xserver: Branch 'server-1.5-branch' - 2 commits

Wed Jun 11 16:27:25 PDT 2008

GL/glx/glxscreens.c |    7 ++++--
 dbe/dbe.c           |   53 ++++++++++++++++++++++++++--------------------------
 2 files changed, 32 insertions(+), 28 deletions(-)

New commits:
commit 336a46c51932b9af7732e575f7ff43e41e47649e
Author: George Sapountzis <gsap7 at yahoo.gr>
Date:   Fri May 23 22:39:35 2008 +0300

    glx: fix memory corruption with r5g6b5
    
    should cherry-pick to xserver-1.5
    (cherry picked from commit 6c72961d8fa1ab1543f1b3e2cc7d34ff6d254bf8)

diff --git a/GL/glx/glxscreens.c b/GL/glx/glxscreens.c
index 5859de0..cc7054a 100644
--- a/GL/glx/glxscreens.c
+++ b/GL/glx/glxscreens.c
@@ -420,10 +420,13 @@ findFirstSet(unsigned int v)
 static void
 initGlxVisual(VisualPtr visual, __GLXconfig *config)
 {
+    int maxBits;
+    maxBits = max(config->redBits, max(config->greenBits, config->blueBits));
+
     config->visualID = visual->vid;
     visual->class = glxConvertToXVisualType(config->visualType);
-    visual->bitsPerRGBValue = config->redBits;
-    visual->ColormapEntries = 1 << config->redBits;
+    visual->bitsPerRGBValue = maxBits;
+    visual->ColormapEntries = 1 << maxBits;
     visual->nplanes = config->redBits + config->greenBits + config->blueBits;
 
     visual->redMask = config->redMask;
commit 38f573566e3218bd385a4940a6f9be700bc4f937
Author: Dave Airlie <airlied at redhat.com>
Date:   Thu Jun 12 09:04:24 2008 +1000

    dbe: fix DoS reported by iDefense.
    
    This isn't a security problem just a user could DoS themselves for fun or profit.
    (cherry picked from commit 23e71ef71a178505494d4b410f9314acfff81524)

diff --git a/dbe/dbe.c b/dbe/dbe.c
index 8175a35..d34708d 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -229,6 +229,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
     xDbeSwapAction		swapAction;
     VisualID			visual;
     int				status;
+    int				add_index;
 
 
     REQUEST_SIZE_MATCH(xDbeAllocateBackBufferNameReq);
@@ -299,14 +300,6 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
             return(BadAlloc);
 	bzero(pDbeWindowPriv, sizeof(DbeWindowPrivRec));
 
-        /* Make the window priv a DBE window priv resource. */
-        if (!AddResource(stuff->buffer, dbeWindowPrivResType,
-            (pointer)pDbeWindowPriv))
-        {
-            xfree(pDbeWindowPriv);
-            return(BadAlloc);
-        }
-
         /* Fill out window priv information. */
         pDbeWindowPriv->pWindow      = pWin;
         pDbeWindowPriv->width        = pWin->drawable.width;
@@ -321,14 +314,15 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
         /* Initialize the buffer ID list. */ 
         pDbeWindowPriv->maxAvailableIDs = DBE_INIT_MAX_IDS;
         pDbeWindowPriv->IDs[0] = stuff->buffer;
-        for (i = 1; i < DBE_INIT_MAX_IDS; i++)
+
+        add_index = 0;
+        for (i = 0; i < DBE_INIT_MAX_IDS; i++)
         {
             pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
         }
 
-
         /* Actually connect the window priv to the window. */
-	dixSetPrivate(&pWin->devPrivates, dbeWindowPrivKey, pDbeWindowPriv);
+        dixSetPrivate(&pWin->devPrivates, dbeWindowPrivKey, pDbeWindowPriv);
 
     } /* if -- There is no buffer associated with the window. */
 
@@ -354,7 +348,6 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
             /* No more room in the ID array -- reallocate another array. */
             XID	*pIDs;
 
-
             /* Setup an array pointer for the realloc operation below. */
             if (pDbeWindowPriv->maxAvailableIDs == DBE_INIT_MAX_IDS)
             {
@@ -391,16 +384,7 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
             pDbeWindowPriv->maxAvailableIDs += DBE_INCR_MAX_IDS;
         }
 
-        /* Finally, record the buffer ID in the array. */
-        pDbeWindowPriv->IDs[i] = stuff->buffer;
-
-        /* Associate the new ID with an existing window priv. */
-        if (!AddResource(stuff->buffer, dbeWindowPrivResType,
-                         (pointer)pDbeWindowPriv))
-        {
-            pDbeWindowPriv->IDs[i] = DBE_FREE_ID_ELEMENT;
-            return(BadAlloc);
-        }
+	add_index = i;
 
     } /* else -- A buffer is already associated with the window. */
 
@@ -409,13 +393,26 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
     status = (*pDbeScreenPriv->AllocBackBufferName)(pWin, stuff->buffer,
                                                     stuff->swapAction);
 
-    if ((status != Success) && (pDbeWindowPriv->nBufferIDs == 0))
+    if (status == Success)
     {
+	pDbeWindowPriv->IDs[add_index] = stuff->buffer;
+        if (!AddResource(stuff->buffer, dbeWindowPrivResType,
+                         (pointer)pDbeWindowPriv))
+	{
+            pDbeWindowPriv->IDs[add_index] = DBE_FREE_ID_ELEMENT;
+
+            if (pDbeWindowPriv->nBufferIDs == 0) {
+                status = BadAlloc;
+                goto out_free;
+            }
+        }
+    } else {
         /* The DDX buffer allocation routine failed for the first buffer of
          * this window.
          */
-        xfree(pDbeWindowPriv);
-        return(status);
+        if (pDbeWindowPriv->nBufferIDs == 0) {
+            goto out_free;
+        }
     }
 
     /* Increment the number of buffers (XIDs) associated with this window. */
@@ -424,9 +421,13 @@ ProcDbeAllocateBackBufferName(ClientPtr client)
     /* Set swap action on all calls. */
     pDbeWindowPriv->swapAction = stuff->swapAction;
 
-
     return(status);
 
+out_free:
+    dixSetPrivate(&pWin->devPrivates, dbeWindowPrivKey, NULL);
+    xfree(pDbeWindowPriv);
+    return (status);
+
 } /* ProcDbeAllocateBackBufferName() */
 
 
