Hello community, here is the log from the commit of package xorg-x11-server for openSUSE:Factory checked in at Fri Mar 18 09:51:13 CET 2011. -------- --- xorg-x11-server/xorg-x11-server.changes 2011-02-26 11:57:51.000000000 +0100 +++ /mounts/work_src_done/STABLE/xorg-x11-server/xorg-x11-server.changes 2011-03-17 18:02:04.000000000 +0100 @@ -1,0 +2,14 @@ +Thu Mar 17 16:55:16 UTC 2011 - sndirsch@novell.com + +- Replace-malloc-with-calloc-to-initialize-the-buffers.patch + * Replace malloc with calloc to initialize the buffers[] as NULL + in do_get_buffers function (bnc #673595) + +------------------------------------------------------------------- +Thu Mar 17 13:35:55 UTC 2011 - sndirsch@novell.com + +- record-avoid-crash-when-calling-RecordFlushReplyBuff.patch + * record: avoid crash when calling RecordFlushReplyBuffer + recursively (bnc #673575) + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- Replace-malloc-with-calloc-to-initialize-the-buffers.patch record-avoid-crash-when-calling-RecordFlushReplyBuff.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xorg-x11-server.spec ++++++ --- /var/tmp/diff_new_pack.lOJAvN/_old 2011-03-18 09:48:51.000000000 +0100 +++ /var/tmp/diff_new_pack.lOJAvN/_new 2011-03-18 09:48:51.000000000 +0100 @@ -32,7 +32,7 @@ %endif Url: http://xorg.freedesktop.org/ Version: 7.6_%{dirsuffix} -Release: 18 +Release: 19 License: GPLv2+ ; MIT License (or similar) BuildRoot: %{_tmppath}/%{name}-%{version}-build Group: System/X11/Servers/XF86_4 @@ -122,6 +122,8 @@ Patch223: use-last-screen.patch Patch224: pad-size-of-system-memory-copy-for-1x1-pixmaps Patch225: xorg-server-stop-cpu-eating.diff +Patch226: record-avoid-crash-when-calling-RecordFlushReplyBuff.patch +Patch227: Replace-malloc-with-calloc-to-initialize-the-buffers.patch %if %moblin Patch300: moblin-use_preferred_mode_for_all_outputs.diff %endif 
@@ -255,6 +257,8 @@ %patch223 -p1 %patch224 -p1 %patch225 -p1 +%patch226 -p1 +%patch227 -p1 %if %moblin %patch300 -p1 %endif ++++++ Replace-malloc-with-calloc-to-initialize-the-buffers.patch ++++++
From a73c28f0bdafb1c5cb8129179188a99c0ca052e2 Mon Sep 17 00:00:00 2001 From: Justin Dou <Justin.Dou@intel.com> Date: Thu, 10 Feb 2011 16:27:29 -0500 Subject: [PATCH] Replace malloc with calloc to initialize the buffers[] as NULL in do_get_buffers function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
The call to allocate_or_reuse_buffer may fail for some reason, e.g. out of memory. If the buffers[] were not initialized to NULL, the following err_out may try to access illegal memory, which will cause X to crash afterward. Reviewed-by: Kristian Høgsberg <krh@bitplanet.net> Signed-off-by: Justin Dou <Justin.Dou@intel.com> Signed-off-by: Keith Packard <keithp@keithp.com> --- hw/xfree86/dri2/dri2.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c index 39996f9..9ca378f 100644 --- a/hw/xfree86/dri2/dri2.c +++ b/hw/xfree86/dri2/dri2.c @@ -403,7 +403,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height, && (pDraw->height == pPriv->height) && (pPriv->serialNumber == DRI2DrawableSerial(pDraw)); - buffers = malloc((count + 1) * sizeof(buffers[0])); + buffers = calloc((count + 1), sizeof(buffers[0])); for (i = 0; i < count; i++) { const unsigned attachment = *(attachments++); -- 1.7.4.1 ++++++ record-avoid-crash-when-calling-RecordFlushReplyBuff.patch ++++++
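Review bot: In the do_get_buffers hunk of hw/xfree86/dri2/dri2.c, the result of the new `calloc((count + 1), sizeof(buffers[0]))` is not checked; the hunk context goes straight from the allocation into `for (i = 0; i < count; i++)`. Zero-filling makes the err_out cleanup safe when allocate_or_reuse_buffer fails, but the out-of-memory case named in the commit message can also make this allocation itself return NULL. Suggest adding a NULL test directly after the call that takes the function's failure return before the loop touches buffers[].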
From 0801afbd7c2c644c672b37f8463f1a0cbadebd2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?= <erkki.seppala@vincit.fi> Date: Thu, 10 Feb 2011 15:35:14 +0200 Subject: [PATCH] record: avoid crash when calling RecordFlushReplyBuffer recursively MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
RecordFlushReplyBuffer can call itself recursively through WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts when the recording client's buffer cannot be completely emptied in one WriteClient. When such a recursion occurs, it will not be broken out of, which results in a segmentation fault when the stack is exhausted. This patch adds a counter (a flag, really) that guards against this situation, to break out of the recursion. One alternative to this change would be to change _CallCallbacks to check the corresponding counter before the callback loop, but that might affect existing behavior, which may be relied upon. Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Keith Packard <keithp@keithp.com> --- record/record.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/record/record.c b/record/record.c index 6a93d7a..facaebb 100644 --- a/record/record.c +++ b/record/record.c @@ -77,6 +77,7 @@ typedef struct { char bufCategory; /* category of protocol in replyBuffer */ int numBufBytes; /* number of bytes in replyBuffer */ char replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */ + int inFlush; /* are we inside RecordFlushReplyBuffer */ } RecordContextRec, *RecordContextPtr; /* RecordMinorOpRec - to hold minor opcode selections for extension requests @@ -245,8 +246,9 @@ RecordFlushReplyBuffer( int len2 ) { - if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone) + if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone || pContext->inFlush) return; + ++pContext->inFlush; if (pContext->numBufBytes) WriteToClient(pContext->pRecordingClient, pContext->numBufBytes, (char *)pContext->replyBuffer);
@@ -255,6 +257,7 @@ RecordFlushReplyBuffer( WriteToClient(pContext->pRecordingClient, len1, (char *)data1); if (len2) WriteToClient(pContext->pRecordingClient, len2, (char *)data2); + --pContext->inFlush; } /* RecordFlushReplyBuffer */ @@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client) pContext->numBufBytes = 0; pContext->pBufClient = NULL; pContext->continuedReply = 0; + pContext->inFlush = 0; err = RecordRegisterClients(pContext, client, (xRecordRegisterClientsReq *)stuff); -- 1.7.4.1 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
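Review bot: In the RecordFlushReplyBuffer hunk at `@@ -245,8 +246,9 @@` of record/record.c, the new `|| pContext->inFlush` condition returns before any of the WriteToClient calls, so a re-entrant call exits without sending the data1/data2 it was passed, and nothing in the visible lines buffers or reports that data. Suggest a comment at the guard stating whether dropping the nested call's payload is intended, or where that data is expected to be delivered later.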
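Review bot: In the RecordContextRec hunk at `@@ -77,6 +77,7 @@` of record/record.c, `int inFlush` is documented as "are we inside RecordFlushReplyBuffer" but is maintained with `++pContext->inFlush` and `--pContext->inFlush`. Because the guard returns whenever the field is non-zero, it can only hold 0 or 1, which the commit message itself acknowledges ("a flag, really"). Suggest either declaring it as a boolean and assigning it directly, or extending the field comment to say it is a re-entrancy guard that never exceeds 1.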