xserver: Branch 'xorg-server-1.2-apple' - 3 commits

Ben Byer bbyer at kemper.freedesktop.org
Fri Dec 7 22:26:51 PST 2007 

 fb/fb.h                         |    7 +++++++
 fb/fbbltone.c                   |   30 ++++++++++++++++++++++++++----
 miext/rootless/rootlessScreen.c |    2 ++
 3 files changed, 35 insertions(+), 4 deletions(-)

New commits:
commit 6f441d79c7c884c8cd9315f490f7833a877344aa
Author: Ben Byer <bbyer at bbyer.local>
Date:   Fri Dec 7 22:26:17 2007 -0800

    Added code to check for null pointers on fb* invocations

diff --git a/fb/fb.h b/fb/fb.h
index 3742cf0..ef7942f 100644
--- a/fb/fb.h
+++ b/fb/fb.h
@@ -133,6 +133,11 @@ typedef CARD32		    FbStip;
 
 typedef int		    FbStride;
 
+#define CHECK_NULL(ptr) \
+  if ((ptr) == NULL) {\
+    ErrorF("%s:%d: null pointer\n", __FILE__, __LINE__); \
+    return; \
+  }
 
 #ifdef FB_DEBUG
 extern void fbValidateDrawable(DrawablePtr d);
@@ -677,6 +682,7 @@ typedef struct {
     (pointer) = (FbBits *) _pPix->devPrivate.ptr; \
     (stride) = ((int) _pPix->devKind) / sizeof (FbBits); (void)(stride); \
     (bpp) = _pPix->drawable.bitsPerPixel;  (void)(bpp); \
+    CHECK_NULL(pointer); \
 }
 
 #define fbGetStipDrawable(pDrawable, pointer, stride, bpp, xoff, yoff) { \
@@ -693,6 +699,7 @@ typedef struct {
     (pointer) = (FbStip *) _pPix->devPrivate.ptr; \
     (stride) = ((int) _pPix->devKind) / sizeof (FbStip); (void)(stride); \
     (bpp) = _pPix->drawable.bitsPerPixel; (void)(bpp); \
+    CHECK_NULL(pointer); \
 }
 
 /*
commit e5f54f122b2068ff7b94a979ebadac4cf8eef20f
Author: Ben Byer <bbyer at bbyer.local>
Date:   Fri Dec 7 21:56:45 2007 -0800

    Added checks to avoid writing past the end of the buffer in fbBltOne

diff --git a/fb/fbbltone.c b/fb/fbbltone.c
index f06357a..44e020c 100644
--- a/fb/fbbltone.c
+++ b/fb/fbbltone.c
@@ -58,6 +58,13 @@
     } else \
 	bits = (src < srcEnd ? *src++ : 0); \
 }
+
+#define CHECK_BOUNDS(pointer, limit) \
+  if (dst > dstEnd) { \
+    ErrorF("WARNING: fbbltone tried to write over end of buffer (dst=%p dstEnd=%p)\n", \
+	   dst, dstEnd); \
+    return; \
+  }
     
 #ifndef FBNOPIXADDR
     
@@ -150,7 +157,7 @@ fbBltOne (FbStip    *src,
 	  FbBits    bgxor)
 {
     const FbBits    *fbBits;
-    FbBits	    *srcEnd;
+    FbBits	    *srcEnd, *dstEnd;
     int		    pixelsPerDst;		/* dst pixels per FbBits */
     int		    unitsPerSrc;		/* src patterns per FbStip */
     int		    leftShift, rightShift;	/* align source with dest */
@@ -183,9 +190,10 @@ fbBltOne (FbStip    *src,
 #endif
 
     /*
-     * Do not read past the end of the buffer!
+     * Do not read or write past the end of the buffer!
      */
     srcEnd = src + height * srcStride;
+    dstEnd = dst + height * dstStride;
 
