xserver: Branch 'master' - 2 commits
Peter Hutterer
whot at kemper.freedesktop.org
Wed Sep 30 23:07:13 PDT 2009
render/glyph.c | 57 ++++++++++++++++++++++++++++++--------------------------
render/render.c | 6 ++++-
2 files changed, 36 insertions(+), 27 deletions(-)
New commits:
commit 622fc98fd08aba98369e6933c3ab8c9ff85385d5
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Thu Oct 1 10:03:42 2009 +1000
render: Fix crash in RenderAddGlyphs (#23645)
This patch fixes two bugs:
size is calculated as glyph height * padded_width. If the client submits
garbage, this may exceed INT_MAX, resulting in a negative size because size is
a signed int. The sanity checks don't trigger for negative sizes, and the server
goes on to write into random memory locations.
If the client submits glyphs with a width or height 0, the destination
pixmap is NULL, causing a null-pointer dereference. Since there's nothing to
composite if the width/height is 0, we might as well skip the whole thing
anyway.
Tested with Xvfb, Xephyr and Xorg.
X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/render/render.c b/render/render.c
index a306766..a32d797 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
CARD32 *gids;
xGlyphInfo *gi;
CARD8 *bits;
- int size;
+ unsigned int size;
int err;
int i, screen;
PicturePtr pSrc = NULL, pDst = NULL;
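Review bot: Declaring `size` as `unsigned int` stops the product from going negative, but it can still wrap. Per the commit message, size is glyph height times the padded width, and a 32-bit unsigned multiply of two client-supplied values reduces silently modulo 2^32, so an oversized request may produce a small `size` that passes the length checks. The computation and those checks are outside this hunk, so this is inferred rather than visible. If it holds, do the multiply in a 64-bit type, or reject the request when `height != 0 && stride > UINT_MAX / height` before assigning. A comment at the declaration such as `/* unsigned: height * stride comes from the client and must never go negative */` would record why the type matters.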
@@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
ScreenPtr pScreen;
int error;
+ /* Skip work if it's invisibly small anyway */
+ if (!width || !height)
+ break;
+
pScreen = screenInfo.screens[screen];
pSrcPix = GetScratchPixmapHeader (pScreen,
width, height,
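Review bot: The `break` added for a zero `width` or `height` exits whatever loop encloses this block, and that loop is not visible in the hunk. It is presumably the per-screen loop, in which case the glyph ends up with no picture on any screen. The comment only says work is skipped; it should state the invariant this creates, for example `/* Zero-sized glyph: leave its per-screen pictures NULL; every user of GlyphPicture() must tolerate NULL */`. That makes the dependency on the NULL handling in render/glyph.c explicit for the next reader.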
commit 758ab55d2defc78d0169fd61a7036eb9f889e9e7
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date: Thu Oct 1 15:22:19 2009 +1000
render: set the glyph picture to NULL by default.
In a follow-up patch we may have glyphs with a NULL picture. To cope with
that, always set the pictures for glyphs to NULL at creation time and cope
with cleaning up such glyphs. Also, since compositing a NULL source doesn't
do a lot anyway, skip trying to do so.
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
Reviewed-by: Keith Packard <keithp at keithp.com>
diff --git a/render/glyph.c b/render/glyph.c
index 6327c9f..7fcdfd9 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -282,7 +282,8 @@ FreeGlyphPicture(GlyphPtr glyph)
{
ScreenPtr pScreen = screenInfo.screens[i];
- FreePicture ((pointer) GlyphPicture (glyph)[i], 0);
+ if (GlyphPicture(glyph)[i])
+ FreePicture ((pointer) GlyphPicture (glyph)[i], 0);
ps = GetPictureScreenIfSet (pScreen);
if (ps)
@@ -414,6 +415,7 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
for (i = 0; i < screenInfo.numScreens; i++)
{
+ GlyphPicture(glyph)[i] = NULL;
ps = GetPictureScreenIfSet (screenInfo.screens[i]);
if (ps)
@@ -721,32 +723,35 @@ miGlyphs (CARD8 op,
glyph = *glyphs++;
pPicture = GlyphPicture (glyph)[pScreen->myNum];
- if (maskFormat)
+ if (pPicture)
{
- CompositePicture (PictOpAdd,
- pPicture,
- None,
- pMask,
- 0, 0,
- 0, 0,
- x - glyph->info.x,
- y - glyph->info.y,
- glyph->info.width,
- glyph->info.height);
- }
- else
- {
- CompositePicture (op,
- pSrc,
- pPicture,
- pDst,
- xSrc + (x - glyph->info.x) - xDst,
- ySrc + (y - glyph->info.y) - yDst,
- 0, 0,
- x - glyph->info.x,
- y - glyph->info.y,
- glyph->info.width,
- glyph->info.height);
+ if (maskFormat)
+ {
+ CompositePicture (PictOpAdd,
+ pPicture,
+ None,
+ pMask,
+ 0, 0,
+ 0, 0,
+ x - glyph->info.x,
+ y - glyph->info.y,
+ glyph->info.width,
+ glyph->info.height);
+ }
+ else
+ {
+ CompositePicture (op,
+ pSrc,
+ pPicture,
+ pDst,
+ xSrc + (x - glyph->info.x) - xDst,
+ ySrc + (y - glyph->info.y) - yDst,
+ 0, 0,
+ x - glyph->info.x,
+ y - glyph->info.y,
+ glyph->info.width,
+ glyph->info.height);
+ }
}
x += glyph->info.xOff;
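Review bot: The new `if (pPicture)` guard in miGlyphs has no comment saying when a glyph picture is legitimately NULL, and it protects only this one consumer. Add a line above the test such as `/* NULL for glyphs created without a picture (e.g. zero width or height): nothing to composite */`. Any other code that reads `GlyphPicture (glyph)[...]` and passes the result on would need the same check, because after this series a client request can create such glyphs. No such code is visible in this diff, so that part needs checking against the rest of the tree. Advancing `x` by `xOff` after the guard keeps the positions of later glyphs correct.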