xserver: Branch 'server-1.7-branch' - 4 commits
Peter Hutterer
whot at kemper.freedesktop.org
Thu Oct 1 17:31:40 PDT 2009
exa/exa_migration_classic.c | 10 +++----
hw/xfree86/common/xf86DGA.c | 29 ++++++++++++---------
hw/xfree86/modes/xf86Crtc.c | 4 +--
hw/xfree86/modes/xf86Crtc.h | 8 ++++++
hw/xfree86/modes/xf86DiDGA.c | 15 +++++++++--
render/glyph.c | 57 +++++++++++++++++++++++--------------------
render/render.c | 6 +++-
7 files changed, 79 insertions(+), 50 deletions(-)
New commits:
commit 47c0b80915d67346ec63b36b659a96b77e777a71
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Thu Oct 1 10:03:42 2009 +1000
render: Fix crash in RenderAddGlyphs (#23645)
This patch fixes two bugs:
size is calculated as glyph height * padded_width. If the client submits
garbage, this may get above INT_MAX, resulting in a negative size if size is
unsigned. The sanity checks don't trigger for negative sizes and the server
goes and writes into random memory locations.
If the client submits glyphs with a width or height 0, the destination
pixmap is NULL, causing a null-pointer dereference. Since there's nothing to
composite if the width/height is 0, we might as well skip the whole thing
anyway.
Tested with Xvfb, Xephyr and Xorg.
X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 622fc98fd08aba98369e6933c3ab8c9ff85385d5)
diff --git a/render/render.c b/render/render.c
index a306766..a32d797 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
CARD32 *gids;
xGlyphInfo *gi;
CARD8 *bits;
- int size;
+ unsigned int size;
int err;
int i, screen;
PicturePtr pSrc = NULL, pDst = NULL;
@@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
ScreenPtr pScreen;
int error;
+ /* Skip work if it's invisibly small anyway */
+ if (!width || !height)
+ break;
+
pScreen = screenInfo.screens[screen];
pSrcPix = GetScratchPixmapHeader (pScreen,
width, height,
commit 30ebee3bfcadf915be98d407610c615e3e00f9c1
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Thu Oct 1 15:22:19 2009 +1000
render: set the glyph picture to NULL by default.
In a follow-up patch we may have glyphs with a NULL picture. To cope with
that, always set the pictures for glyphs to NULL at creation time and cope
with cleaning up such glyphs. Also, since compositing a NULL source doesn't
do a lot anyway, skip trying to do so.
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Keith Packard <keithp at keithp.com>
(cherry picked from commit 758ab55d2defc78d0169fd61a7036eb9f889e9e7)
diff --git a/render/glyph.c b/render/glyph.c
index 6327c9f..7fcdfd9 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -282,7 +282,8 @@ FreeGlyphPicture(GlyphPtr glyph)
{
ScreenPtr pScreen = screenInfo.screens[i];
- FreePicture ((pointer) GlyphPicture (glyph)[i], 0);
+ if (GlyphPicture(glyph)[i])
+ FreePicture ((pointer) GlyphPicture (glyph)[i], 0);
ps = GetPictureScreenIfSet (pScreen);
if (ps)
@@ -414,6 +415,7 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
for (i = 0; i < screenInfo.numScreens; i++)
{
+ GlyphPicture(glyph)[i] = NULL;
ps = GetPictureScreenIfSet (screenInfo.screens[i]);
if (ps)
@@ -721,32 +723,35 @@ miGlyphs (CARD8 op,
glyph = *glyphs++;
pPicture = GlyphPicture (glyph)[pScreen->myNum];
- if (maskFormat)
+ if (pPicture)
{
- CompositePicture (PictOpAdd,
- pPicture,
- None,
- pMask,
- 0, 0,
- 0, 0,
- x - glyph->info.x,
- y - glyph->info.y,
- glyph->info.width,
- glyph->info.height);
- }
- else
- {
- CompositePicture (op,
- pSrc,
- pPicture,
- pDst,
- xSrc + (x - glyph->info.x) - xDst,
- ySrc + (y - glyph->info.y) - yDst,
- 0, 0,
- x - glyph->info.x,
- y - glyph->info.y,
- glyph->info.width,
- glyph->info.height);
+ if (maskFormat)
+ {
+ CompositePicture (PictOpAdd,
+ pPicture,
+ None,
+ pMask,
+ 0, 0,
+ 0, 0,
+ x - glyph->info.x,
+ y - glyph->info.y,
+ glyph->info.width,
+ glyph->info.height);
+ }
+ else
+ {
+ CompositePicture (op,
+ pSrc,
+ pPicture,
+ pDst,
+ xSrc + (x - glyph->info.x) - xDst,
+ ySrc + (y - glyph->info.y) - yDst,
+ 0, 0,
+ x - glyph->info.x,
+ y - glyph->info.y,
+ glyph->info.width,
+ glyph->info.height);
+ }
}
x += glyph->info.xOff;
commit 8026c5a08584419be3adecd5965dd03e793ddf81
Author: Michel Dänzer <daenzer at vmware.com>
Date: Thu Oct 1 15:17:11 2009 +1000
exa: avoid infinite loops if UTS sw fallbacks.
