xserver: Branch 'xorg-server-1.4-apple' - 3 commits

Jeremy Huddleston jeremyhu at kemper.freedesktop.org
Fri Dec 7 22:50:06 PST 2007


 fb/fb.h                         |    7 +++++++
 fb/fbbltone.c                   |   32 +++++++++++++++++++++++++++-----
 miext/rootless/rootlessScreen.c |    2 ++
 3 files changed, 36 insertions(+), 5 deletions(-)

New commits:
commit 1e1073334af05288158469e0241367144634fe4e
Author: Ben Byer <bbyer at bbyer.local>
Date:   Fri Dec 7 22:26:17 2007 -0800

    Added code to check for null pointers on fb* invocations
    (cherry picked from commit 6f441d79c7c884c8cd9315f490f7833a877344aa)

diff --git a/fb/fb.h b/fb/fb.h
index df430b8..65fa173 100644
--- a/fb/fb.h
+++ b/fb/fb.h
@@ -168,6 +168,11 @@ typedef CARD32		    FbStip;
 
 typedef int		    FbStride;
 
+#define CHECK_NULL(ptr) \
+  if ((ptr) == NULL) {\
+    ErrorF("%s:%d: null pointer\n", __FILE__, __LINE__); \
+    return; \
+  }
 
 #ifdef FB_DEBUG
 extern void fbValidateDrawable(DrawablePtr d);
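Review bot: `CHECK_NULL` is a bare `if` with a `return;` inside it, so it compiles cleanly only in functions returning `void` and can swallow an `else` that follows the expansion. Because the next two hunks expand it inside `fbGetDrawable` and `fbGetStipDrawable`, every user of those macros gains a hidden early exit; the callers are outside this diff, so any that return a value or that pair the macro with later cleanup need checking. `__FILE__`/`__LINE__` identify the call site but not the drawable, so the log line gives little to diagnose with. I would wrap the body as `do { if ((ptr) == NULL) { ...; return; } } while (0)` and add a comment above it: `/* Logs and returns from the ENCLOSING function; use only in void functions. */`.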
@@ -717,6 +722,7 @@ typedef struct {
     (pointer) = (FbBits *) _pPix->devPrivate.ptr; \
     (stride) = ((int) _pPix->devKind) / sizeof (FbBits); (void)(stride); \
     (bpp) = _pPix->drawable.bitsPerPixel;  (void)(bpp); \
+    CHECK_NULL(pointer); \
 }
 
 #define fbGetStipDrawable(pDrawable, pointer, stride, bpp, xoff, yoff) { \
@@ -734,6 +740,7 @@ typedef struct {
     (pointer) = (FbStip *) _pPix->devPrivate.ptr; \
     (stride) = ((int) _pPix->devKind) / sizeof (FbStip); (void)(stride); \
     (bpp) = _pPix->drawable.bitsPerPixel; (void)(bpp); \
+    CHECK_NULL(pointer); \
 }
 
 /*
commit 24c54f53ff97b7bc814f7cb33d88e28b9bf536dc
Author: Ben Byer <bbyer at bbyer.local>
Date:   Fri Dec 7 21:56:45 2007 -0800

    Added checks to avoid writing past the end of the buffer in fbBltOne
    (cherry picked from commit e5f54f122b2068ff7b94a979ebadac4cf8eef20f)

diff --git a/fb/fbbltone.c b/fb/fbbltone.c
index ffe6977..6dcc982 100644
--- a/fb/fbbltone.c
+++ b/fb/fbbltone.c
@@ -56,6 +56,13 @@
     } else \
 	bits = (src < srcEnd ? READ(src++) : 0); \
 }
+
+#define CHECK_BOUNDS(pointer, limit) \
+  if (dst > dstEnd) { \
+    ErrorF("WARNING: fbbltone tried to write over end of buffer (dst=%p dstEnd=%p)\n", \
+	   dst, dstEnd); \
+    return; \
+  }
     
 #ifndef FBNOPIXADDR
     
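Review bot: `CHECK_BOUNDS` still allows a write at `dst == dstEnd`; the later hunks set `dstEnd = dst + height * dstStride`, which is one element past the destination region, so the test should be `>=` rather than `>`. The macro also ignores its `pointer` and `limit` parameters and reads `dst` and `dstEnd` from the enclosing scope, which hides what is being compared at each call site. `%p` expects `void *`, so the arguments need a cast. Suggested condition and arguments: `if ((pointer) >= (limit)) {` and `(void *)(pointer), (void *)(limit));`. Like any macro that returns, it should be wrapped in `do { ... } while (0)` and carry a comment saying it exits the enclosing function.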
@@ -148,7 +155,7 @@ fbBltOne (FbStip    *src,
 	  FbBits    bgxor)
 {
     const FbBits    *fbBits;
-    FbBits	    *srcEnd;
+    FbBits	    *srcEnd, *dstEnd;
     int		    pixelsPerDst;		/* dst pixels per FbBits */
     int		    unitsPerSrc;		/* src patterns per FbStip */
     int		    leftShift, rightShift;	/* align source with dest */
@@ -181,9 +188,10 @@ fbBltOne (FbStip    *src,
 #endif
 
     /*
-     * Do not read past the end of the buffer!
+     * Do not read or write past the end of the buffer!
      */
     srcEnd = src + height * srcStride;
+    dstEnd = dst + height * dstStride;
 
     /*
      * Number of destination units in FbBits == number of stipple pixels
@@ -296,6 +304,7 @@ fbBltOne (FbStip    *src,
 	     */
 	    if (startmask)
 	    {
+	      CHECK_BOUNDS(dst, dstEnd);
 #if FB_UNIT > 32
 		if (pixelsPerDst == 16)
 		    mask = FbStipple16Bits(FbLeftStipBits(bits,16));
@@ -336,6 +345,7 @@ fbBltOne (FbStip    *src,
 			else
 #endif
 			    mask = fbBits[FbLeftStipBits(bits,pixelsPerDst)];
+			CHECK_BOUNDS(dst, dstEnd);
 			WRITE(dst, FbOpaqueStipple (mask, fgxor, bgxor));
 			dst++;
 			bits = FbStipLeft(bits, pixelsPerDst);
@@ -346,6 +356,7 @@ fbBltOne (FbStip    *src,
 #ifndef FBNOPIXADDR
 		    if (fbLane)
 		    {
+		      CHECK_BOUNDS(dst, dstEnd);
 			while (bits && n)
 			{
 			    switch (fbLane[FbLeftStipBits(bits,pixelsPerDst)]) {
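Review bot: The `CHECK_BOUNDS(dst, dstEnd)` placed ahead of `while (bits && n)` runs once per entry to the `fbLane` branch, so it validates only the first destination word. The loop body lies outside the hunk, but if it advances `dst` as the non-lane path does (`dst++` after each `WRITE`), later iterations write unchecked. Moving the check to the top of the loop body, directly before the `switch`, gives the same per-write coverage as the other call sites.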
@@ -366,6 +377,7 @@ fbBltOne (FbStip    *src,
 			    if (left || !transparent)
 			    {
 				mask = fbBits[left];
+				CHECK_BOUNDS(dst, dstEnd);
 				WRITE(dst, FbStippleRRop (READ(dst), mask,
 						          fgand, fgxor, bgand, bgxor));
 			    }
@@ -586,7 +598,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    FbBits	bgand,
 	    FbBits	bgxor)
 {
-    FbStip	*src, *srcEnd;
+    FbStip	*src, *srcEnd, *dstEnd;
     FbBits	leftMask, rightMask, mask;
     int		nlMiddle, nl;
     FbStip	stip, bits;
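Review bot: `dstEnd` is declared as `FbStip *` here, whereas the `fbBltOne` hunk declares it as `FbBits *`. The next hunk assigns `dst + height * dstStride` to it and advances `dst` by `dstX >> FB_SHIFT`, which suggests `dst` is an `FbBits` pointer (its declaration is outside the hunk); on builds where `FbBits` is wider than `FbStip` that is an incompatible-pointer assignment and a mixed-type comparison inside `CHECK_BOUNDS`. Declaring it separately keeps the types aligned: `FbStip *src, *srcEnd;` and `FbBits *dstEnd;`.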
@@ -597,9 +609,10 @@ fbBltOne24 (FbStip	*srcLine,
     int		nDst;
     
     /*
-     * Do not read past the end of the buffer!
+     * Do not read or write past the end of the buffer!
      */
     srcEnd = srcLine + height * srcStride;
+    dstEnd = dst + height * dstStride;
 
     srcLine += srcX >> FB_STIP_SHIFT;
     dst += dstX >> FB_SHIFT;
@@ -629,6 +642,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (leftMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		WRITE(dst, (READ(dst) & ~leftMask) |
 			    (FbOpaqueStipple (mask,
 					      FbRot24(fgxor, rot),
@@ -641,6 +655,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    while (nl--)
 	    {
 		mask = fbStipple24Bits[rot>>3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		WRITE(dst, FbOpaqueStipple (mask,
 					    FbRot24(fgxor, rot),
 					    FbRot24(bgxor, rot)));
@@ -650,6 +665,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (rightMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		WRITE(dst, (READ(dst) & ~rightMask) |
 			    (FbOpaqueStipple (mask,
 					      FbRot24(fgxor, rot),
@@ -674,7 +690,8 @@ fbBltOne24 (FbStip	*srcLine,
 		if (stip)
 		{
 		    mask = fbStipple24Bits[rot >> 3][stip] & leftMask;
-		    WRITE(dst, (READ(dst) & ~mask) | (FbRot24(fgxor, rot) & mask));
+		    CHECK_BOUNDS(dst, dstEnd);
+			WRITE(dst, (READ(dst) & ~mask) | (FbRot24(fgxor, rot) & mask));
 		}
 		dst++;
 		fbNextStipBits (rot, stip);
@@ -685,6 +702,7 @@ fbBltOne24 (FbStip	*srcLine,
 		if (stip)
 		{
 		    mask = fbStipple24Bits[rot>>3][stip];
+			CHECK_BOUNDS(dst, dstEnd);
 		    WRITE(dst, (READ(dst) & ~mask) | (FbRot24(fgxor,rot) & mask));
 		}
 		dst++;
@@ -695,6 +713,7 @@ fbBltOne24 (FbStip	*srcLine,
 		if (stip)
 		{
 		    mask = fbStipple24Bits[rot >> 3][stip] & rightMask;
+			CHECK_BOUNDS(dst, dstEnd);
 		    WRITE(dst, (READ(dst) & ~mask) | (FbRot24(fgxor, rot) & mask));
 		}
 	    }
@@ -712,6 +731,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (leftMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		WRITE(dst, FbStippleRRopMask (READ(dst), mask,
 					      FbRot24(fgand, rot),
 					      FbRot24(fgxor, rot),
@@ -725,6 +745,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    while (nl--)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		WRITE(dst, FbStippleRRop (READ(dst), mask,
 					  FbRot24(fgand, rot),
 					  FbRot24(fgxor, rot),
@@ -736,6 +757,7 @@ fbBltOne24 (FbStip	*srcLine,
 	    if (rightMask)
 	    {
 		mask = fbStipple24Bits[rot >> 3][stip];
+		CHECK_BOUNDS(dst, dstEnd);
 		WRITE(dst, FbStippleRRopMask (READ(dst), mask,
 					      FbRot24(fgand, rot),
 					      FbRot24(fgxor, rot),
commit c8161d482adfbdf97be8482e985f1afe0bec24a9
Author: Ben Byer <bbyer at bbyer.local>
Date:   Fri Dec 7 21:55:42 2007 -0800

    Just a couple of small uninitialized pointer fixes
    (cherry picked from commit d12b650362da100ceaecb7e859cd4ef1908d4407)

diff --git a/miext/rootless/rootlessScreen.c b/miext/rootless/rootlessScreen.c
index 4af395e..503d57c 100644
--- a/miext/rootless/rootlessScreen.c
+++ b/miext/rootless/rootlessScreen.c
@@ -725,6 +725,8 @@ Bool RootlessInit(ScreenPtr pScreen, RootlessFrameProcsPtr procs)
         pScreen->devPrivates[rootlessScreenPrivateIndex].ptr;
 
     s->imp = procs;
+    s->colormap = NULL;
+    s->redisplay_expired = FALSE;
 
     RootlessWrap(pScreen);
 
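Review bot: Initialising `s->colormap` and `s->redisplay_expired` one at a time leaves any other member of the private record with whatever the allocator returned. The allocation of `s` is outside the hunk; if it comes from an uninitialised heap allocation, zeroing the whole structure there (for example `memset(s, 0, sizeof *s);` right after the allocation succeeds) would cover these two fields and any added later. RootlessInit continues beyond the hunk.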