     /*
      * Number of destination units in FbBits == number of stipple pixels
@@ -298,6 +306,7 @@ fbBltOne (FbStip    *src,
 	     */
 	    if (startmask)
 	    {
+	      CHECK_BOUNDS(dst, dstEnd);
 #if FB_UNIT > 32
 		if (pixelsPerDst == 16)
 		    mask = FbStipple16Bits(FbLeftStipBits(bits,16));
@@ -338,6 +347,7 @@ fbBltOne (FbStip    *src,
 			else
 #endif
 			    mask = fbBits[FbLeftStipBits(bits,pixelsPerDst)];
+			CHECK_BOUNDS(dst, dstEnd);
 			*dst = FbOpaqueStipple (mask, fgxor, bgxor);
 			dst++;
 			bits = FbStipLeft(bits, pixelsPerDst);
@@ -348,6 +358,7 @@ fbBltOne (FbStip    *src,
 #ifndef FBNOPIXADDR
 		    if (fbLane)
 		    {
+		      CHECK_BOUNDS(dst, dstEnd);
 			while (bits && n)
 			{
 			    switch (fbLane[FbLeftStipBits(bits,pixelsPerDst)]) {
@@ -368,6 +379,7 @@ fbBltOne (FbStip    *src,
 			    if (left || !transparent)
 			    {
 				mask = fbBits[left];
+				CHECK_BOUNDS(dst, dstEnd);
 				*dst = FbStippleRRop (*dst, mask,
 						      fgand, fgxor, bgand, bgxor);
 			    }
@@ -588,7 +600,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    FbBits	bgand,
 	    FbBits	bgxor)
 {
-    FbStip	*src, *srcEnd;
+    FbStip	*src, *srcEnd, *dstEnd;
     FbBits	leftMask, rightMask, mask;
     int		nlMiddle, nl;
     FbStip	stip, bits;
@@ -599,9 +611,10 @@ fbBltOne24 (FbStip	*srcLine,
     int		nDst;
     
     /*
-     * Do not read past the end of the buffer!
+     * Do not read or write past the end of the buffer!
      */
     srcEnd = srcLine + height * srcStride;
+    dstEnd = dst + height * dstStride;
 
     srcLine += srcX >> FB_STIP_SHIFT;
     dst += dstX >> FB_SHIFT;
@@ -631,6 +644,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (leftMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		*dst = (*dst & ~leftMask) | (FbOpaqueStipple (mask,
 							      FbRot24(fgxor, rot),
 							      FbRot24(bgxor, rot))
@@ -642,6 +656,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    while (nl--)
 	    {
 		mask = fbStipple24Bits[rot>>3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		*dst = FbOpaqueStipple (mask, 
 					FbRot24(fgxor, rot),
 					FbRot24(bgxor, rot));
@@ -651,6 +666,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (rightMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		*dst = (*dst & ~rightMask) | (FbOpaqueStipple (mask,
 							       FbRot24(fgxor, rot),
 							       FbRot24(bgxor, rot))
@@ -674,6 +690,7 @@ fbBltOne24 (FbStip	*srcLine,
 		if (stip)
 		{
 		    mask = fbStipple24Bits[rot >> 3][stip] & leftMask;
+		    CHECK_BOUNDS(dst, dstEnd);
 		    *dst = (*dst & ~mask) | (FbRot24(fgxor, rot) & mask);
 		}
 		dst++;
@@ -685,6 +702,7 @@ fbBltOne24 (FbStip	*srcLine,
 		if (stip)
 		{
 		    mask = fbStipple24Bits[rot>>3][stip];
+		    CHECK_BOUNDS(dst, dstEnd);
 		    *dst = (*dst & ~mask) | (FbRot24(fgxor,rot) & mask);
 		}
 		dst++;
@@ -695,6 +713,7 @@ fbBltOne24 (FbStip	*srcLine,
 		if (stip)
 		{
 		    mask = fbStipple24Bits[rot >> 3][stip] & rightMask;
+		    CHECK_BOUNDS(dst, dstEnd);
 		    *dst = (*dst & ~mask) | (FbRot24(fgxor, rot) & mask);
 		}
 	    }
@@ -712,6 +731,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (leftMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		*dst = FbStippleRRopMask (*dst, mask,
 					  FbRot24(fgand, rot),
 					  FbRot24(fgxor, rot),
@@ -725,6 +745,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    while (nl--)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		*dst = FbStippleRRop (*dst, mask,
 				      FbRot24(fgand, rot),
 				      FbRot24(fgxor, rot),
@@ -736,6 +757,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (rightMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		*dst = FbStippleRRopMask (*dst, mask,
 					  FbRot24(fgand, rot),
 					  FbRot24(fgxor, rot),
commit d12b650362da100ceaecb7e859cd4ef1908d4407
Author: Ben Byer <bbyer at bbyer.local>
Date:   Fri Dec 7 21:55:42 2007 -0800

    Just a couple of small uninitialized pointer fixes

diff --git a/miext/rootless/rootlessScreen.c b/miext/rootless/rootlessScreen.c
index 4af395e..503d57c 100644
--- a/miext/rootless/rootlessScreen.c
+++ b/miext/rootless/rootlessScreen.c
@@ -725,6 +725,8 @@ Bool RootlessInit(ScreenPtr pScreen, RootlessFrameProcsPtr procs)
         pScreen->devPrivates[rootlessScreenPrivateIndex].ptr;
 
     s->imp = procs;
+    s->colormap = NULL;
+    s->redisplay_expired = FALSE;
 
     RootlessWrap(pScreen);

More information about the xorg-commit mailing list