The upload in finish access can cause an infinite loop if
UTS returns FALSE in here.
Fixes fd.o bug #24246.
Signed-off-by: Dave Airlie <airlied at redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit b5fcc5553eb784c9f4826936e839079c0cdee55a)
diff --git a/exa/exa_migration_classic.c b/exa/exa_migration_classic.c
index 4819af8..6d7b9f5 100644
--- a/exa/exa_migration_classic.c
+++ b/exa/exa_migration_classic.c
@@ -242,11 +242,6 @@ exaCopyDirty(ExaMigrationPtr migrate, RegionPtr pValidDst, RegionPtr pValidSrc,
pBox++;
}
- if (access_prepared)
- exaFinishAccess(&pPixmap->drawable, fallback_index);
- else if (need_sync && sync)
- sync (pPixmap->drawable.pScreen);
-
pExaPixmap->offscreen = save_offscreen;
pPixmap->devKind = save_pitch;
@@ -261,6 +256,11 @@ exaCopyDirty(ExaMigrationPtr migrate, RegionPtr pValidDst, RegionPtr pValidSrc,
REGION_UNION(pScreen, pValidDst, pValidDst, &CopyReg);
REGION_UNINIT(pScreen, &CopyReg);
+
+ if (access_prepared)
+ exaFinishAccess(&pPixmap->drawable, fallback_index);
+ else if (need_sync && sync)
+ sync (pPixmap->drawable.pScreen);
}
/**
commit e182c1b4368c6958579732dd4ddc59de2b46359b
Author: Keith Packard <keithp at keithp.com>
Date: Wed Sep 30 11:40:19 2009 -0700
Re-fix DGA removal.
Removing DGA ended up breaking any drivers calling into the old
xf86DiDGAInit function as it tried to see if DGA was already enabled
and ended up crashing if the VT wasn't completely initialized. Oops.
Also, if the driver initializes DGA itself, have the DiDGA
initialization overwrite that information as the DiDGA code will call
ReInit on mode detect.
Signed-off-by: Keith Packard <keithp at keithp.com>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit db98b26ee145f70e732e2cf4a6ac3de77fdf4adc)
diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c
index 42b7c58..804fd37 100644
--- a/hw/xfree86/common/xf86DGA.c
+++ b/hw/xfree86/common/xf86DGA.c
@@ -120,8 +120,22 @@ DGAInit(
DGAScreenKey = &DGAScreenKeyIndex;
- if(!(pScreenPriv = (DGAScreenPtr)xalloc(sizeof(DGAScreenRec))))
- return FALSE;
+ pScreenPriv = DGA_GET_SCREEN_PRIV(pScreen);
+
+ if (!pScreenPriv)
+ {
+ if(!(pScreenPriv = (DGAScreenPtr)xalloc(sizeof(DGAScreenRec))))
+ return FALSE;
+ dixSetPrivate(&pScreen->devPrivates, DGAScreenKey, pScreenPriv);
+ pScreenPriv->CloseScreen = pScreen->CloseScreen;
+ pScreen->CloseScreen = DGACloseScreen;
+ pScreenPriv->DestroyColormap = pScreen->DestroyColormap;
+ pScreen->DestroyColormap = DGADestroyColormap;
+ pScreenPriv->InstallColormap = pScreen->InstallColormap;
+ pScreen->InstallColormap = DGAInstallColormap;
+ pScreenPriv->UninstallColormap = pScreen->UninstallColormap;
+ pScreen->UninstallColormap = DGAUninstallColormap;
+ }
pScreenPriv->pScrn = pScrn;
pScreenPriv->numModes = num;
@@ -146,17 +160,6 @@ DGAInit(
modes[i].flags &= ~DGA_PIXMAP_AVAILABLE;
#endif
- dixSetPrivate(&pScreen->devPrivates, DGAScreenKey, pScreenPriv);
