 @@ int hostx_init(void); void -hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry); +hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry, const char *output); void hostx_set_display_name(char *name); -- cgit v0.10.2 ++++++ U_ephyr_enable_screen_window_placement.patch ++++++
From 84b02469ef97e6f85d074d220a517d752180045f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?= <laerciosousa@sme-mogidascruzes.sp.gov.br> Date: Mon, 18 Aug 2014 08:45:42 -0300 Subject: ephyr: enable screen window placement following kdrive -screen option extended syntax MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
With this patch, one can launch Xephyr with option "-screen WxH+X+Y" to place its window origin at (X,Y). This patch relies on a previous one that extends kdrive -screen option syntax to parse +X+Y substring as expected. If +X+Y is not passed in -screen argument string, let the WM place the window for us, as before. Signed-off-by: Laércio de Sousa <laerciosousa@sme-mogidascruzes.sp.gov.br> Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Keith Packard <keithp@keithp.com> diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c index d57e9f3..b039c68 100644 --- a/hw/kdrive/ephyr/ephyr.c +++ b/hw/kdrive/ephyr/ephyr.c @@ -242,7 +242,8 @@ ephyrMapFramebuffer(KdScreenInfo * screen) buffer_height = ephyrBufferHeight(screen); priv->base = - hostx_screen_init(screen, screen->width, screen->height, buffer_height, + hostx_screen_init(screen, screen->x, screen->y, + screen->width, screen->height, buffer_height, &priv->bytes_per_line, &screen->fb.bitsPerPixel); if ((scrpriv->randr & RR_Rotate_0) && !(scrpriv->randr & RR_Reflect_All)) { diff --git a/hw/kdrive/ephyr/ephyr.h b/hw/kdrive/ephyr/ephyr.h index dfd93c9..5c4936b 100644 --- a/hw/kdrive/ephyr/ephyr.h +++ b/hw/kdrive/ephyr/ephyr.h @@ -73,6 +73,7 @@ typedef struct _ephyrScrPriv { xcb_window_t win_pre_existing; /* Set via -parent option like xnest */ xcb_window_t peer_win; /* Used for GL; should be at most one */ xcb_image_t *ximg; + Bool win_explicit_position; int win_width, win_height; int server_depth; unsigned char *fb_data; /* only used when host bpp != server bpp */ diff --git a/hw/kdrive/ephyr/ephyrinit.c b/hw/kdrive/ephyr/ephyrinit.c index fc00010..e04c8dc 100644 --- a/hw/kdrive/ephyr/ephyrinit.c +++ b/hw/kdrive/ephyr/ephyrinit.c @@ -164,6 +164,7 @@ processScreenArg(const char *screen_size, char *parent_id) if (card) { KdScreenInfo *screen; unsigned long p_id = 0; + Bool use_geometry; screen = KdScreenInfoAdd(card); KdParseScreen(screen, screen_size); 
@@ -174,8 +175,10 @@ processScreenArg(const char *screen_size, char *parent_id) if (parent_id) { p_id = strtol(parent_id, NULL, 0); } + + use_geometry = (strchr(screen_size, '+') != NULL); EPHYR_DBG("screen number:%d\n", screen->mynum); - hostx_add_screen(screen, p_id, screen->mynum); + hostx_add_screen(screen, p_id, screen->mynum, use_geometry); } else { ErrorF("No matching card found!\n"); diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c index 1c75974..92a8ada 100644 --- a/hw/kdrive/ephyr/hostx.c +++ b/hw/kdrive/ephyr/hostx.c @@ -119,7 +119,7 @@ hostx_want_screen_size(KdScreenInfo *screen, int *width, int *height) } void -hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num) +hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry) { EphyrScrPriv *scrpriv = screen->driver; int index = HostX.n_screens; @@ -131,6 +131,7 @@ hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num) scrpriv->screen = screen; scrpriv->win_pre_existing = win_id; + scrpriv->win_explicit_position = use_geometry; } void @@ -637,6 +638,7 @@ hostx_set_cmap_entry(unsigned char idx, */ void * hostx_screen_init(KdScreenInfo *screen, + int x, int y, int width, int height, int buffer_height, int *bytes_per_line, int *bits_per_pixel) { @@ -648,8 +650,8 @@ hostx_screen_init(KdScreenInfo *screen, exit(1); } - EPHYR_DBG("host_screen=%p wxh=%dx%d, buffer_height=%d", - host_screen, width, height, buffer_height); + EPHYR_DBG("host_screen=%p x=%d, y=%d, wxh=%dx%d, buffer_height=%d", + host_screen, x, y, width, height, buffer_height); if (scrpriv->ximg != NULL) { /* Free up the image data if previously used 
@@ -740,6 +742,19 @@ hostx_screen_init(KdScreenInfo *screen, xcb_map_window(HostX.conn, scrpriv->win); + /* Set explicit window position if it was informed in + * -screen option (WxH+X or WxH+X+Y). Otherwise, accept the + * position set by WM. + * The trick here is putting this code after xcb_map_window() call, + * so these values won't be overriden by WM. */ + if (scrpriv->win_explicit_position) + { + uint32_t mask = XCB_CONFIG_WINDOW_X | XCB_CONFIG_WINDOW_Y; + uint32_t values[2] = {x, y}; + xcb_configure_window(HostX.conn, scrpriv->win, mask, values); + } + + xcb_aux_sync(HostX.conn); scrpriv->win_width = width; diff --git a/hw/kdrive/ephyr/hostx.h b/hw/kdrive/ephyr/hostx.h index e83323a..c554ca3 100644 --- a/hw/kdrive/ephyr/hostx.h +++ b/hw/kdrive/ephyr/hostx.h @@ -107,7 +107,7 @@ int hostx_init(void); void -hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num); +hostx_add_screen(KdScreenInfo *screen, unsigned long win_id, int screen_num, Bool use_geometry); void hostx_set_display_name(char *name); 
@@ -136,6 +136,7 @@ hostx_set_cmap_entry(unsigned char idx, unsigned char r, unsigned char g, unsigned char b); void *hostx_screen_init(KdScreenInfo *screen, + int x, int y, int width, int height, int buffer_height, int *bytes_per_line, int *bits_per_pixel); -- cgit v0.10.2 ++++++ U_fb_Fix_Bresenham_algorithms_for_commonly_used_small_segments.patch ++++++ Subject: fb: Fix Bresenham algorithms for commonly used small segments. Git-commit: 1b94fd77792310c80b0a2bcf4bf6d4e4c4c23bca Author: Alex Orange <crazycasta@gmail.com> Patch-Mainline: Upstream References: bnc#908258, bnc#856931, fdo#54168 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=54168 Fix errors introducted in 863d528a9f76d0e8f122aebf19f8564a4c67a938. Said patch does indeed remove the problematic writes to bad memory, however it also introduces errors in the algoritm. This patch has the effect of reverting said patch and adding an if in the proper location to catch the out of bounds memory write without causing problems to the overall algorithm. Signed-off-by: Alex Orange <crazycasta@gmail.com> Reviewed-by: Peter Harris <pharris@opentext.com> Tested-by: Peter Harris <pharris@opentext.com> Signed-off-by: Keith Packard <keithp@keithp.com> --- fb/fbseg.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/fb/fbseg.c b/fb/fbseg.c index 36b17e3..c3c196a 100644 --- a/fb/fbseg.c +++ b/fb/fbseg.c @@ -65,12 +65,6 @@ fbBresSolid(DrawablePtr pDrawable, if (axis == X_AXIS) { bits = 0; while (len--) { - if (e >= 0) { - WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits)); - bits = 0; - dst += dstStride; - e += e3; - } bits |= mask; mask = fbBresShiftMask(mask, signdx, dstBpp); if (!mask) { 
@@ -80,12 +74,23 @@ fbBresSolid(DrawablePtr pDrawable, mask = mask0; } e += e1; + if (e >= 0) { + if (bits) { + WRITE(dst, FbDoMaskRRop (READ(dst), and, xor, bits)); + bits = 0; + } + dst += dstStride; + e += e3; + } } if (bits) WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, bits)); } else { while (len--) { + WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask)); + dst += dstStride; + e += e1; if (e >= 0) { e += e3; mask = fbBresShiftMask(mask, signdx, dstBpp); @@ -94,9 +99,6 @@ fbBresSolid(DrawablePtr pDrawable, mask = mask0; } } - WRITE(dst, FbDoMaskRRop(READ(dst), and, xor, mask)); - dst += dstStride; - e += e1; } } -- 1.8.4.5 ++++++ U_glx_Add_safe__add_mul_pad.patch ++++++ Subject: glx: Add safe_{add,mul,pad} (v3) References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/glxserver.h | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/glx/glxserver.h b/glx/glxserver.h index a324b29..9482601 100644 --- a/glx/glxserver.h +++ b/glx/glxserver.h 
@@ -228,6 +228,47 @@ extern void glxSwapQueryServerStringReply(ClientPtr client, * Routines for computing the size of variably-sized rendering commands. */ +static _X_INLINE int +safe_add(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (INT_MAX - a < b) + return -1; + + return a + b; +} + +static _X_INLINE int +safe_mul(int a, int b) +{ + if (a < 0 || b < 0) + return -1; + + if (a == 0 || b == 0) + return 0; + + if (a > INT_MAX / b) + return -1; + + return a * b; +} + +static _X_INLINE int +safe_pad(int a) +{ + int ret; + + if (a < 0) + return -1; + + if ((ret = safe_add(a, 3)) < 0) + return -1; + + return ret & (GLuint)~3; +} + extern int __glXTypeSize(GLenum enm); extern int __glXImageSize(GLenum format, GLenum type, GLenum target, GLsizei w, GLsizei h, GLsizei d, -- 1.7.9.2 ++++++ U_glx_Additional_paranoia_in___glXGetAnswerBuffer___GLX_GET_ANSWER_BUFFER.patch ++++++ Subject: glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/indirect_util.c | 7 ++++++- glx/unpack.h | 3 ++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/glx/indirect_util.c b/glx/indirect_util.c index 926e57c..de81491 100644 --- a/glx/indirect_util.c +++ b/glx/indirect_util.c 
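Review bot: The three helpers carry no comment, so the contract their callers depend on (a return of -1 on overflow or on a negative argument) is recorded only in the commit message. A one-line comment above each would fix that, for example `/* Return a + b, or -1 if either argument is negative or the sum would exceed INT_MAX. */` on safe_add, with matching text on safe_mul and safe_pad. In safe_pad the leading `if (a < 0) return -1;` repeats what safe_add already checks and can be dropped without changing the result.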
@@ -76,9 +76,14 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size, const unsigned mask = alignment - 1; if (local_size < required_size) { - const size_t worst_case_size = required_size + alignment; + size_t worst_case_size; intptr_t temp_buf; + if (required_size < SIZE_MAX - alignment) + worst_case_size = required_size + alignment; + else + return NULL; + if (cl->returnBufSize < worst_case_size) { void *temp = realloc(cl->returnBuf, worst_case_size); diff --git a/glx/unpack.h b/glx/unpack.h index 52fba74..2b1ebcf 100644 --- a/glx/unpack.h +++ b/glx/unpack.h @@ -83,7 +83,8 @@ extern xGLXSingleReply __glXReply; ** pointer. */ #define __GLX_GET_ANSWER_BUFFER(res,cl,size,align) \ - if ((size) > sizeof(answerBuffer)) { \ + if (size < 0) return BadLength; \ + else if ((size) > sizeof(answerBuffer)) { \ int bump; \ if ((cl)->returnBufSize < (size)+(align)) { \ (cl)->returnBuf = (GLbyte*)realloc((cl)->returnBuf, \ -- 1.7.9.2 ++++++ U_glx_Be_more_paranoid_about_variable_length_requests.patch ++++++ Subject: glx: Be more paranoid about variable-length requests References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/glxcmds.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 8d3fa9f..0521b58 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c 
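Review bot: The line added to `__GLX_GET_ANSWER_BUFFER` in glx/unpack.h tests `size < 0` without parentheses around the macro argument, while the following line uses `(size)`; write `if ((size) < 0) return BadLength; \`. The check also only has an effect when the argument is of a signed type, and the next condition still compares it with `sizeof(answerBuffer)` and adds `(align)` to it in that type, so a comment on the macro stating that `size` must be a signed int would make the assumption visible. The macro now opens with an `if … else if` chain and its body continues outside the hunk, so whether it stays safe under a caller's own `if`/`else` cannot be judged from here.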
@@ -2060,7 +2060,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, client->swapped); if (extra < 0) { - extra = 0; + return BadLength; } if (cmdlen != __GLX_PAD(entry.bytes + extra)) { return BadLength; @@ -2177,7 +2177,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) extra = (*entry.varsize) (pc + __GLX_RENDER_LARGE_HDR_SIZE, client->swapped); if (extra < 0) { - extra = 0; + return BadLength; } /* large command's header is 4 bytes longer, so add 4 */ if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { -- 1.7.9.2 ++++++ U_glx_Be_more_strict_about_rejecting_invalid_image_sizes.patch ++++++ Subject: glx: Be more strict about rejecting invalid image sizes References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/singlepix.c | 16 ++++++++-------- glx/singlepixswap.c | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) Index: xorg-server-1.14.3.901/glx/singlepix.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/singlepix.c +++ xorg-server-1.14.3.901/glx/singlepix.c 
@@ -69,7 +69,7 @@ __glXDisp_ReadPixels(__GLXclientState * lsbFirst = *(GLboolean *) (pc + 25); compsize = __glReadPixels_size(format, type, width, height); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst)); @@ -134,7 +134,7 @@ __glXDisp_GetTexImage(__GLXclientState * compsize = __glGetTexImage_size(target, level, format, type, width, height, depth); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -232,9 +232,9 @@ GetSeparableFilter(__GLXclientState * cl compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; if (compsize2 < 0) - compsize2 = 0; + return BadLength; compsize = __GLX_PAD(compsize); compsize2 = __GLX_PAD(compsize2); @@ -315,7 +315,7 @@ GetConvolutionFilter(__GLXclientState * */ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -386,7 +386,7 @@ GetHistogram(__GLXclientState * cl, GLby */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -447,7 +447,7 @@ GetMinmax(__GLXclientState * cl, GLbyte compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); 
@@ -513,7 +513,7 @@ GetColorTable(__GLXclientState * cl, GLb */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); Index: xorg-server-1.14.3.901/glx/singlepixswap.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/singlepixswap.c +++ xorg-server-1.14.3.901/glx/singlepixswap.c @@ -79,7 +79,7 @@ __glXDispSwap_ReadPixels(__GLXclientStat lsbFirst = *(GLboolean *) (pc + 25); compsize = __glReadPixels_size(format, type, width, height); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_LSB_FIRST, lsbFirst)); @@ -155,7 +155,7 @@ __glXDispSwap_GetTexImage(__GLXclientSta compsize = __glGetTexImage_size(target, level, format, type, width, height, depth); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -267,9 +267,9 @@ GetSeparableFilter(__GLXclientState * cl compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; if (compsize2 < 0) - compsize2 = 0; + return BadLength; compsize = __GLX_PAD(compsize); compsize2 = __GLX_PAD(compsize2); @@ -358,7 +358,7 @@ GetConvolutionFilter(__GLXclientState * */ compsize = __glGetTexImage_size(target, 1, format, type, width, height, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); 
@@ -437,7 +437,7 @@ GetHistogram(__GLXclientState * cl, GLby */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -505,7 +505,7 @@ GetMinmax(__GLXclientState * cl, GLbyte compsize = __glGetTexImage_size(target, 1, format, type, 2, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); @@ -577,7 +577,7 @@ GetColorTable(__GLXclientState * cl, GLb */ compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); if (compsize < 0) - compsize = 0; + return BadLength; CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); __GLX_GET_ANSWER_BUFFER(answer, cl, compsize, 1); ++++++ U_glx_Fix_image_size_computation_for_EXT_texture_integer.patch ++++++ Subject: glx: Fix image size computation for EXT_texture_integer References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Without this we'd reject the request with BadLength. Note that some old versions of Mesa had a bug in the same place, and would _send_ zero bytes of image data; these will now be rejected, correctly. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/rensize.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/glx/rensize.c b/glx/rensize.c index ba22d10..9ff73c7 100644 --- a/glx/rensize.c +++ b/glx/rensize.c 
@@ -224,6 +224,11 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, case GL_ALPHA: case GL_LUMINANCE: case GL_INTENSITY: + case GL_RED_INTEGER_EXT: + case GL_GREEN_INTEGER_EXT: + case GL_BLUE_INTEGER_EXT: + case GL_ALPHA_INTEGER_EXT: + case GL_LUMINANCE_INTEGER_EXT: elementsPerGroup = 1; break; case GL_422_EXT: @@ -234,14 +239,19 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, case GL_DEPTH_STENCIL_MESA: case GL_YCBCR_MESA: case GL_LUMINANCE_ALPHA: + case GL_LUMINANCE_ALPHA_INTEGER_EXT: elementsPerGroup = 2; break; case GL_RGB: case GL_BGR: + case GL_RGB_INTEGER_EXT: + case GL_BGR_INTEGER_EXT: elementsPerGroup = 3; break; case GL_RGBA: case GL_BGRA: + case GL_RGBA_INTEGER_EXT: + case GL_BGRA_INTEGER_EXT: case GL_ABGR_EXT: elementsPerGroup = 4; break; -- 1.7.9.2 ++++++ U_glx_Fix_mask_truncation_in___glXGetAnswerBuffer.patch ++++++ Subject: glx: Fix mask truncation in __glXGetAnswerBuffer References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> On a system where sizeof(unsigned) != sizeof(intptr_t), the unary bitwise not operation will result in a mask that clears all high bits from temp_buf in the expression: temp_buf = (temp_buf + mask) & ~mask; Signed-off-by: Robert Morell <rmorell@nvidia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/indirect_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/glx/indirect_util.c b/glx/indirect_util.c index de81491..9ba2815 100644 --- a/glx/indirect_util.c +++ b/glx/indirect_util.c 
@@ -73,7 +73,7 @@ __glXGetAnswerBuffer(__GLXclientState * cl, size_t required_size, void *local_buffer, size_t local_size, unsigned alignment) { void *buffer = local_buffer; - const unsigned mask = alignment - 1; + const intptr_t mask = alignment - 1; if (local_size < required_size) { size_t worst_case_size; -- 1.7.9.2 ++++++ U_glx_Integer_overflow_protection_for_non_generated_render_requests.patch ++++++ Subject: glx: Integer overflow protection for non-generated render requests (v3) References: bnc#907268, CVE-2014-8093 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/rensize.c | 77 ++++++++++++++++++++++++++++++--------------------------- 1 file changed, 41 insertions(+), 36 deletions(-) diff --git a/glx/rensize.c b/glx/rensize.c index 9ff73c7..d46334a 100644 --- a/glx/rensize.c +++ b/glx/rensize.c @@ -43,19 +43,11 @@ (((a & 0xff000000U)>>24) | ((a & 0xff0000U)>>8) | \ ((a & 0xff00U)<<8) | ((a & 0xffU)<<24)) -static int -Map1Size(GLint k, GLint order) -{ - if (order <= 0 || k < 0) - return -1; - return k * order; -} - int __glXMap1dReqSize(const GLbyte * pc, Bool swap) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum *) (pc + 16); order = *(GLint *) (pc + 20); 
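Review bot: The new `mask` in `__glXGetAnswerBuffer` still silently assumes that `alignment` is a non-zero power of two, and nothing in this hunk states or checks that. The subtraction `alignment - 1` is also still evaluated as `unsigned` before being widened to `intptr_t`; that is fine for valid alignments but easy to "simplify" back to the old type. I would add a comment above the declaration, for example `/* alignment must be a non-zero power of two; mask is intptr_t so ~mask keeps the high pointer bits */`. The function body continues past the end of the hunk, so any validation further down is not visible here.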
@@ -63,15 +55,16 @@ __glXMap1dReqSize(const GLbyte * pc, Bool swap) target = SWAPL(target); order = SWAPL(order); } - k = __glMap1d_size(target); - return 8 * Map1Size(k, order); + if (order < 1) + return -1; + return safe_mul(8, safe_mul(__glMap1d_size(target), order)); } int __glXMap1fReqSize(const GLbyte * pc, Bool swap) { GLenum target; - GLint order, k; + GLint order; target = *(GLenum *) (pc + 0); order = *(GLint *) (pc + 12); @@ -79,23 +72,24 @@ __glXMap1fReqSize(const GLbyte * pc, Bool swap) target = SWAPL(target); order = SWAPL(order); } - k = __glMap1f_size(target); - return 4 * Map1Size(k, order); + if (order < 1) + return -1; + return safe_mul(4, safe_mul(__glMap1f_size(target), order)); } static int Map2Size(int k, int majorOrder, int minorOrder) { - if (majorOrder <= 0 || minorOrder <= 0 || k < 0) + if (majorOrder < 1 || minorOrder < 1) return -1; - return k * majorOrder * minorOrder; + return safe_mul(k, safe_mul(majorOrder, minorOrder)); } int __glXMap2dReqSize(const GLbyte * pc, Bool swap) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *) (pc + 32); uorder = *(GLint *) (pc + 36); @@ -105,15 +99,14 @@ __glXMap2dReqSize(const GLbyte * pc, Bool swap) uorder = SWAPL(uorder); vorder = SWAPL(vorder); } - k = __glMap2d_size(target); - return 8 * Map2Size(k, uorder, vorder); + return safe_mul(8, Map2Size(__glMap2d_size(target), uorder, vorder)); } int __glXMap2fReqSize(const GLbyte * pc, Bool swap) { GLenum target; - GLint uorder, vorder, k; + GLint uorder, vorder; target = *(GLenum *) (pc + 0); uorder = *(GLint *) (pc + 12); @@ -123,8 +116,7 @@ __glXMap2fReqSize(const GLbyte * pc, Bool swap) uorder = SWAPL(uorder); vorder = SWAPL(vorder); } - k = __glMap2f_size(target); - return 4 * Map2Size(k, uorder, vorder); + return safe_mul(4, Map2Size(__glMap2f_size(target), uorder, vorder)); } /** 
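Review bot: `Map2Size` no longer tests `k < 0` itself, so a negative component count from `__glMap2d_size` or `__glMap2f_size` is now rejected only if `safe_mul` refuses negative operands. That helper comes from another patch in this series and is not visible here, so the dependency deserves a comment above the return, for example `/* k < 0 is rejected by safe_mul */`. The same applies to `__glXMap1dReqSize` and `__glXMap1fReqSize`, where the removed `Map1Size` used to carry the `k < 0` test.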
@@ -175,14 +167,16 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, GLint bytesPerElement, elementsPerGroup, groupsPerRow; GLint groupSize, rowSize, padding, imageSize; + if (w == 0 || h == 0 || d == 0) + return 0; + if (w < 0 || h < 0 || d < 0 || (type == GL_BITMAP && (format != GL_COLOR_INDEX && format != GL_STENCIL_INDEX))) { return -1; } - if (w == 0 || h == 0 || d == 0) - return 0; + /* proxy targets have no data */ switch (target) { case GL_PROXY_TEXTURE_1D: case GL_PROXY_TEXTURE_2D: @@ -199,6 +193,12 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, return 0; } + /* real data has to have real sizes */ + if (imageHeight < 0 || rowLength < 0 || skipImages < 0 || skipRows < 0) + return -1; + if (alignment != 1 && alignment != 2 && alignment != 4 && alignment != 8) + return -1; + if (type == GL_BITMAP) { if (rowLength > 0) { groupsPerRow = rowLength; @@ -207,11 +207,14 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, groupsPerRow = w; } rowSize = bits_to_bytes(groupsPerRow); + if (rowSize < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - return ((h + skipRows) * rowSize); + + return safe_mul(safe_add(h, skipRows), rowSize); } else { switch (format) { @@ -303,6 +306,7 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, default: return -1; } + /* known safe by the switches above, not checked */ groupSize = bytesPerElement * elementsPerGroup; if (rowLength > 0) { groupsPerRow = rowLength; 
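Review bot: Moving `if (w == 0 || h == 0 || d == 0) return 0;` above the sign check in `__glXImageSize` means a request with one zero dimension and another negative one now yields size 0 instead of -1. The same holds for `GL_BITMAP` with a format other than `GL_COLOR_INDEX` or `GL_STENCIL_INDEX` whenever any dimension is zero. No image bytes are consumed in that case, so the length check itself looks unaffected, but the callers are not visible here and presumably still pass the negative value on to the GL call. If this is intended, a one-line comment saying so would help; otherwise keep the `< 0` test first.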
@@ -310,18 +314,21 @@ __glXImageSize(GLenum format, GLenum type, GLenum target, else { groupsPerRow = w; } - rowSize = groupsPerRow * groupSize; + + if ((rowSize = safe_mul(groupsPerRow, groupSize)) < 0) + return -1; padding = (rowSize % alignment); if (padding) { rowSize += alignment - padding; } - if (imageHeight > 0) { - imageSize = (imageHeight + skipRows) * rowSize; - } - else { - imageSize = (h + skipRows) * rowSize; - } - return ((d + skipImages) * imageSize); + + if (imageHeight > 0) + h = imageHeight; + h = safe_add(h, skipRows); + + imageSize = safe_mul(h, rowSize); + + return safe_mul(safe_add(d, skipImages), imageSize); } } @@ -445,9 +452,7 @@ __glXSeparableFilter2DReqSize(const GLbyte * pc, Bool swap) /* XXX Should rowLength be used for either or both image? */ image1size = __glXImageSize(format, type, 0, w, 1, 1, 0, rowLength, 0, 0, alignment); - image1size = __GLX_PAD(image1size); image2size = __glXImageSize(format, type, 0, h, 1, 1, 0, rowLength, 0, 0, alignment); - return image1size + image2size; - + return safe_add(safe_pad(image1size), image2size); } -- 1.7.9.2 ++++++ U_glx_Length_checking_for_GLXRender_requests.patch ++++++ Subject: glx: Length checking for GLXRender requests (v2) References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/glxcmds.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 0521b58..4c2e616 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c 
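Review bot: In the non-bitmap branch of `__glXImageSize`, `rowSize` is now overflow-checked through `safe_mul`, but the padding step right after it, `rowSize += alignment - padding;`, is still a plain signed addition. With `rowSize` close to `INT_MAX` that addition overflows, which is undefined behaviour in C even if the following `safe_mul(h, rowSize)` would in practice reject a wrapped negative value. I would route it through the same helper: `if ((rowSize = safe_add(rowSize, alignment - padding)) < 0) return -1;`. The function starts well above this hunk.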
@@ -2023,7 +2023,7 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) left = (req->length << 2) - sz_xGLXRenderReq; while (left > 0) { __GLXrenderSizeData entry; - int extra; + int extra = 0; __GLXdispatchRenderProcPtr proc; int err; @@ -2042,6 +2042,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) cmdlen = hdr->length; opcode = hdr->opcode; + if (left < cmdlen) + return BadLength; + /* ** Check for core opcodes and grab entry data. */ @@ -2055,6 +2058,10 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) return __glXError(GLXBadRenderRequest); } + if (cmdlen < entry.bytes) { + return BadLength; + } + if (entry.varsize) { /* variable size command */ extra = (*entry.varsize) (pc + __GLX_RENDER_HDR_SIZE, @@ -2062,17 +2069,9 @@ __glXDisp_Render(__GLXclientState * cl, GLbyte * pc) if (extra < 0) { return BadLength; } - if (cmdlen != __GLX_PAD(entry.bytes + extra)) { - return BadLength; - } } - else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry.bytes)) { - return BadLength; - } - } - if (left < cmdlen) { + + if (cmdlen != safe_pad(safe_add(entry.bytes, extra))) { return BadLength; } -- 1.7.9.2 ++++++ U_glx_Length_checking_for_RenderLarge_requests.patch ++++++ Subject: glx: Length checking for RenderLarge requests (v2) References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/glxcmds.c | 57 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 23 deletions(-) 
diff --git a/glx/glxcmds.c b/glx/glxcmds.c index 4c2e616..0e7efcc 100644 --- a/glx/glxcmds.c +++ b/glx/glxcmds.c @@ -2107,6 +2107,8 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXRenderLargeReq); + req = (xGLXRenderLargeReq *) pc; if (client->swapped) { __GLX_SWAP_SHORT(&req->length); @@ -2122,12 +2124,14 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) __glXResetLargeCommandStatus(cl); return error; } + if (safe_pad(req->dataBytes) < 0) + return BadLength; dataBytes = req->dataBytes; /* ** Check the request length. */ - if ((req->length << 2) != __GLX_PAD(dataBytes) + sz_xGLXRenderLargeReq) { + if ((req->length << 2) != safe_pad(dataBytes) + sz_xGLXRenderLargeReq) { client->errorValue = req->length; /* Reset in case this isn't 1st request. */ __glXResetLargeCommandStatus(cl); @@ -2137,7 +2141,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) if (cl->largeCmdRequestsSoFar == 0) { __GLXrenderSizeData entry; - int extra; + int extra = 0; size_t cmdlen; int err; @@ -2150,13 +2154,17 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) return __glXError(GLXBadLargeRequest); } + if (dataBytes < __GLX_RENDER_LARGE_HDR_SIZE) + return BadLength; + hdr = (__GLXrenderLargeHeader *) pc; if (client->swapped) { __GLX_SWAP_INT(&hdr->length); __GLX_SWAP_INT(&hdr->opcode); } - cmdlen = hdr->length; opcode = hdr->opcode; + if ((cmdlen = safe_pad(hdr->length)) < 0) + return BadLength; /* ** Check for core opcodes and grab entry data. 
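Review bot: In `__glXDisp_RenderLarge` the new guard `if ((cmdlen = safe_pad(hdr->length)) < 0)` can never fire, because the preceding hunk's context declares `size_t cmdlen;` and an unsigned value is never less than zero. Assuming `safe_pad` signals failure with a negative return, as the other call sites here expect, a failure is stored as a very large `cmdlen` and parsing continues instead of stopping with `BadLength`. Test the result while it is still an `int`: `int padded = safe_pad(hdr->length);`, `if (padded < 0) return BadLength;`, `cmdlen = padded;` — or declare `cmdlen` as `int`. Separately, the new `if (safe_pad(req->dataBytes) < 0) return BadLength;` returns without calling `__glXResetLargeCommandStatus(cl)`, unlike the error paths directly around it.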
@@ -2178,17 +2186,13 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) if (extra < 0) { return BadLength; } - /* large command's header is 4 bytes longer, so add 4 */ - if (cmdlen != __GLX_PAD(entry.bytes + 4 + extra)) { - return BadLength; - } } - else { - /* constant size command */ - if (cmdlen != __GLX_PAD(entry.bytes + 4)) { - return BadLength; - } + + /* the +4 is safe because we know entry.bytes is small */ + if (cmdlen != safe_pad(safe_add(entry.bytes + 4, extra))) { + return BadLength; } + /* ** Make enough space in the buffer, then copy the entire request. */ @@ -2215,6 +2219,7 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) ** We are receiving subsequent (i.e. not the first) requests of a ** multi request command. */ + int bytesSoFar; /* including this packet */ /* ** Check the request number and the total request count. @@ -2233,11 +2238,18 @@ __glXDisp_RenderLarge(__GLXclientState * cl, GLbyte * pc) /* ** Check that we didn't get too much data. */ - if ((cl->largeCmdBytesSoFar + dataBytes) > cl->largeCmdBytesTotal) { + if ((bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes)) < 0) { + client->errorValue = dataBytes; + __glXResetLargeCommandStatus(cl); + return __glXError(GLXBadLargeRequest); + } + + if (bytesSoFar > cl->largeCmdBytesTotal) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXError(GLXBadLargeRequest); } + memcpy(cl->largeCmdBuf + cl->largeCmdBytesSoFar, pc, dataBytes); cl->largeCmdBytesSoFar += dataBytes; cl->largeCmdRequestsSoFar++; 
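Review bot: The overflow branch and the too-much-data branch in the continuation path of `__glXDisp_RenderLarge` now have identical bodies, so one condition would read better than two copies: `bytesSoFar = safe_add(cl->largeCmdBytesSoFar, dataBytes);` followed by `if (bytesSoFar < 0 || bytesSoFar > cl->largeCmdBytesTotal) {`. That keeps the reset-and-error sequence in one place, so a later change cannot miss one of the branches. The update below could also become `cl->largeCmdBytesSoFar = bytesSoFar;`, which makes the checked value and the stored value visibly the same.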
@@ -2241,17 +2253,16 @@ __glXDisp_RenderLarge(__GLXclientState * ** This is the last request; it must have enough bytes to complete ** the command. */ - /* NOTE: the two pad macros have been added below; they are needed - ** because the client library pads the total byte count, but not - ** the per-request byte counts. The Protocol Encoding says the - ** total byte count should not be padded, so a proposal will be - ** made to the ARB to relax the padding constraint on the total - ** byte count, thus preserving backward compatibility. Meanwhile, - ** the padding done below fixes a bug that did not allow - ** large commands of odd sizes to be accepted by the server. + /* NOTE: the pad macro below is needed because the client library + ** pads the total byte count, but not the per-request byte counts. + ** The Protocol Encoding says the total byte count should not be + ** padded, so a proposal will be made to the ARB to relax the + ** padding constraint on the total byte count, thus preserving + ** backward compatibility. Meanwhile, the padding done below + ** fixes a bug that did not allow large commands of odd sizes to + ** be accepted by the server. */ - if (__GLX_PAD(cl->largeCmdBytesSoFar) != - __GLX_PAD(cl->largeCmdBytesTotal)) { + if (safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal) { client->errorValue = dataBytes; __glXResetLargeCommandStatus(cl); return __glXError(GLXBadLargeRequest); ++++++ U_glx_Length_checking_for_non_generated_single_request.patch ++++++ Subject: glx: Length checking for non-generated single requests (v2) References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> 
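Review bot: The final-request check now pads only one side, `safe_pad(cl->largeCmdBytesSoFar) != cl->largeCmdBytesTotal`, which is correct only if `largeCmdBytesTotal` was stored already padded. The earlier hunk sets `cmdlen = safe_pad(hdr->length)`, and the total is presumably taken from `cmdlen` in code outside this hunk, but the rewritten NOTE does not say so. I would add a line to the comment, for example `** largeCmdBytesTotal was already padded when the first request was parsed.`, so the asymmetry is not mistaken for a bug and re-padded later.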
Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/indirect_texture_compression.c | 4 ++++ glx/single2.c | 23 +++++++++++++++---- glx/single2swap.c | 19 ++++++++++++---- glx/singlepix.c | 44 ++++++++++++++++++++++++------------ glx/singlepixswap.c | 34 ++++++++++++++++++++++++---- 5 files changed, 95 insertions(+), 29 deletions(-) Index: xorg-server-1.14.3.901/glx/indirect_texture_compression.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/indirect_texture_compression.c +++ xorg-server-1.14.3.901/glx/indirect_texture_compression.c @@ -47,6 +47,8 @@ __glXDisp_GetCompressedTexImageARB(struc __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if (cx != NULL) { const GLenum target = *(GLenum *) (pc + 0); @@ -93,6 +95,8 @@ __glXDispSwap_GetCompressedTexImageARB(s __glXForceCurrent(cl, bswap_32(req->contextTag), &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + pc += __GLX_SINGLE_HDR_SIZE; if (cx != NULL) { const GLenum target = (GLenum) bswap_32(*(int *) (pc + 0)); Index: xorg-server-1.14.3.901/glx/single2.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/single2.c +++ xorg-server-1.14.3.901/glx/single2.c @@ -49,11 +49,14 @@ int __glXDisp_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; 
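Review bot: In `__glXDisp_GetCompressedTexImageARB` and its swapped twin, the new `REQUEST_FIXED_SIZE(xGLXSingleReq, 8);` sits after the declaration that initialises `cx` with `__glXForceCurrent(cl, req->contextTag, &error)`. So `req->contextTag` is read and a context is made current before the request length has been validated. The `single2.c` handlers in the same patch do it the other way round, with the size check ahead of `__glXForceCurrent`. I would drop the initialiser (and the `const`) from `cx`, run `REQUEST_FIXED_SIZE` first, and assign `cx = __glXForceCurrent(cl, req->contextTag, &error);` afterwards. Both function bodies continue outside the hunks.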
@@ -80,10 +83,13 @@ __glXDisp_FeedbackBuffer(__GLXclientStat int __glXDisp_SelectBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -108,7 +114,7 @@ __glXDisp_SelectBuffer(__GLXclientState int __glXDisp_RenderMode(__GLXclientState * cl, GLbyte * pc) { - ClientPtr client; + ClientPtr client = cl->client; xGLXRenderModeReply reply; __GLXcontext *cx; GLint nitems = 0, retBytes = 0, retval, newModeCheck; @@ -116,6 +122,8 @@ __glXDisp_RenderMode(__GLXclientState * GLenum newMode; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -192,7 +200,6 @@ __glXDisp_RenderMode(__GLXclientState * ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply = (xGLXRenderModeReply) { .type = X_Reply, .sequenceNumber = client->sequence, @@ -211,9 +218,12 @@ __glXDisp_RenderMode(__GLXclientState * int __glXDisp_Flush(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -227,10 +237,12 @@ __glXDisp_Flush(__GLXclientState * cl, G int __glXDisp_Finish(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; + REQUEST_SIZE_MATCH(xGLXSingleReq); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -321,7 +333,7 @@ __glXcombine_strings(const char *cext_st int DoGetString(__GLXclientState * cl, GLbyte * pc, GLboolean need_swap) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; GLenum name; const char *string; 
@@ -331,6 +343,8 @@ DoGetString(__GLXclientState * cl, GLbyt char *buf = NULL, *buf1 = NULL; GLint length = 0; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + /* If the client has the opposite byte order, swap the contextTag and * the name. */ @@ -347,7 +361,6 @@ DoGetString(__GLXclientState * cl, GLbyt pc += __GLX_SINGLE_HDR_SIZE; name = *(GLenum *) (pc + 0); string = (const char *) CALL_GetString(GET_DISPATCH(), (name)); - client = cl->client; if (string == NULL) string = ""; Index: xorg-server-1.14.3.901/glx/single2swap.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/single2swap.c +++ xorg-server-1.14.3.901/glx/single2swap.c @@ -45,6 +45,7 @@ int __glXDispSwap_FeedbackBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; GLsizei size; GLenum type; @@ -52,6 +53,8 @@ __glXDispSwap_FeedbackBuffer(__GLXclient __GLXcontext *cx; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 8); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -81,12 +84,15 @@ __glXDispSwap_FeedbackBuffer(__GLXclient int __glXDispSwap_SelectBuffer(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; GLsizei size; __GLX_DECLARE_SWAP_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -113,7 +119,7 @@ __glXDispSwap_SelectBuffer(__GLXclientSt int __glXDispSwap_RenderMode(__GLXclientState * cl, GLbyte * pc) { - ClientPtr client; + ClientPtr client = cl->client; __GLXcontext *cx; xGLXRenderModeReply reply; GLint nitems = 0, retBytes = 0, retval, newModeCheck; 
@@ -124,6 +130,8 @@ __glXDispSwap_RenderMode(__GLXclientStat __GLX_DECLARE_SWAP_ARRAY_VARIABLES; int error; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -204,7 +212,6 @@ __glXDispSwap_RenderMode(__GLXclientStat ** selection array, as per the API for glRenderMode itself. */ noChangeAllowed:; - client = cl->client; reply = (xGLXRenderModeReply) { .type = X_Reply, .sequenceNumber = client->sequence, @@ -228,11 +235,14 @@ __glXDispSwap_RenderMode(__GLXclientStat int __glXDispSwap_Flush(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -247,12 +257,14 @@ __glXDispSwap_Flush(__GLXclientState * c int __glXDispSwap_Finish(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; __GLXcontext *cx; - ClientPtr client; int error; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_SIZE_MATCH(xGLXSingleReq); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -264,7 +276,6 @@ __glXDispSwap_Finish(__GLXclientState * cx->hasUnflushedCommands = GL_FALSE; /* Send empty reply packet to indicate finish is finished */ - client = cl->client; __GLX_BEGIN_REPLY(0); __GLX_PUT_RETVAL(0); __GLX_SWAP_REPLY_HEADER(); Index: xorg-server-1.14.3.901/glx/singlepix.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/singlepix.c +++ xorg-server-1.14.3.901/glx/singlepix.c 
@@ -55,6 +55,8 @@ __glXDisp_ReadPixels(__GLXclientState * int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -107,6 +109,8 @@ __glXDisp_GetTexImage(__GLXclientState * char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -169,6 +173,8 @@ __glXDisp_GetPolygonStipple(__GLXclientS GLubyte answerBuffer[200]; char *answer; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { return error; @@ -231,15 +237,13 @@ GetSeparableFilter(__GLXclientState * cl compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) + if ((compsize = safe_pad(compsize)) < 0) return BadLength; - if (compsize2 < 0) + if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, swapBytes)); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), @@ -265,7 +269,8 @@ int __glXDisp_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } 
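Review bot: The payload sizes passed to `REQUEST_FIXED_SIZE` in `singlepix.c` (28, 20, 4, 16) are bare literals with no link to the offsets the handlers actually read. For `__glXDisp_ReadPixels`, the highest read shown elsewhere in this series is `*(GLboolean *) (pc + 25)`, which 28 covers, but a reader has to work that out. A short comment per call, such as `/* fields are read up to pc + 25; 28 is that rounded up to a multiple of 4 */`, would make a later added field much harder to miss. The same applies to the matching calls in `singlepixswap.c`.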
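Review bot: In `GetSeparableFilter`, `safe_add(compsize, compsize2)` is passed straight into `__GLX_GET_ANSWER_BUFFER` without its result being tested. Whether an overflowed sum is rejected therefore depends entirely on the macro, whose definition is not part of this patch. I would check locally, as is done for the two operands just above: declare `int total;`, then `if ((total = safe_add(compsize, compsize2)) < 0) return BadLength;`, and pass `total` to the macro. The same line appears in the `singlepixswap.c` copy of `GetSeparableFilter`.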
@@ -273,7 +278,8 @@ int __glXDisp_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -343,7 +349,8 @@ int __glXDisp_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -351,7 +358,8 @@ int __glXDisp_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -411,7 +419,8 @@ int __glXDisp_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -419,7 +428,8 @@ int __glXDisp_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -471,7 +481,8 @@ int __glXDisp_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } 
@@ -479,7 +490,8 @@ int __glXDisp_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -540,7 +552,8 @@ int __glXDisp_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -548,6 +561,7 @@ int __glXDisp_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); - + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } Index: xorg-server-1.14.3.901/glx/singlepixswap.c =================================================================== --- xorg-server-1.14.3.901.orig/glx/singlepixswap.c +++ xorg-server-1.14.3.901/glx/singlepixswap.c @@ -57,6 +57,8 @@ __glXDispSwap_ReadPixels(__GLXclientStat int error; char *answer, answerBuffer[200]; + REQUEST_FIXED_SIZE(xGLXSingleReq, 28); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -122,6 +124,8 @@ __glXDispSwap_GetTexImage(__GLXclientSta char *answer, answerBuffer[200]; GLint width = 0, height = 0, depth = 1; + REQUEST_FIXED_SIZE(xGLXSingleReq, 20); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { @@ -197,6 +201,8 @@ __glXDispSwap_GetPolygonStipple(__GLXcli __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_FIXED_SIZE(xGLXSingleReq, 4); + __GLX_SWAP_INT(&((xGLXSingleReq *) pc)->contextTag); cx = __glXForceCurrent(cl, __GLX_GET_SINGLE_CONTEXT_TAG(pc), &error); if (!cx) { 
@@ -266,15 +272,13 @@ GetSeparableFilter(__GLXclientState * cl compsize = __glGetTexImage_size(target, 1, format, type, width, 1, 1); compsize2 = __glGetTexImage_size(target, 1, format, type, height, 1, 1); - if (compsize < 0) + if ((compsize = safe_pad(compsize)) < 0) return BadLength; - if (compsize2 < 0) + if ((compsize2 = safe_pad(compsize2)) < 0) return BadLength; - compsize = __GLX_PAD(compsize); - compsize2 = __GLX_PAD(compsize2); CALL_PixelStorei(GET_DISPATCH(), (GL_PACK_SWAP_BYTES, !swapBytes)); - __GLX_GET_ANSWER_BUFFER(answer, cl, compsize + compsize2, 1); + __GLX_GET_ANSWER_BUFFER(answer, cl, safe_add(compsize, compsize2), 1); __glXClearErrorOccured(); CALL_GetSeparableFilter(GET_DISPATCH(), (*(GLenum *) (pc + 0), *(GLenum *) (pc + 4), @@ -302,7 +306,9 @@ int __glXDispSwap_GetSeparableFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetSeparableFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -310,7 +316,9 @@ int __glXDispSwap_GetSeparableFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetSeparableFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -388,7 +396,9 @@ int __glXDispSwap_GetConvolutionFilter(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetConvolutionFilter(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -396,7 +406,9 @@ int __glXDispSwap_GetConvolutionFilterEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetConvolutionFilter(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } 
@@ -463,7 +475,9 @@ int __glXDispSwap_GetHistogram(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetHistogram(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -471,7 +485,9 @@ int __glXDispSwap_GetHistogramEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetHistogram(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -529,7 +545,9 @@ int __glXDispSwap_GetMinmax(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetMinmax(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -537,7 +555,9 @@ int __glXDispSwap_GetMinmaxEXT(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetMinmax(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } @@ -605,7 +625,9 @@ int __glXDispSwap_GetColorTable(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_SINGLE_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXSingleReq, 16); return GetColorTable(cl, pc + __GLX_SINGLE_HDR_SIZE, tag); } @@ -613,6 +635,8 @@ int __glXDispSwap_GetColorTableSGI(__GLXclientState * cl, GLbyte * pc) { const GLXContextTag tag = __GLX_GET_VENDPRIV_CONTEXT_TAG(pc); + ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 16); return GetColorTable(cl, pc + __GLX_VENDPRIV_HDR_SIZE, tag); } ++++++ U_glx_Length_checking_for_non_generated_vendor_private_requests.patch ++++++ Subject: glx: Length-checking for non-generated vendor private requests References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream 
Signed-off-by: Michal Srb <msrb@suse.com> Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/indirect_program.c | 2 ++ glx/swap_interval.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/glx/indirect_program.c b/glx/indirect_program.c index cda139e..5caee7b 100644 --- a/glx/indirect_program.c +++ b/glx/indirect_program.c @@ -56,6 +56,8 @@ DoGetProgramString(struct __GLXclientStateRec *cl, GLbyte * pc, __GLXcontext *const cx = __glXForceCurrent(cl, req->contextTag, &error); ClientPtr client = cl->client; + REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8); + pc += __GLX_VENDPRIV_HDR_SIZE; if (cx != NULL) { GLenum target; diff --git a/glx/swap_interval.c b/glx/swap_interval.c index 17bc992..2320550 100644 --- a/glx/swap_interval.c +++ b/glx/swap_interval.c @@ -46,6 +46,8 @@ DoSwapInterval(__GLXclientState * cl, GLbyte * pc, int do_swap) __GLXcontext *cx; GLint interval; + REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 4); + cx = __glXLookupContextByTag(cl, tag); if ((cx == NULL) || (cx->pGlxScreen == NULL)) { -- 1.7.9.2 ++++++ U_glx_Pass_remaining_request_length_into_varsize.patch ++++++ ++++ 930 lines (skipped) ++++++ U_glx_Request_length_checks_for_SetClientInfoARB.patch ++++++ Subject: glx: Request length checks for SetClientInfoARB References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/clientinfo.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) 
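Review bot: In `DoGetProgramString` the new `REQUEST_FIXED_SIZE(xGLXVendorPrivateWithReplyReq, 8);` runs only after the declaration above it has already called `__glXForceCurrent(cl, req->contextTag, &error)`. A request with the wrong length is therefore rejected after the context tag has been used, not before. The length check reads better as the first statement that acts on the request: declare `cx` without an initialiser (dropping the `const` on the pointer), do the check, then assign `cx = __glXForceCurrent(cl, req->contextTag, &error);`. `DoSwapInterval` in glx/swap_interval.c already has this order, with the check placed before `__glXLookupContextByTag`. Both function bodies start and end outside their hunks.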
diff --git a/glx/clientinfo.c b/glx/clientinfo.c index 4aaa4c9..c5fef30 100644 --- a/glx/clientinfo.c +++ b/glx/clientinfo.c @@ -33,18 +33,21 @@ static int set_client_info(__GLXclientState * cl, xGLXSetClientInfoARBReq * req, unsigned bytes_per_version) { + ClientPtr client = cl->client; char *gl_extensions; char *glx_extensions; + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); + /* Verify that the size of the packet matches the size inferred from the * sizes specified for the various fields. */ - const unsigned expected_size = sz_xGLXSetClientInfoARBReq - + (req->numVersions * bytes_per_version) - + __GLX_PAD(req->numGLExtensionBytes) - + __GLX_PAD(req->numGLXExtensionBytes); + int size = sz_xGLXSetClientInfoARBReq; + size = safe_add(size, safe_mul(req->numVersions, bytes_per_version)); + size = safe_add(size, safe_pad(req->numGLExtensionBytes)); + size = safe_add(size, safe_pad(req->numGLXExtensionBytes)); - if (req->length != (expected_size / 4)) + if (size < 0 || req->length != (size / 4)) return BadLength; /* Verify that the actual length of the GL extension string matches what's @@ -80,8 +83,11 @@ __glXDisp_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_SetClientInfoARB(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); + req->length = bswap_16(req->length); req->numVersions = bswap_32(req->numVersions); req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes); 
@@ -99,8 +105,11 @@ __glXDisp_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_SetClientInfo2ARB(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXSetClientInfoARBReq *req = (xGLXSetClientInfoARBReq *) pc; + REQUEST_AT_LEAST_SIZE(xGLXSetClientInfoARBReq); + req->length = bswap_16(req->length); req->numVersions = bswap_32(req->numVersions); req->numGLExtensionBytes = bswap_32(req->numGLExtensionBytes); -- 1.7.9.2 ++++++ U_glx_Top_level_length_checking_for_swapped_VendorPrivate_requests.patch ++++++ Subject: glx: Top-level length checking for swapped VendorPrivate requests References: bnc#907268, CVE-2014-8098 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- glx/glxcmdsswap.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c index 5d179f3..9ec1222 100644 --- a/glx/glxcmdsswap.c +++ b/glx/glxcmdsswap.c @@ -958,11 +958,13 @@ __glXDispSwap_RenderLarge(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXVendorPrivateReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateReq); req = (xGLXVendorPrivateReq *) pc; __GLX_SWAP_SHORT(&req->length); 
@@ -985,11 +987,13 @@ __glXDispSwap_VendorPrivate(__GLXclientState * cl, GLbyte * pc) int __glXDispSwap_VendorPrivateWithReply(__GLXclientState * cl, GLbyte * pc) { + ClientPtr client = cl->client; xGLXVendorPrivateWithReplyReq *req; GLint vendorcode; __GLXdispatchVendorPrivProcPtr proc; __GLX_DECLARE_SWAP_VARIABLES; + REQUEST_AT_LEAST_SIZE(xGLXVendorPrivateWithReplyReq); req = (xGLXVendorPrivateWithReplyReq *) pc; __GLX_SWAP_SHORT(&req->length); -- 1.7.9.2 ++++++ U_kdrive_extend_screen_option_syntax.patch ++++++
From 376f4de8ae927748417046390c24afbda24b0583 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?La=C3=A9rcio=20de=20Sousa?= <laerciosousa@sme-mogidascruzes.sp.gov.br> Date: Mon, 18 Aug 2014 08:45:41 -0300 Subject: kdrive: add support to +X+Y syntax in -screen option parsing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
This patch enhances current -screen option parsing for kdrive-based applications. It can parse strings like <WIDTH>x<HEIGHT>+<XOFFSET>+<YOFFSET>, storing X and Y offsets in KdScreenInfo instances. For negative values, this patch supports +-X+-Y (not -X-Y) syntax. It will allow e.g. proper Xephyr window placement for multiseat purposes. Signed-off-by: Laércio de Sousa <laerciosousa@sme-mogidascruzes.sp.gov.br> Reviewed-by: Keith Packard <keithp@keithp.com> Signed-off-by: Keith Packard <keithp@keithp.com> diff --git a/hw/kdrive/src/kdrive.c b/hw/kdrive/src/kdrive.c index b5b91c0..5dbff3f 100644 --- a/hw/kdrive/src/kdrive.c +++ b/hw/kdrive/src/kdrive.c @@ -300,6 +300,8 @@ KdParseScreen(KdScreenInfo * screen, const char *arg) screen->softCursor = kdSoftCursor; screen->origin = kdOrigin; screen->randr = RR_Rotate_0; + screen->x = 0; + screen->y = 0; screen->width = 0; screen->height = 0; screen->width_mm = 0; @@ -313,7 +315,7 @@ KdParseScreen(KdScreenInfo * screen, const char *arg) return; for (i = 0; i < 2; i++) { - arg = KdParseFindNext(arg, "x/@XY", save, &delim); + arg = KdParseFindNext(arg, "x/+@XY", save, &delim); if (!save[0]) return; @@ -321,7 +323,7 @@ KdParseScreen(KdScreenInfo * screen, const char *arg) mm = 0; if (delim == '/') { - arg = KdParseFindNext(arg, "x@XY", save, &delim); + arg = KdParseFindNext(arg, "x+@XY", save, &delim); if (!save[0]) return; mm = atoi(save); @@ -335,7 +337,8 @@ KdParseScreen(KdScreenInfo * screen, const char *arg) screen->height = pixels; screen->height_mm = mm; } - if (delim != 'x' && delim != '@' && delim != 'X' && delim != 'Y' && + if (delim != 'x' && delim != '+' && delim != '@' && + delim != 'X' && delim != 'Y' && (delim != '\0' || i == 0)) return; } 
@@ -346,6 +349,18 @@ KdParseScreen(KdScreenInfo * screen, const char *arg) kdSoftCursor = FALSE; kdSubpixelOrder = SubPixelUnknown; + if (delim == '+') { + arg = KdParseFindNext(arg, "+@xXY", save, &delim); + if (save[0]) + screen->x = atoi(save); + } + + if (delim == '+') { + arg = KdParseFindNext(arg, "@xXY", save, &delim); + if (save[0]) + screen->y = atoi(save); + } + if (delim == '@') { arg = KdParseFindNext(arg, "xXY", save, &delim); if (save[0]) { @@ -425,7 +440,7 @@ KdUseMsg(void) { ErrorF("\nTinyX Device Dependent Usage:\n"); ErrorF - ("-screen WIDTH[/WIDTHMM]xHEIGHT[/HEIGHTMM][@ROTATION][X][Y][xDEPTH/BPP[xFREQ]] Specify screen characteristics\n"); + ("-screen WIDTH[/WIDTHMM]xHEIGHT[/HEIGHTMM][+[-]XOFFSET][+[-]YOFFSET][@ROTATION][X][Y][xDEPTH/BPP[xFREQ]] Specify screen characteristics\n"); ErrorF ("-rgba rgb/bgr/vrgb/vbgr/none Specify subpixel ordering for LCD panels\n"); ErrorF diff --git a/hw/kdrive/src/kdrive.h b/hw/kdrive/src/kdrive.h index 08b1681..066a134 100644 --- a/hw/kdrive/src/kdrive.h +++ b/hw/kdrive/src/kdrive.h @@ -89,6 +89,8 @@ typedef struct _KdScreenInfo { ScreenPtr pScreen; void *driver; Rotation randr; /* rotation and reflection */ + int x; + int y; int width; int height; int rate; -- cgit v0.10.2 ++++++ U_randr_dont_directly_set_changed_bits_in_randr_screen.patch ++++++
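Review bot: The new `int x;` and `int y;` fields of `KdScreenInfo` in hw/kdrive/src/kdrive.h have no comment, while the field just above them has one (`/* rotation and reflection */`). The names alone do not say what they are offsets of. From the struct, a reader cannot tell that they come from the `+XOFFSET+YOFFSET` part of `-screen` and are reset to 0 in `KdParseScreen`. I would annotate them, e.g. `int x; /* X offset from -screen ...+X+Y, 0 if not given */`, and the same for `y`. The struct continues outside the hunk.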
From f9c8248b8326ad01f33f31531c6b2479baf80f02 Mon Sep 17 00:00:00 2001 From: Dave Airlie <airlied@redhat.com> Date: Wed, 9 Jan 2013 14:23:57 +1000 Subject: [PATCH] randr: don't directly set changed bits in randr screen
Introduce a wrapper interface so we can fix things up for multi-gpu situations later. This just introduces the API for now. Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Dave Airlie <airlied@redhat.com> diff --git a/randr/randr.c b/randr/randr.c index f0decfc..11f88b2 100644 --- a/randr/randr.c +++ b/randr/randr.c @@ -464,6 +464,14 @@ TellChanged(WindowPtr pWin, pointer value) return WT_WALKCHILDREN; } +void +RRSetChanged(ScreenPtr pScreen) +{ + rrScrPriv(pScreen); + + pScrPriv->changed = TRUE; +} + /* * Something changed; send events and adjust pointer position */ diff --git a/randr/randrstr.h b/randr/randrstr.h index 2517479..2babfed 100644 --- a/randr/randrstr.h +++ b/randr/randrstr.h @@ -486,6 +486,10 @@ extern _X_EXPORT void RRDeliverScreenEvent(ClientPtr client, WindowPtr pWin, ScreenPtr pScreen); /* randr.c */ +/* set a screen change on the primary screen */ +extern _X_EXPORT void +RRSetChanged(ScreenPtr pScreen); + /* * Send all pending events */ diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c index 721b05a..2f76b62 100644 --- a/randr/rrcrtc.c +++ b/randr/rrcrtc.c @@ -39,7 +39,7 @@ RRCrtcChanged(RRCrtcPtr crtc, Bool layoutChanged) if (pScreen) { rrScrPriv(pScreen); - pScrPriv->changed = TRUE; + RRSetChanged(pScreen); /* * Send ConfigureNotify on any layout change */ diff --git a/randr/rrinfo.c b/randr/rrinfo.c index 1408d6f..fc57bd4 100644 --- a/randr/rrinfo.c +++ b/randr/rrinfo.c @@ -225,7 +225,7 @@ RRScreenSetSizeRange(ScreenPtr pScreen, pScrPriv->minHeight = minHeight; pScrPriv->maxWidth = maxWidth; pScrPriv->maxHeight = maxHeight; - pScrPriv->changed = TRUE; + RRSetChanged(pScreen); pScrPriv->configChanged = TRUE; } diff --git a/randr/rroutput.c b/randr/rroutput.c index 88781ba..922d61f 100644 --- a/randr/rroutput.c +++ b/randr/rroutput.c 
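Review bot: The comment added above the `RRSetChanged` prototype in randr/randrstr.h, `/* set a screen change on the primary screen */`, does not match the body added in randr/randr.c. That body sets `pScrPriv->changed = TRUE` on whichever `pScreen` is passed in. The description says the multi-GPU handling comes later, so the comment describes behaviour this commit does not have yet. I would word it for what the function does now, e.g. `/* Mark pScreen's RandR state as changed; use this instead of writing pScrPriv->changed directly */`, and revise it when the primary-screen redirection is added.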
@@ -36,7 +36,7 @@ RROutputChanged(RROutputPtr output, Bool configChanged) output->changed = TRUE; if (pScreen) { rrScrPriv(pScreen); - pScrPriv->changed = TRUE; + RRSetChanged(pScreen); if (configChanged) pScrPriv->configChanged = TRUE; } diff --git a/randr/rrscreen.c b/randr/rrscreen.c index 39340cc..36179ae 100644 --- a/randr/rrscreen.c +++ b/randr/rrscreen.c @@ -143,7 +143,7 @@ RRScreenSizeNotify(ScreenPtr pScreen) pScrPriv->height = pScreen->height; pScrPriv->mmWidth = pScreen->mmWidth; pScrPriv->mmHeight = pScreen->mmHeight; - pScrPriv->changed = TRUE; + RRSetChanged(pScreen); /* pScrPriv->sizeChanged = TRUE; */ RRTellChanged(pScreen); ++++++ U_randr_report_changes_when_we_disconnect_a_GPU_slave.patch ++++++
From 9d26e8eaf5a2d7c3e65670ac20254c60f665c463 Mon Sep 17 00:00:00 2001 From: Dave Airlie <airlied@redhat.com> Date: Wed, 9 Jan 2013 14:26:35 +1000 Subject: [PATCH] randr: report changes when we disconnect a GPU slave
When we disconnect an output/offload slave set the changed bits, so a later TellChanged can do something. Then when we remove a GPU slave device, sent change notification to the protocol screen. This allows hot unplugged USB devices to disappear in clients. Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Dave Airlie <airlied@redhat.com> diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c index 9034dad..bcb65ff 100644 --- a/hw/xfree86/common/xf86platformBus.c +++ b/hw/xfree86/common/xf86platformBus.c @@ -47,6 +47,7 @@ #include "Pci.h" #include "xf86platformBus.h" +#include "randrstr.h" int platformSlotClaimed; int xf86_num_platform_devices; @@ -499,7 +500,7 @@ xf86platformRemoveDevice(int index) xf86UnclaimPlatformSlot(&xf86_platform_devices[index], NULL); xf86_remove_platform_device(index); - + RRTellChanged(xf86Screens[0]->pScreen); out: return; } diff --git a/hw/xfree86/modes/xf86RandR12.c b/hw/xfree86/modes/xf86RandR12.c index 25beee6..2817aaa 100644 --- a/hw/xfree86/modes/xf86RandR12.c +++ b/hw/xfree86/modes/xf86RandR12.c @@ -1896,10 +1896,12 @@ xf86RandR14ProviderDestroy(ScreenPtr screen, RRProviderPtr provider) if (config->randr_provider->offload_sink) { DetachOffloadGPU(screen); config->randr_provider->offload_sink = NULL; + RRSetChanged(screen); } else if (config->randr_provider->output_source) { DetachOutputGPU(screen); config->randr_provider->output_source = NULL; + RRSetChanged(screen); } else if (screen->current_master) DetachUnboundGPU(screen); ++++++ U_randr_unvalidated_lengths_in_RandR_extension_swapped_procs.patch ++++++ Subject: randr: unvalidated lengths in RandR extension swapped procs References: bnc#907268, CVE-2014-8101 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- randr/rrsdispatch.c | 4 ++++ 1 file changed, 4 insertions(+) 
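Review bot: The added `RRTellChanged(xf86Screens[0]->pScreen);` in `xf86platformRemoveDevice` relies on screen 0 existing and having RandR initialised, and the hunk checks neither. Whether either can be false on this hot-unplug path (for instance with RandR disabled by configuration) is not visible from here. If it can, the call would act on state that is not there. I would either guard the call or state the invariant in a comment, e.g. `/* screen 0 always exists and has RandR set up when platform devices are in use */`, and keep the blank line before `out:` that the new call replaced. The function body starts outside the hunk.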
diff --git a/randr/rrsdispatch.c b/randr/rrsdispatch.c index 08c3b6a..47558cf 100644 --- a/randr/rrsdispatch.c +++ b/randr/rrsdispatch.c @@ -27,6 +27,7 @@ SProcRRQueryVersion(ClientPtr client) { REQUEST(xRRQueryVersionReq); + REQUEST_SIZE_MATCH(xRRQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); swapl(&stuff->minorVersion); @@ -38,6 +39,7 @@ SProcRRGetScreenInfo(ClientPtr client) { REQUEST(xRRGetScreenInfoReq); + REQUEST_SIZE_MATCH(xRRGetScreenInfoReq); swaps(&stuff->length); swapl(&stuff->window); return (*ProcRandrVector[stuff->randrReqType]) (client); @@ -69,6 +71,7 @@ SProcRRSelectInput(ClientPtr client) { REQUEST(xRRSelectInputReq); + REQUEST_SIZE_MATCH(xRRSelectInputReq); swaps(&stuff->length); swapl(&stuff->window); swaps(&stuff->enable); @@ -152,6 +155,7 @@ SProcRRConfigureOutputProperty(ClientPtr client) { REQUEST(xRRConfigureOutputPropertyReq); + REQUEST_AT_LEAST_SIZE(xRRConfigureOutputPropertyReq); swaps(&stuff->length); swapl(&stuff->output); swapl(&stuff->property); -- 1.7.9.2 ++++++ U_render_check_request_size_before_reading_it.patch ++++++ Subject: render: check request size before reading it References: bnc#907268, CVE-2014-8100 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Otherwise we may be reading outside of the client request. Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- render/render.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/render/render.c b/render/render.c index e3031da..200e0c8 100644 --- a/render/render.c +++ b/render/render.c 
@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client) REQUEST(xRenderQueryVersionReq); + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); + pRenderClient->major_version = stuff->majorVersion; pRenderClient->minor_version = stuff->minorVersion; - REQUEST_SIZE_MATCH(xRenderQueryVersionReq); - if ((stuff->majorVersion * 1000 + stuff->minorVersion) < (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) { rep.majorVersion = stuff->majorVersion; -- 1.7.9.2 ++++++ U_render_unvalidated_lengths_in_Render_extn_swapped_procs.patch ++++++ Subject: render: unvalidated lengths in Render extn. swapped procs References: bnc#907268, CVE-2014-8100 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- render/render.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/render/render.c b/render/render.c index 200e0c8..723f380 100644 --- a/render/render.c +++ b/render/render.c @@ -1995,7 +1995,7 @@ static int SProcRenderQueryVersion(ClientPtr client) { REQUEST(xRenderQueryVersionReq); - + REQUEST_SIZE_MATCH(xRenderQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); swapl(&stuff->minorVersion); @@ -2006,6 +2006,7 @@ static int SProcRenderQueryPictFormats(ClientPtr client) { REQUEST(xRenderQueryPictFormatsReq); + REQUEST_SIZE_MATCH(xRenderQueryPictFormatsReq); swaps(&stuff->length); return (*ProcRenderVector[stuff->renderReqType]) (client); } @@ -2014,6 +2015,7 @@ static int SProcRenderQueryPictIndexValues(ClientPtr client) { REQUEST(xRenderQueryPictIndexValuesReq); + REQUEST_AT_LEAST_SIZE(xRenderQueryPictIndexValuesReq); swaps(&stuff->length); swapl(&stuff->format); return (*ProcRenderVector[stuff->renderReqType]) (client); 
@@ -2029,6 +2031,7 @@ static int SProcRenderCreatePicture(ClientPtr client) { REQUEST(xRenderCreatePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderCreatePictureReq); swaps(&stuff->length); swapl(&stuff->pid); swapl(&stuff->drawable); @@ -2042,6 +2045,7 @@ static int SProcRenderChangePicture(ClientPtr client) { REQUEST(xRenderChangePictureReq); + REQUEST_AT_LEAST_SIZE(xRenderChangePictureReq); swaps(&stuff->length); swapl(&stuff->picture); swapl(&stuff->mask); @@ -2053,6 +2057,7 @@ static int SProcRenderSetPictureClipRectangles(ClientPtr client) { REQUEST(xRenderSetPictureClipRectanglesReq); + REQUEST_AT_LEAST_SIZE(xRenderSetPictureClipRectanglesReq); swaps(&stuff->length); swapl(&stuff->picture); swaps(&stuff->xOrigin); @@ -2065,6 +2070,7 @@ static int SProcRenderFreePicture(ClientPtr client) { REQUEST(xRenderFreePictureReq); + REQUEST_SIZE_MATCH(xRenderFreePictureReq); swaps(&stuff->length); swapl(&stuff->picture); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2074,6 +2080,7 @@ static int SProcRenderComposite(ClientPtr client) { REQUEST(xRenderCompositeReq); + REQUEST_SIZE_MATCH(xRenderCompositeReq); swaps(&stuff->length); swapl(&stuff->src); swapl(&stuff->mask); @@ -2093,6 +2100,7 @@ static int SProcRenderScale(ClientPtr client) { REQUEST(xRenderScaleReq); + REQUEST_SIZE_MATCH(xRenderScaleReq); swaps(&stuff->length); swapl(&stuff->src); swapl(&stuff->dst); @@ -2193,6 +2201,7 @@ static int SProcRenderCreateGlyphSet(ClientPtr client) { REQUEST(xRenderCreateGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderCreateGlyphSetReq); swaps(&stuff->length); swapl(&stuff->gsid); swapl(&stuff->format); @@ -2203,6 +2212,7 @@ static int SProcRenderReferenceGlyphSet(ClientPtr client) { REQUEST(xRenderReferenceGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderReferenceGlyphSetReq); swaps(&stuff->length); swapl(&stuff->gsid); swapl(&stuff->existing); 
@@ -2213,6 +2223,7 @@ static int SProcRenderFreeGlyphSet(ClientPtr client) { REQUEST(xRenderFreeGlyphSetReq); + REQUEST_SIZE_MATCH(xRenderFreeGlyphSetReq); swaps(&stuff->length); swapl(&stuff->glyphset); return (*ProcRenderVector[stuff->renderReqType]) (client); @@ -2227,6 +2238,7 @@ SProcRenderAddGlyphs(ClientPtr client) xGlyphInfo *gi; REQUEST(xRenderAddGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderAddGlyphsReq); swaps(&stuff->length); swapl(&stuff->glyphset); swapl(&stuff->nglyphs); @@ -2261,6 +2273,7 @@ static int SProcRenderFreeGlyphs(ClientPtr client) { REQUEST(xRenderFreeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderFreeGlyphsReq); swaps(&stuff->length); swapl(&stuff->glyphset); SwapRestL(stuff); @@ -2278,6 +2291,7 @@ SProcRenderCompositeGlyphs(ClientPtr client) int size; REQUEST(xRenderCompositeGlyphsReq); + REQUEST_AT_LEAST_SIZE(xRenderCompositeGlyphsReq); switch (stuff->renderReqType) { default: -- 1.7.9.2 ++++++ U_revert_dri2_realloc_dri2_drawable_if-pixmap_serial_changes.patch ++++++
From 77e51d5bbb97eb5c9d9dbff9a7c44d7e53620e68 Mon Sep 17 00:00:00 2001 From: Eric Anholt <eric@anholt.net> Date: Mon, 17 Jun 2013 22:51:19 +0000 Subject: Revert "DRI2: re-allocate DRI2 drawable if pixmap serial changes"
This reverts commit 3209b094a3b1466b579e8020e12a4f3fa78a5f3f. After a long debug session by Paul Berry, it appears that this was the commit that has been producing sporadic failures in piglit front buffer rendering tests for the last several years. GetBuffers may return fresh buffers with invalid contents at a couple reasonable times: - When first asked for a non-fake-front buffer. - When the drawable size is changed, an Invalidate has been sent, and obviously the app needs to redraw the whole buffer. - After a glXSwapBuffers(), GL allows the backbuffer to be undefined, and an Invalidate was sent to tell the GL that it should grab these appropriate new buffers to avoid stalling. But with the patch being reverted, GetBuffers would also return fresh invalid buffers when the drawable serial number changed, which is approximately "whenever, for any reason". The app is not expecting invalid buffer contents "whenever", nor is it valid. Because the GL usually only GetBuffers after an Invalidate is sent, and the new buffer allocation only happened during a GetBuffers, most apps saw no problems. But apps that do (fake-)frontbuffer rendering do frequently ask the server for the front buffer (since we drop the fake front allocation when we're not doing front buffer rendering), and if the drawable serial got bumped midway through a draw, the server would pointlessly ditch the front *and* backbuffer full of important drawing, resulting in bad rendering. The patch was originally to fix bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=28365 Specifically: To reproduce, start with a large-ish display (i.e. 1680x1050 on my laptop), use the patched glxgears from bug 28252 to add the -override option. Then run glxgears -override -geometry 640x480 to create a 640x480 window in the top left corner, which will work fine. Next, run xrandr -s 640x480 and watch the fireworks. 
I've tested with an override-redirect glxgears, both with vblank sync enabled and disabled, both with gnome-shell and no window manager at all, before and after this patch. The only problem observed was that before and after the revert, sometimes when alt-tabbing to kill my gears after completing the test gnome-shell would get confused about override-redirectness of the glxgears window (according to a log message) and apparently not bother doing any further compositing. Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> Tested-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Keith Packard <keithp@keithp.com> --- diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c index 40963c3..0b047f0 100644 --- a/hw/xfree86/dri2/dri2.c +++ b/hw/xfree86/dri2/dri2.c @@ -99,7 +99,6 @@ typedef struct _DRI2Drawable { CARD64 last_swap_msc; /* msc at completion of most recent swap */ CARD64 last_swap_ust; /* ust at completion of most recent swap */ int swap_limit; /* for N-buffering */ - unsigned long serialNumber; Bool needInvalidate; int prime_id; PixmapPtr prime_slave_pixmap; @@ -189,19 +188,6 @@ DRI2GetDrawable(DrawablePtr pDraw) } } -static unsigned long -DRI2DrawableSerial(DrawablePtr pDraw) -{ - ScreenPtr pScreen = pDraw->pScreen; - PixmapPtr pPix; - - if (pDraw->type != DRAWABLE_WINDOW) - return pDraw->serialNumber; - - pPix = pScreen->GetWindowPixmap((WindowPtr) pDraw); - return pPix->drawable.serialNumber; -} - static DRI2DrawablePtr DRI2AllocateDrawable(DrawablePtr pDraw) { @@ -235,7 +221,6 @@ DRI2AllocateDrawable(DrawablePtr pDraw) pPriv->last_swap_msc = 0; pPriv->last_swap_ust = 0; xorg_list_init(&pPriv->reference_list); - pPriv->serialNumber = DRI2DrawableSerial(pDraw); pPriv->needInvalidate = FALSE; pPriv->redirectpixmap = NULL; pPriv->prime_slave_pixmap = NULL; 
@@ -493,7 +478,6 @@ allocate_or_reuse_buffer(DrawablePtr pDraw, DRI2ScreenPtr ds, || attachment == DRI2BufferFrontLeft || !dimensions_match || (pPriv->buffers[old_buf]->format != format)) { *buffer = create_buffer (pDraw, attachment, format); - pPriv->serialNumber = DRI2DrawableSerial(pDraw); return TRUE; } @@ -559,8 +543,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height, ds = DRI2GetScreen(pDraw->pScreen); dimensions_match = (pDraw->width == pPriv->width) - && (pDraw->height == pPriv->height) - && (pPriv->serialNumber == DRI2DrawableSerial(pDraw)); + && (pDraw->height == pPriv->height); buffers = calloc((count + 1), sizeof(buffers[0])); if (!buffers) -- cgit v0.9.0.2-2-gbebe ++++++ U_unchecked_malloc_may_allow_unauthed_client_to_crash_Xserver.patch ++++++ Subject: unchecked malloc may allow unauthed client to crash Xserver References: bnc#907268, CVE-2014-8091 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted. It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- os/rpcauth.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/os/rpcauth.c b/os/rpcauth.c index d60ea35..413cc61 100644 --- a/os/rpcauth.c +++ b/os/rpcauth.c 
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len) SVCXPRT xprt; temp_inmsg = malloc(len); + if (temp_inmsg == NULL) { + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ + return NULL; + } memmove(temp_inmsg, inmsg, len); memset((char *) &msg, 0, sizeof(msg)); -- 1.7.9.2 ++++++ U_xcmisc_unvalidated_length_in_SProcXCMiscGetXIDList.patch ++++++ Subject: xcmisc: unvalidated length in SProcXCMiscGetXIDList() References: bnc#907268, CVE-2014-8096 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- Xext/xcmisc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c index 034bfb6..1e91010 100644 --- a/Xext/xcmisc.c +++ b/Xext/xcmisc.c @@ -167,6 +167,7 @@ static int SProcXCMiscGetXIDList(ClientPtr client) { REQUEST(xXCMiscGetXIDListReq); + REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); swaps(&stuff->length); swapl(&stuff->count); -- 1.7.9.2 ++++++ U_xfixes_unvalidated_length_in_SProcXFixesSelectSelectionInput.patch ++++++ Subject: xfixes: unvalidated length in SProcXFixesSelectSelectionInput References: bnc#907268, CVE-2014-8102 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- xfixes/select.c | 1 + 1 file changed, 1 insertion(+) diff --git a/xfixes/select.c b/xfixes/select.c index c088ed3..e964d58 100644 --- a/xfixes/select.c +++ b/xfixes/select.c 
@@ -201,6 +201,7 @@ SProcXFixesSelectSelectionInput(ClientPtr client) { REQUEST(xXFixesSelectSelectionInputReq); + REQUEST_SIZE_MATCH(xXFixesSelectSelectionInputReq); swaps(&stuff->length); swapl(&stuff->window); swapl(&stuff->selection); -- 1.7.9.2 ++++++ U_xkb-check-strings-length-against-request-size.patch ++++++ Git-commit: cc830bd3a5b44796f1e8721f336dca4f565a8130 Author: Olivier Fourdan <ofourdan@redhat.com> Subject: xkb: Check strings length against request size References: bnc#915810, CVE-2015-0255 Signed-off-by: Michal Srb <msrb@suse.com> Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> --- xkb/xkb.c | 65 +++++++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 25 deletions(-) Index: xorg-server-1.15.2/xkb/xkb.c =================================================================== --- xorg-server-1.15.2.orig/xkb/xkb.c +++ xorg-server-1.15.2/xkb/xkb.c 
@@ -4957,26 +4957,29 @@ ProcXkbGetGeometry(ClientPtr client) /***====================================================================***/ -static char * -_GetCountedString(char **wire_inout, Bool swap) +static Status +_GetCountedString(char **wire_inout, ClientPtr client, char **str) { - char *wire, *str; - CARD16 len, *plen; + char *wire, *next; + CARD16 len; wire = *wire_inout; - plen = (CARD16 *) wire; - if (swap) { - swaps(plen); - } - len = *plen; - str = malloc(len + 1); - if (str) { - memcpy(str, &wire[2], len); - str[len] = '\0'; + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); } - wire += XkbPaddedSize(len + 2); - *wire_inout = wire; - return str; + next = wire + XkbPaddedSize(len + 2); + /* Check we're still within the size of the request */ + if (client->req_len < + bytes_to_int32(next - (char *) client->requestBuffer)) + return BadValue; + *str = malloc(len + 1); + if (!*str) + return BadAlloc; + memcpy(*str, &wire[2], len); + *(*str + len) = '\0'; + *wire_inout = next; + return Success; } static Status @@ -4986,6 +4989,7 @@ _CheckSetDoodad(char **wire_inout, char *wire; xkbDoodadWireDesc *dWire; XkbDoodadPtr doodad; + Status status; dWire = (xkbDoodadWireDesc *) (*wire_inout); wire = (char *) &dWire[1]; @@ -5033,8 +5037,14 @@ _CheckSetDoodad(char **wire_inout, doodad->text.width = dWire->text.width; doodad->text.height = dWire->text.height; doodad->text.color_ndx = dWire->text.colorNdx; - doodad->text.text = _GetCountedString(&wire, client->swapped); - doodad->text.font = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &doodad->text.text); + if (status != Success) + return status; + status = _GetCountedString(&wire, client, &doodad->text.font); + if (status != Success) { + free (doodad->text.text); + return status; + } break; case XkbIndicatorDoodad: if (dWire->indicator.onColorNdx >= geom->num_colors) { 
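Review bot: `len = *(CARD16 *) wire;` in `_GetCountedString` reads the two-byte length before anything has confirmed that those bytes lie inside the request; the new check only validates `next`, the end of the padded string. When `wire` already sits at the end of the request, the read lands outside it. A guard ahead of the read would close that gap: `if (client->req_len < bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) return BadValue;`. The new `BadValue` return also leaves `client->errorValue` unset, unlike the `_XkbErrCode2` assignment visible in `_CheckSetDoodad` later in this patch.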
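Review bot: In the `XkbTextDoodad` branch of `_CheckSetDoodad`, `free (doodad->text.text);` leaves the freed pointer stored in the doodad when the font string is rejected. If the caller releases the geometry on a non-Success return (not visible in this hunk), that pointer would be freed a second time. Adding `doodad->text.text = NULL;` right after the free makes the error path safe either way. `_CheckSetDoodad` begins and ends outside the hunk.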
@@ -5069,7 +5079,9 @@ _CheckSetDoodad(char **wire_inout, } doodad->logo.color_ndx = dWire->logo.colorNdx; doodad->logo.shape_ndx = dWire->logo.shapeNdx; - doodad->logo.logo_name = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &doodad->logo.logo_name); + if (status != Success) + return status; break; default: client->errorValue = _XkbErrCode2(0x4F, dWire->any.type); @@ -5301,18 +5313,20 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe char *wire; wire = (char *) &req[1]; - geom->label_font = _GetCountedString(&wire, client->swapped); + status = _GetCountedString(&wire, client, &geom->label_font); + if (status != Success) + return status; for (i = 0; i < req->nProperties; i++) { char *name, *val; - name = _GetCountedString(&wire, client->swapped); - if (!name) - return BadAlloc; - val = _GetCountedString(&wire, client->swapped); - if (!val) { + status = _GetCountedString(&wire, client, &name); + if (status != Success) + return status; + status = _GetCountedString(&wire, client, &val); + if (status != Success) { free(name); - return BadAlloc; + return status; } if (XkbAddGeomProperty(geom, name, val) == NULL) { free(name); @@ -5346,9 +5360,9 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSe for (i = 0; i < req->nColors; i++) { char *name; - name = _GetCountedString(&wire, client->swapped); - if (!name) - return BadAlloc; + status = _GetCountedString(&wire, client, &name); + if (status != Success) + return status; if (!XkbAddGeomColor(geom, name, geom->num_colors)) { free(name); return BadAlloc; ++++++ n_Xvnc-pthread.diff ++++++ --- xorg-server-1.10.4/hw/vnc/Makefile.am.orig 2011-09-06 15:25:27.000000000 +0000 +++ xorg-server-1.10.4/hw/vnc/Makefile.am 2011-09-06 15:26:40.000000000 +0000 @@ -37,6 +37,7 @@ JPEG_LIBS = -ljpeg CRYPT_LIBS = -lcrypt Z_LIBS = -lz +PTHREAD_LIBS = -lpthread AM_CFLAGS = $(DIX_CFLAGS) $(XVNC_CFLAGS) -I$(top_srcdir)/hw/dmx/vnc -DCHROMIUM=1 
@@ -48,7 +49,8 @@ $(CRYPT_LIBS) \ $(XSERVER_SYS_LIBS) \ $(VNCMODULES_LIBS) \ - $(Z_LIBS) + $(Z_LIBS) \ + $(PTHREAD_LIBS) relink: ++++++ n_autoconf-On-Linux-give-fbdev-driver-a-higher-precedence-than-vesa.patch ++++++ From: Egbert Eich <Egbert Eich eich@suse.de> Date: Thu Aug 8 21:43:44 2013 +0200 Subject: [PATCH]autoconf: On Linux give fbdev driver a higher precedence than vesa Patch-Mainline: never Git-commit: ccda2310eedf55215de792cdd5a793e3bf58fed1 Git-repo: References: Signed-off-by: Egbert Eich <eich@suse.com> At SUSE we want to perfer the fbdev driver over the VESA driver at autoconfiguration as it is expected that fbdev will work in allmost all situations where no native driver can be found - even under UEFI and with secure boot. Signed-off-by: Egbert Eich <Egbert Eich eich@suse.de> --- hw/xfree86/common/xf86AutoConfig.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/hw/xfree86/common/xf86AutoConfig.c b/hw/xfree86/common/xf86AutoConfig.c index 2da792e..252fe37 100644 --- a/hw/xfree86/common/xf86AutoConfig.c +++ b/hw/xfree86/common/xf86AutoConfig.c 
@@ -277,26 +277,26 @@ listPossibleVideoDrivers(char *matches[], int nmatches) if (i < (nmatches - 1)) i = xf86PciMatchDriver(matches, nmatches); #endif + +#if defined(__linux__) + matches[i++] = xnfstrdup("modesetting"); +#endif /* Fallback to platform default hardware */ if (i < (nmatches - 1)) { -#if defined(__i386__) || defined(__amd64__) || defined(__hurd__) - matches[i++] = xnfstrdup("vesa"); -#elif defined(__sparc__) && !defined(sun) +#if defined(__sparc__) && !defined(sun) matches[i++] = xnfstrdup("sunffb"); +#else + matches[i++] = xnfstrdup("fbdev"); #endif } -#if defined(__linux__) - matches[i++] = xnfstrdup("modesetting"); -#endif - #if !defined(sun) /* Fallback to platform default frame buffer driver */ if (i < (nmatches - 1)) { #if !defined(__linux__) && defined(__sparc__) matches[i++] = xnfstrdup("wsfb"); -#else - matches[i++] = xnfstrdup("fbdev"); +#elif defined(__i386__) || defined(__amd64__) || defined(__hurd__) + matches[i++] = xnfstrdup("vesa"); #endif } #endif /* !sun */ ++++++ n_xorg-x11-server-rpmmacros.patch ++++++ Index: xorg-server-1.12.1/configure.ac =================================================================== --- xorg-server-1.12.1.orig/configure.ac +++ xorg-server-1.12.1/configure.ac 
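Review bot: The relocated `matches[i++] = xnfstrdup("modesetting");` in `listPossibleVideoDrivers` is the only store in this hunk without the `if (i < (nmatches - 1))` guard that the other fallback entries use, and it now runs directly after the PCI matching, which may already have advanced `i` close to the end of the array. Guarding it the same way keeps the write inside `matches[]`: `if (i < (nmatches - 1)) matches[i++] = xnfstrdup("modesetting");`. The function starts and ends outside the hunk, so the size of `matches[]` and how the earlier matchers advance `i` should be confirmed there.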
@@ -2232,4 +2232,5 @@ test/Makefile test/xi2/Makefile xserver.ent xorg-server.pc +xorg-x11-server.macros ]) ++++++ pre_checkin.sh ++++++ #!/bin/sh # pre_checking.sh # Licensed under the same condition as the xorg-server. # This script updates the .spec file (based on .spec.in) and inject versioned ABI Symbols from the X-Server, # stored in a template file xorg-server-provides. The content of this file is verified during build, as the # same script runs then again, extracting ABI versions from the source to be built. This ensures we can't # publish a package with wrong ABI Versions being provided as part of the RPM Metadata. # Driver-, Input and extension-packages are supposed to use the provided macros to ensure correct Requires. # extract ABI Versions... this function is copied from configure.ac extract_abi() { grep ^.define.*${1}_VERSION ${xorg_src}/hw/xfree86/common/xf86Module.h | tr '(),' ' .' | awk '{ print $4$5 }' } if [ "$1" == "--tar" ]; then tmpdir=$(mktemp -d) tar xf "$2" -C ${tmpdir} xorg_src=${tmpdir}/* elif [ "$1" == "--verify" ]; then xorg_src="$2" prv_ext=".build" else echo "Wrong usage of this script" echo "$0 can be started in two ways:" echo "1: $0 --tar {xorg-server-xxxx.tar.bz2}" echo "2: $0 --verify {source-folder}" echo "Variant 1 creates the file xorg-server-provides to be included in the src rpm" echo "Variant 2 is being called during build to ensure the ABI provides match the expectations." echo "" echo "" echo "Trying to guess the right tarball" sh $0 --tar xorg-server-*.tar.bz2 echo "... 
Please verify if the result makes sense" exit 2 fi abi_ansic=`extract_abi ANSIC` abi_videodrv=`extract_abi VIDEODRV` abi_xinput=`extract_abi XINPUT` abi_extension=`extract_abi EXTENSION` A="Provides: X11_ABI_XINPUT = ${abi_xinput}\nProvides: X11_ABI_VIDEODRV = ${abi_videodrv}\nProvides: X11_ABI_ANSIC = ${abi_ansic}\nProvides: X11_ABI_EXTENSION = ${abi_extension}" echo -e $A > xorg-server-provides${prv_ext} if [ "$1" == "--tar" ]; then if [ -d ${tmpdir} ]; then rm -rf ${tmpdir} fi elif [ "$1" == "--verify" ]; then diff "$3" xorg-server-provides${prv_ext} if [ $? -gt 0 ]; then echo "The ABI verification failed... please run $0 before checking in" exit 1 fi fi ++++++ sysconfig.displaymanager.template ++++++ ## Type: string(Xorg) ## Path: Desktop/Display manager ## Default: "Xorg" # DISPLAYMANAGER_XSERVER="Xorg" ++++++ u_aarch64-support.patch ++++++ Subject: Basic support for aarch64 Author: Andreas Schwab <schwab@suse.de> Index: xorg-server-1.13.2/hw/xfree86/common/compiler.h =================================================================== --- xorg-server-1.13.2.orig/hw/xfree86/common/compiler.h +++ xorg-server-1.13.2/hw/xfree86/common/compiler.h @@ -1351,7 +1351,7 @@ stl_u(unsigned long val, unsigned int *p #else /* ix86 */ #if !defined(__SUNPRO_C) -#if !defined(FAKEIT) && !defined(__mc68000__) && !defined(__arm__) && !defined(__sh__) && !defined(__hppa__) && !defined(__s390__) && !defined(__m32r__) +#if !defined(FAKEIT) && !defined(__mc68000__) && !defined(__arm__) && !defined(__sh__) && !defined(__hppa__) && !defined(__s390__) && !defined(__m32r__) && !defined(__aarch64__) #ifdef GCCUSESGAS /* Index: xorg-server-1.13.2/hw/xfree86/os-support/linux/lnx_video.c =================================================================== --- xorg-server-1.13.2.orig/hw/xfree86/os-support/linux/lnx_video.c +++ xorg-server-1.13.2/hw/xfree86/os-support/linux/lnx_video.c 
@@ -58,7 +58,8 @@ static Bool ExtendedEnabled = FALSE; !defined(__sparc__) && \ !defined(__mips__) && \ !defined(__nds32__) && \ - !defined(__arm__) + !defined(__arm__) && \ + !defined(__aarch64__) /* * Due to conflicts with "compiler.h", don't rely on <sys/io.h> to declare Index: xorg-server-1.13.2/include/servermd.h =================================================================== --- xorg-server-1.13.2.orig/include/servermd.h +++ xorg-server-1.13.2/include/servermd.h @@ -286,6 +286,20 @@ SOFTWARE. #define GLYPHPADBYTES 4 #endif /* linux/s390 */ +#ifdef __aarch64__ + +#ifdef __AARCH64EL__ +#define IMAGE_BYTE_ORDER LSBFirst +#define BITMAP_BIT_ORDER LSBFirst +#endif +#ifdef __AARCH64EB__ +#define IMAGE_BYTE_ORDER MSBFirst +#define BITMAP_BIT_ORDER MSBFirst +#endif +#define GLYPHPADBYTES 4 + +#endif /* __aarch64__ */ + /* size of buffer to use with GetImage, measured in bytes. There's obviously * a trade-off between the amount of heap used and the number of times the * ddx routine has to be called. ++++++ u_disable-acpi-code.patch ++++++ From: Adam Jackson <ajax@redhat.com> Date: Wed, 9 Nov 2011 11:52:06 +1000 Subject: [PATCH 2/7] Don't build the ACPI code. No good can come of this. --- configure.ac | 1 - 1 file changed, 1 deletion(-) diff --git a/configure.ac b/configure.ac index a12783c..54f4464 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1620,7 +1620,6 @@ if test "x$XORG" = xyes; then linux_alpha=yes ;; i*86|amd64*|x86_64*|ia64*) - linux_acpi="yes" ;; *) ;; -- 1.7.10.1 ++++++ u_dri2_fix-detection-of-wrong-prime_id-in-getscreenprime.patch ++++++ Subject: [PATCH] dri2: Fix wrong prime_id detection in GetScreenPrime. Author: Michal Srb <msrb@suse.com> Patch-Mainline: To be upstreamed References: bnc#846352 Checking the iterating variable ("slave") against null can not detect if the xorg_list_for_each_entry finished without break being invoked - it will be always non-null. This caused segfault whenever someone tried to use DRI_PRIME with incorrect id. Restructurize it to work as expected. diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c index 729a323..5b2c662 100644 --- a/hw/xfree86/dri2/dri2.c +++ b/hw/xfree86/dri2/dri2.c @@ -156,11 +156,9 @@ GetScreenPrime(ScreenPtr master, int prime_id) ds = DRI2GetScreen(slave); if (ds->prime_id == prime_id) - break; + return slave; } - if (!slave) - return master; - return slave; + return master; } static DRI2ScreenPtr ++++++ u_exa-only-draw-valid-trapezoids.patch ++++++ Author: Maarten Lankhorst <maarten.lankhorst@canonical.com> Subject: exa: only draw valid trapezoids Patch-Mainline: To be upstreamed References: bnc#853846 CVE-2013-6424 Signed-off-by: Michal Srb <msrb@suse.com> diff --git a/exa/exa_render.c b/exa/exa_render.c index 172e2b5..807eeba 100644 --- a/exa/exa_render.c +++ b/exa/exa_render.c @@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst, exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); for (; ntrap; ntrap--, traps++) - (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); + if (xTrapezoidValid(traps)) + (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); xRel = bounds.x1 + xSrc - xDst; diff --git a/render/picture.h b/render/picture.h index c85353a..fcd6401 100644 --- a/render/picture.h +++ b/render/picture.h 
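Review bot: In `GetScreenPrime`, `ds = DRI2GetScreen(slave);` is followed by `ds->prime_id` with no NULL check, so the loop this hunk restructures still dereferences whatever the lookup returns. If a slave screen can be on the list without DRI2 having been initialised on it (not visible here), the server would fault on the same `DRI_PRIME` path the patch is repairing. `if (ds == NULL) continue;` before the comparison covers that case. The function begins outside the hunk.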
@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed; /* whether 't' is a well defined not obviously empty trapezoid */ #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ (t)->right.p1.y != (t)->right.p2.y && \ - (int) ((t)->bottom - (t)->top) > 0) + ((t)->bottom > (t)->top)) /* * Standard NTSC luminance conversions: ++++++ u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch ++++++
From 6d0da2a4d5c31d055674f482d3d1afe308ed8eeb Mon Sep 17 00:00:00 2001 From: Michal Srb <msrb@suse.com> Date: Mon, 7 Oct 2013 17:55:30 +0300 Subject: [PATCH] randr: Allow RRSelectInput for ProviderChange and ResourceChange events.
From 0ad777cecd414d4c4b3326cc25580833535b0c0b Mon Sep 17 00:00:00 2001 From: Michal Srb <msrb@suse.com> Date: Fri, 4 Oct 2013 17:46:50 +0300 Subject: [PATCH] randr: deliver Output and Crtc events of attached output
Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Michal Srb <msrb@suse.com> diff --git a/randr/rrdispatch.c b/randr/rrdispatch.c index 7fbc9f0..f050d38 100644 --- a/randr/rrdispatch.c +++ b/randr/rrdispatch.c @@ -92,7 +92,9 @@ ProcRRSelectInput(ClientPtr client) RRCrtcChangeNotifyMask | RROutputChangeNotifyMask | RROutputPropertyNotifyMask | - RRProviderPropertyNotifyMask)) { + RRProviderChangeNotifyMask | + RRProviderPropertyNotifyMask | + RRResourceChangeNotifyMask)) { ScreenPtr pScreen = pWin->drawable.pScreen; rrScrPriv(pScreen); ++++++ u_randr_deliver_output_and_crtc_events_of_attached_output.patch ++++++ providers. Consider all attached output providers when looking for changed outputs and crtcs. Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Michal Srb <msrb@suse.com> diff --git a/randr/randr.c b/randr/randr.c index 9cec6f6..3c51427 100755 --- a/randr/randr.c +++ b/randr/randr.c @@ -478,6 +478,16 @@ TellChanged(WindowPtr pWin, pointer value) if (crtc->changed) RRDeliverCrtcEvent(client, pWin, crtc); } + + xorg_list_for_each_entry(iter, &pScreen->output_slave_list, output_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + for (i = 0; i < pSlaveScrPriv->numCrtcs; i++) { + RRCrtcPtr crtc = pSlaveScrPriv->crtcs[i]; + + if (crtc->changed) + RRDeliverCrtcEvent(client, pWin, crtc); + } + } } if (pRREvent->mask & RROutputChangeNotifyMask) { @@ -487,6 +497,16 @@ TellChanged(WindowPtr pWin, pointer value) if (output->changed) RRDeliverOutputEvent(client, pWin, output); } + + xorg_list_for_each_entry(iter, &pScreen->output_slave_list, output_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + for (i = 0; i < pSlaveScrPriv->numOutputs; i++) { + RROutputPtr output = pSlaveScrPriv->outputs[i]; + + if (output->changed) + RRDeliverOutputEvent(client, pWin, output); + } + } } if (pRREvent->mask & RRProviderChangeNotifyMask) { 
@@ -581,6 +601,10 @@ RRTellChanged(ScreenPtr pScreen) xorg_list_for_each_entry(iter, &master->output_slave_list, output_head) { pSlaveScrPriv = rrGetScrPriv(iter); pSlaveScrPriv->provider->changed = FALSE; + for (i = 0; i < pSlaveScrPriv->numOutputs; i++) + pSlaveScrPriv->outputs[i]->changed = FALSE; + for (i = 0; i < pSlaveScrPriv->numCrtcs; i++) + pSlaveScrPriv->crtcs[i]->changed = FALSE; } xorg_list_for_each_entry(iter, &master->offload_slave_list, offload_head) { pSlaveScrPriv = rrGetScrPriv(iter); ++++++ u_randr_send_rrproviderchangenotify_event.patch ++++++
From 6ec75c2f85c14c805f4433a17a56774594d8641c Mon Sep 17 00:00:00 2001 From: Michal Srb <msrb@suse.com> Date: Fri, 4 Oct 2013 15:59:34 +0300 Subject: [PATCH] randr: send RRProviderChangeNotify event
Send RRProviderChangeNotify event when a provider becomes output source or offload sink. Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Michal Srb <msrb@suse.com> diff --git a/randr/randr.c b/randr/randr.c old mode 100644 new mode 100755 index cb6fce7..fa0a4da --- a/randr/randr.c +++ b/randr/randr.c @@ -426,6 +426,8 @@ TellChanged(WindowPtr pWin, pointer value) RREventPtr *pHead, pRREvent; ClientPtr client; ScreenPtr pScreen = pWin->drawable.pScreen; + ScreenPtr iter; + rrScrPrivPtr pSlaveScrPriv; rrScrPriv(pScreen); int i; @@ -460,6 +462,24 @@ TellChanged(WindowPtr pWin, pointer value) RRDeliverOutputEvent(client, pWin, output); } } + + if (pRREvent->mask & RRProviderChangeNotifyMask) { + xorg_list_for_each_entry(iter, &pScreen->output_slave_list, output_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + if (pSlaveScrPriv->provider->changed) + RRDeliverProviderEvent(client, pWin, pSlaveScrPriv->provider); + } + xorg_list_for_each_entry(iter, &pScreen->offload_slave_list, offload_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + if (pSlaveScrPriv->provider->changed) + RRDeliverProviderEvent(client, pWin, pSlaveScrPriv->provider); + } + xorg_list_for_each_entry(iter, &pScreen->unattached_list, unattached_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + if (pSlaveScrPriv->provider->changed) + RRDeliverProviderEvent(client, pWin, pSlaveScrPriv->provider); + } + } } return WT_WALKCHILDREN; } @@ -496,6 +516,8 @@ RRTellChanged(ScreenPtr pScreen) rrScrPriv(pScreen); rrScrPrivPtr mastersp; int i; + ScreenPtr iter; + rrScrPrivPtr pSlaveScrPriv; if (pScreen->isGPU) { master = pScreen->current_master; 
@@ -519,6 +541,20 @@ RRTellChanged(ScreenPtr pScreen) pScrPriv->outputs[i]->changed = FALSE; for (i = 0; i < pScrPriv->numCrtcs; i++) pScrPriv->crtcs[i]->changed = FALSE; + + xorg_list_for_each_entry(iter, &master->output_slave_list, output_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + pSlaveScrPriv->provider->changed = FALSE; + } + xorg_list_for_each_entry(iter, &master->offload_slave_list, offload_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + pSlaveScrPriv->provider->changed = FALSE; + } + xorg_list_for_each_entry(iter, &master->unattached_list, unattached_head) { + pSlaveScrPriv = rrGetScrPriv(iter); + pSlaveScrPriv->provider->changed = FALSE; + } + if (mastersp->layoutChanged) { pScrPriv->layoutChanged = FALSE; RRPointerScreenConfigured(master); diff --git a/randr/randrstr.h b/randr/randrstr.h old mode 100644 new mode 100755 index 2babfed..c933349 --- a/randr/randrstr.h +++ b/randr/randrstr.h @@ -164,6 +164,7 @@ struct _rrProvider { int nameLength; RRPropertyPtr properties; Bool pendingProperties; + Bool changed; struct _rrProvider *offload_sink; struct _rrProvider *output_source; }; @@ -923,6 +924,9 @@ RRProviderSetCapabilities(RRProviderPtr provider, uint32_t capabilities); extern _X_EXPORT Bool RRProviderLookup(XID id, RRProviderPtr *provider_p); +extern _X_EXPORT void +RRDeliverProviderEvent(ClientPtr client, WindowPtr pWin, RRProviderPtr provider); + /* rrproviderproperty.c */ extern _X_EXPORT void diff --git a/randr/rrprovider.c b/randr/rrprovider.c old mode 100644 new mode 100755 index b321e62..2334ad2 --- a/randr/rrprovider.c +++ b/randr/rrprovider.c @@ -304,6 +304,9 @@ ProcRRSetProviderOutputSource(ClientPtr client) pScrPriv->rrProviderSetOutputSource(pScreen, provider, source_provider); + provider->changed = TRUE; + RRSetChanged(pScreen); + RRTellChanged (pScreen); return Success; 
@@ -333,6 +336,9 @@ ProcRRSetProviderOffloadSink(ClientPtr client) pScrPriv->rrProviderSetOffloadSink(pScreen, provider, sink_provider); + provider->changed = TRUE; + RRSetChanged(pScreen); + RRTellChanged (pScreen); return Success; @@ -357,6 +363,7 @@ RRProviderCreate(ScreenPtr pScreen, const char *name, provider->nameLength = nameLength; memcpy(provider->name, name, nameLength); provider->name[nameLength] = '\0'; + provider->changed = FALSE; if (!AddResource (provider->id, RRProviderType, (pointer) provider)) return NULL; @@ -416,3 +423,21 @@ RRProviderLookup(XID id, RRProviderPtr *provider_p) return TRUE; return FALSE; } + +void +RRDeliverProviderEvent(ClientPtr client, WindowPtr pWin, RRProviderPtr provider) +{ + ScreenPtr pScreen = pWin->drawable.pScreen; + + rrScrPriv(pScreen); + + xRRProviderChangeNotifyEvent pe = { + .type = RRNotify + RREventBase, + .subCode = RRNotify_ProviderChange, + .timestamp = pScrPriv->lastSetTime.milliseconds, + .window = pWin->drawable.id, + .provider = provider->id + }; + + WriteEventsToClient(client, 1, (xEvent *) &pe); +} ++++++ u_randr_send_rrresourcechangenotify_event.patch ++++++
From 7fa3e6ac35602ba7025e9283e9b2a7ab21ab77fb Mon Sep 17 00:00:00 2001 From: Michal Srb <msrb@suse.com> Date: Fri, 4 Oct 2013 16:11:18 +0300 Subject: [PATCH] randr: send RRResourceChangeNotify event
Send RRResourceChangeNotify event when provider, output or crtc was created or destroyed. I.e. when the list of resources returned by RRGetScreenResources and RRGetProviders changes. Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Michal Srb <msrb@suse.com> diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c old mode 100644 new mode 100755 index e368dee..33b2b7d --- a/hw/xfree86/common/xf86platformBus.c +++ b/hw/xfree86/common/xf86platformBus.c @@ -466,6 +466,9 @@ xf86platformAddDevice(int index) /* attach unbound to 0 protocol screen */ AttachUnboundGPU(xf86Screens[0]->pScreen, xf86GPUScreens[i]->pScreen); + RRResourcesChanged(xf86Screens[0]->pScreen); + RRTellChanged(xf86Screens[0]->pScreen); + return 0; } @@ -508,6 +511,8 @@ xf86platformRemoveDevice(int index) xf86UnclaimPlatformSlot(&xf86_platform_devices[index], NULL); xf86_remove_platform_device(index); + + RRResourcesChanged(xf86Screens[0]->pScreen); RRTellChanged(xf86Screens[0]->pScreen); out: return; diff --git a/randr/randr.c b/randr/randr.c index fa0a4da..9cec6f6 100755 --- a/randr/randr.c +++ b/randr/randr.c @@ -420,6 +420,32 @@ RRExtensionInit(void) #endif } +void +RRResourcesChanged(ScreenPtr pScreen) +{ + rrScrPriv(pScreen); + pScrPriv->resourcesChanged = TRUE; + + RRSetChanged(pScreen); +} + +static void +RRDeliverResourceEvent(ClientPtr client, WindowPtr pWin) +{ + ScreenPtr pScreen = pWin->drawable.pScreen; + + rrScrPriv(pScreen); + + xRRResourceChangeNotifyEvent re = { + .type = RRNotify + RREventBase, + .subCode = RRNotify_ResourceChange, + .timestamp = pScrPriv->lastSetTime.milliseconds, + .window = pWin->drawable.id + }; + + WriteEventsToClient(client, 1, (xEvent *) &re); +} + static int TellChanged(WindowPtr pWin, pointer value) { 
@@ -480,6 +506,12 @@ TellChanged(WindowPtr pWin, pointer value) RRDeliverProviderEvent(client, pWin, pSlaveScrPriv->provider); } } + + if (pRREvent->mask & RRResourceChangeNotifyMask) { + if (pScrPriv->resourcesChanged) { + RRDeliverResourceEvent(client, pWin); + } + } } return WT_WALKCHILDREN; } @@ -536,7 +568,11 @@ RRTellChanged(ScreenPtr pScreen) } pScrPriv->changed = FALSE; mastersp->changed = FALSE; + WalkTree(master, TellChanged, (pointer) master); + + mastersp->resourcesChanged = FALSE; + for (i = 0; i < pScrPriv->numOutputs; i++) pScrPriv->outputs[i]->changed = FALSE; for (i = 0; i < pScrPriv->numCrtcs; i++) diff --git a/randr/randrstr.h b/randr/randrstr.h index c933349..15299fd 100755 --- a/randr/randrstr.h +++ b/randr/randrstr.h @@ -301,6 +301,7 @@ typedef struct _rrScrPriv { Bool changed; /* some config changed */ Bool configChanged; /* configuration changed */ Bool layoutChanged; /* screen layout changed */ + Bool resourcesChanged; /* screen resources change */ CARD16 minWidth, minHeight; CARD16 maxWidth, maxHeight; @@ -486,6 +487,9 @@ extern _X_EXPORT int extern _X_EXPORT void RRDeliverScreenEvent(ClientPtr client, WindowPtr pWin, ScreenPtr pScreen); +extern _X_EXPORT void + RRResourcesChanged(ScreenPtr pScreen); + /* randr.c */ /* set a screen change on the primary screen */ extern _X_EXPORT void diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c old mode 100644 new mode 100755 index 2f76b62..99b3dca --- a/randr/rrcrtc.c +++ b/randr/rrcrtc.c @@ -102,6 +102,8 @@ RRCrtcCreate(ScreenPtr pScreen, void *devPrivate) crtc->pScreen = pScreen; pScrPriv->crtcs[pScrPriv->numCrtcs++] = crtc; + RRResourcesChanged(pScreen); + return crtc; } @@ -669,6 +671,8 @@ RRCrtcDestroyResource(pointer value, XID pid) break; } } + + RRResourcesChanged(pScreen); } if (crtc->scanout_pixmap) diff --git a/randr/rroutput.c b/randr/rroutput.c old mode 100644 new mode 100755 index 922d61f..2b0b82f --- a/randr/rroutput.c +++ b/randr/rroutput.c 
@@ -101,6 +101,9 @@ RROutputCreate(ScreenPtr pScreen, return NULL; pScrPriv->outputs[pScrPriv->numOutputs++] = output; + + RRResourcesChanged(pScreen); + return output; } @@ -355,6 +358,8 @@ RROutputDestroyResource(pointer value, XID pid) break; } } + + RRResourcesChanged(pScreen); } if (output->modes) { for (m = 0; m < output->numModes; m++) ++++++ u_vgaHW-no-legacy.patch ++++++ Author: Andreas Schwab <schwab@suse.de> Subject: disable DACDelay on non-vga-hardware users Patch-Mainline: To be upstreamed Signed-Off-By: Marcus Meissner <meissner@suse.de> --- hw/xfree86/vgahw/vgaHW.h +++ hw/xfree86/vgahw/vgaHW.h @@ -168,11 +168,15 @@ typedef struct _vgaHWRec { #define BITS_PER_GUN 6 #define COLORMAP_SIZE 256 +#if defined(__powerpc__) || defined(__arm__) || defined(__s390__) || defined(__nds32__) +#define DACDelay(hw) /* No legacy VGA support */ +#else #define DACDelay(hw) \ do { \ (hw)->readST01((hw)); \ (hw)->readST01((hw)); \ } while (0) +#endif /* Function Prototypes */ ++++++ u_xserver_xvfb-randr.patch ++++++ Author: Lambros Lambrou <lambroslambrou@google.com> Subject: xvfb: add randr support Patch-Mainline: To be upstreamed References: bnc#823410 fdo#26391 Signed-off-by: Michal Srb <msrb@suse.cz> --- a/hw/vfb/InitOutput.c +++ b/hw/vfb/InitOutput.c @@ -66,6 +66,7 @@ #include "dix.h" #include "miline.h" #include "glx_extinit.h" +#include "randrstr.h" #define VFB_DEFAULT_WIDTH 1280 #define VFB_DEFAULT_HEIGHT 1024 
@@ -812,6 +813,165 @@ } static Bool +vfbRROutputValidateMode(ScreenPtr pScreen, + RROutputPtr output, + RRModePtr mode) +{ + rrScrPriv(pScreen); + + if (pScrPriv->minWidth <= mode->mode.width && + pScrPriv->maxWidth >= mode->mode.width && + pScrPriv->minHeight <= mode->mode.height && + pScrPriv->maxHeight >= mode->mode.height) + return TRUE; + else + return FALSE; +} + +static Bool +vfbRRScreenSetSize(ScreenPtr pScreen, + CARD16 width, + CARD16 height, + CARD32 mmWidth, + CARD32 mmHeight) +{ + WindowPtr root = pScreen->root; + WindowPtr layer; + WindowPtr child; + BoxRec box; + + pScreen->width = width; + pScreen->height = height; + pScreen->mmWidth = mmWidth; + pScreen->mmHeight = mmHeight; + + // Resize the root window & adjust its clipping + box.x1 = 0; + box.y1 = 0; + box.x2 = pScreen->width; + box.y2 = pScreen->height; + REGION_INIT(pScreen, &root->winSize, &box, 1); + REGION_INIT(pScreen, &root->borderSize, &box, 1); + REGION_RESET(pScreen, &root->borderClip, &box); + root->drawable.width = pScreen->width; + root->drawable.height = pScreen->height; + REGION_BREAK (pScreen, &root->clipList); + + // Update the clipping regions of all windows + for (child = root->firstChild; child; child = child->nextSib) + (*pScreen->MarkOverlappedWindows)(child, child, &layer); + + if (root->firstChild) + { + (*pScreen->MarkOverlappedWindows)(root->firstChild, + root->firstChild, + (WindowPtr *)NULL); + } + else + { + (*pScreen->MarkWindow) (root); + } + + (*pScreen->ValidateTree)(root, NullWindow, VTOther); + (*pScreen->HandleExposures)(root); + + // Reposition top-level windows to fit new root size + // XXX I assume this is what it does, but I'm not sure + ResizeChildrenWinSize (root, 0, 0, 0, 0); + + + // Check the pointer position + WindowsRestructured (); + + RRScreenSizeNotify (pScreen); + RRTellChanged(pScreen); + + // Flush resulting events, etc to clients + FlushAllOutput (); + + return TRUE; +} + +static Bool +vfbRRCrtcSet(ScreenPtr pScreen, + RRCrtcPtr crtc, + 
RRModePtr mode, + int x, + int y, + Rotation rotation, + int numOutput, + RROutputPtr *outputs) +{ + return RRCrtcNotify(crtc, mode, x, y, rotation, NULL, numOutput, outputs); +} + +static Bool +vfbRRGetInfo(ScreenPtr pScreen, Rotation *rotations) +{ + return TRUE; +} + +static Bool +vfbRandRInit(ScreenPtr pScreen) +{ + rrScrPrivPtr pScrPriv; +#if RANDR_12_INTERFACE + RRModePtr mode; + RRCrtcPtr crtc; + RROutputPtr output; + xRRModeInfo modeInfo; + char name[64]; +#endif + + if (!RRScreenInit (pScreen)) + return FALSE; + pScrPriv = rrGetScrPriv(pScreen); + pScrPriv->rrGetInfo = vfbRRGetInfo; +#if RANDR_12_INTERFACE + pScrPriv->rrCrtcSet = vfbRRCrtcSet; + pScrPriv->rrScreenSetSize = vfbRRScreenSetSize; + pScrPriv->rrOutputSetProperty = NULL; +#if RANDR_13_INTERFACE + pScrPriv->rrOutputGetProperty = NULL; +#endif + pScrPriv->rrOutputValidateMode = vfbRROutputValidateMode; + pScrPriv->rrModeDestroy = NULL; + + RRScreenSetSizeRange (pScreen, + 1, 1, + pScreen->width, pScreen->height); + + sprintf (name, "%dx%d", pScreen->width, pScreen->height); + memset (&modeInfo, '\0', sizeof (modeInfo)); + modeInfo.width = pScreen->width; + modeInfo.height = pScreen->height; + modeInfo.nameLength = strlen (name); + + mode = RRModeGet (&modeInfo, name); + if (!mode) + return FALSE; + + crtc = RRCrtcCreate (pScreen, NULL); + if (!crtc) + return FALSE; + + output = RROutputCreate (pScreen, "screen", 6, NULL); + if (!output) + return FALSE; + if (!RROutputSetClones (output, NULL, 0)) + return FALSE; + if (!RROutputSetModes (output, &mode, 1, 0)) + return FALSE; + if (!RROutputSetCrtcs (output, &crtc, 1)) + return FALSE; + if (!RROutputSetConnection (output, RR_Connected)) + return FALSE; + RRCrtcNotify (crtc, mode, 0, 0, RR_Rotate_0, NULL, 1, &output); +#endif + return TRUE; +} + +static Bool vfbScreenInit(ScreenPtr pScreen, int argc, char **argv) { vfbScreenInfoPtr pvfb = &vfbScreens[pScreen->myNum]; 
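Review bot: `vfbRRScreenSetSize` stores the requested `width` and `height` into `pScreen` without checking them itself; the only bound is the `RRScreenSetSizeRange (pScreen, 1, 1, pScreen->width, pScreen->height)` call in `vfbRandRInit`, which caps them at the screen size at initialisation. That dependency deserves a comment at the top of `vfbRRScreenSetSize`, for example `/* width/height are capped by RRScreenSetSizeRange() in vfbRandRInit at the initial screen size; do not widen that range without reallocating the framebuffer */`, because a wider range would presumably let rendering address memory beyond the buffer allocated at startup (the allocation is not visible in this hunk). Separately, `sprintf (name, "%dx%d", ...)` fits in `name[64]` for any pair of ints, but `snprintf (name, sizeof (name), "%dx%d", ...)` states the bound explicitly.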
@@ -885,6 +1045,9 @@ if (!ret) return FALSE; + if (!vfbRandRInit(pScreen)) + return FALSE; + pScreen->InstallColormap = vfbInstallColormap; pScreen->UninstallColormap = vfbUninstallColormap; pScreen->ListInstalledColormaps = vfbListInstalledColormaps; ++++++ xorg-backtrace ++++++ #!/usr/bin/perl $version = "1.0"; $timeout = 5; @pkgs = ( "xorg-x11-server", "xorg-x11-driver-video", "xorg-x11-driver-input", "libpixman-1-0", "libpciaccess0" ); $xtracmds= "/etc/X11/xorg-backtrace-cmds"; $pid=$ARGV[0]; if ($pid == 0) { print "Usage: $0 <pid>\n"; exit 1; } if (! -e "/usr/bin/gdb") { print "Install gdb to get reasonable backtraces\n"; exit 2; } $SIG{ALRM} = sub { die "timeout starting gdb" }; alarm $timeout; open STDERR, ">&STDOUT"; use FileHandle; use IPC::Open2; $gdb = open2 (*R, *W, "/usr/bin/gdb -n -p $pid"); $SIG{ALRM} = sub { kill QUIT, $gdb; sleep 1; kill KILL, $gdb; die "timeout using gdb" }; alarm $timeout; print "\n==================== GDB Backtrace ============\n\n"; print "Done by $0 V$version\n\n"; $needpkgs=0; for $p (@pkgs) { next if system ("rpm", "-q", "--quiet", "$p-debuginfo") == 0 && system ("rpm", "-q", "--quiet", "$p-debugsource") == 0; print "Install following debug packages to improve backtrace:\n" unless $needpkgs; $needpkgs++; print "\t$p-debug*\n"; } print "\n" if $needpkgs; print W "set prompt\necho \\n===info\\n\n"; #print W "info files\necho ===files\\n\n"; print W "thread apply all bt full\necho ===btend\\n\n"; $_=<R>; # GNU gdb version print; while (<R>) { last if /^===info/; print if /^This GDB was configured as/; } #print "\n==================== Files ====================\n\n"; #while (<R>) { # last if /^===files/; # print; #} print "\n==================== Backtrace ================\n"; $fno = ""; $fls = 0; $o = ""; $use = 0; while (<R>) { last if /^===btend/; if (/^#(\d+)\s/) { $fno = $1; $o .= "\n"; $o .= "===l".($fno-1)."\n" if $use; $o .= "\n"; $fls = $fno+1 if /\bxorg_backtrace \(/ || /\bOsSigHandler \(/; $use = 1; } $line{$fno} = $1 
if $line{$fno} == 0 && /:(\d+)\s*$/; $o .= $_; $use = 0 if /^No symbol table info available/; } $o .="\n===l$fno"; for $i ($fls..$fno) { print W "frame $i\necho ===fs$i\\n\nlist\necho ===fe$i\\n\n"; while (<R>) { last if /^===fs$i\b/; } $r = ""; while (<R>) { last if /^===fe$i\b/; $r .= $_; } if ($line{$i} > 0) { $r =~ s/^$line{$i}\b/$line{$i} */m; } $o =~ s/^===l$i$/$r/m; } if ($fls > 0) { for $i (0..$fls-1) { $o =~ s/^(#$i\s.*?)\n.*?\n#/$1\n\n#/ms; } } $o =~ s/^===l.*$//mg; print "$o"; if (-e $xtracmds) { print W "source -v $xtracmds\necho ===cmds\\n\n"; print "\n==================== Extra Commands ===========\n\n"; while (<R>) { last if /^===cmds/; print unless /^\+echo ===cmds/; } } print "\n==================== Backtrace End ============\n\n"; close R; close W; exit 0; ++++++ xorg-server-provides ++++++ Provides: X11_ABI_XINPUT = 19.1 Provides: X11_ABI_VIDEODRV = 14.1 Provides: X11_ABI_ANSIC = 0.4 Provides: X11_ABI_EXTENSION = 7.0 ++++++ xorg-x11-server.macros.in ++++++ # RPM macros for XOrg ABI Definitions # Add a Requires for the correct VIDEO Driver ABI %x11_abi_videodrv_req \ Requires: X11_ABI_VIDEODRV = @abi_videodrv@ %x11_abi_xinput_req \ Requires: X11_ABI_XINPUT = @abi_xinput@ %x11_abi_ansic_req \ Requires: X11_ABI_ANSIC = @abi_ansic@ %x11_abi_extension_req \ Requires: X11_ABI_EXTENSION = @abi_extension@ -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
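Review bot: In xorg-backtrace the pid argument reaches a shell unvalidated: `$pid == 0` is a numeric comparison, so any argument that merely starts with digits passes, and the single-string `open2 (*R, *W, "/usr/bin/gdb -n -p $pid")` is then run through the shell. The script's caller is not visible here (presumably the X server passing its own pid, likely with root privileges), so this is a hardening point rather than a demonstrated hole. I would validate with `unless (defined $pid && $pid =~ /\A[1-9][0-9]*\z/) { print "Usage: $0 <pid>\n"; exit 1; }` and call `open2 (*R, *W, "/usr/bin/gdb", "-n", "-p", $pid)` so that no shell is involved. The script also lacks `use strict; use warnings;`, and because `source -v $xtracmds` runs the contents of /etc/X11/xorg-backtrace-cmds inside gdb, that file should be writable by root only.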