- pScreenPriv->CloseScreen = pScreen->CloseScreen;
- pScreen->CloseScreen = DGACloseScreen;
- pScreenPriv->DestroyColormap = pScreen->DestroyColormap;
- pScreen->DestroyColormap = DGADestroyColormap;
- pScreenPriv->InstallColormap = pScreen->InstallColormap;
- pScreen->InstallColormap = DGAInstallColormap;
- pScreenPriv->UninstallColormap = pScreen->UninstallColormap;
- pScreen->UninstallColormap = DGAUninstallColormap;
-
-
return TRUE;
}
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index c1e31e0..506fbb9 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -806,7 +806,7 @@ xf86CrtcScreenInit (ScreenPtr screen)
screen->CloseScreen = xf86CrtcCloseScreen;
#ifdef XFreeXDGA
- xf86DiDGAInit(screen, 0);
+ _xf86_di_dga_init_internal(screen);
#endif
#ifdef RANDR_13_INTERFACE
return RANDR_INTERFACE_VERSION;
@@ -1928,7 +1928,7 @@ xf86SetScrnInfoModes (ScrnInfoPtr scrn)
scrn->currentMode = scrn->modes;
#ifdef XFreeXDGA
if (scrn->pScreen)
- xf86DiDGAReInit(scrn->pScreen);
+ _xf86_di_dga_reinit_internal(scrn->pScreen);
#endif
}
diff --git a/hw/xfree86/modes/xf86Crtc.h b/hw/xfree86/modes/xf86Crtc.h
index 69afaa5..9baa956 100644
--- a/hw/xfree86/modes/xf86Crtc.h
+++ b/hw/xfree86/modes/xf86Crtc.h
@@ -833,6 +833,10 @@ xf86OutputGetEDID (xf86OutputPtr output, I2CBusPtr pDDCBus);
extern _X_EXPORT Bool
xf86DiDGAInit (ScreenPtr pScreen, unsigned long dga_address);
+/* this is the real function, used only internally */
+_X_INTERNAL Bool
+_xf86_di_dga_init_internal (ScreenPtr pScreen);
+
/**
* Re-initialize dga for this screen (as when the set of modes changes)
*/
@@ -841,6 +845,10 @@ extern _X_EXPORT Bool
xf86DiDGAReInit (ScreenPtr pScreen);
#endif
+/* This is the real function, used only internally */
+_X_INTERNAL Bool
+_xf86_di_dga_reinit_internal (ScreenPtr pScreen);
+
/*
* Set the subpixel order reported for the screen using
* the information from the outputs
diff --git a/hw/xfree86/modes/xf86DiDGA.c b/hw/xfree86/modes/xf86DiDGA.c
index 0f7b834..60fbdbf 100644
--- a/hw/xfree86/modes/xf86DiDGA.c
+++ b/hw/xfree86/modes/xf86DiDGA.c
@@ -175,6 +175,12 @@ static DGAFunctionRec xf86_dga_funcs = {
Bool
xf86DiDGAReInit (ScreenPtr pScreen)
{
+ return TRUE;
+}
+
+Bool
+_xf86_di_dga_reinit_internal (ScreenPtr pScreen)
+{
ScrnInfoPtr scrn = xf86Screens[pScreen->myNum];
xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
@@ -190,12 +196,15 @@ xf86DiDGAReInit (ScreenPtr pScreen)
Bool
xf86DiDGAInit (ScreenPtr pScreen, unsigned long dga_address)
{
+ return TRUE;
+}
+
+Bool
+_xf86_di_dga_init_internal (ScreenPtr pScreen)
+{
ScrnInfoPtr scrn = xf86Screens[pScreen->myNum];
xf86CrtcConfigPtr xf86_config = XF86_CRTC_CONFIG_PTR(scrn);
- if (DGAAvailable(pScreen->myNum))
- return TRUE;
-
xf86_config->dga_flags = 0;
xf86_config->dga_address = 0;
xf86_config->dga_width = 0;
More information about the xorg-commit
mailing list