xserver: Branch 'server-1.7-nominations' - 6 commits

Julien Cristau jcristau at kemper.freedesktop.org
Sat Aug 21 12:43:56 PDT 2010


 Xext/xace.c                     |  170 +++++++++++++++++-----------------------
 fb/fbbits.h                     |    2 
 hw/xfree86/common/xf86RandR.c   |    4 
 hw/xfree86/ddc/interpret_edid.c |    2 
 render/render.c                 |    8 +
 xkb/xkbUtils.c                  |    4 
 6 files changed, 89 insertions(+), 101 deletions(-)

New commits:
commit 7c544986656713b5bbdb936bb7c3cb5a83d9f833
Author: Keith Packard <keithp at keithp.com>
Date:   Fri Aug 20 10:01:48 2010 -0700

    fb: make isClipped always reject negative coordinates (bug 11503)
    
    A window with either dimension > 32767 can be positioned such that
    coordinates > 32767 are visible on the screen. Attempts to draw to
    those pixels will generate coordinates wrapped around to negative
    values.
    
    The optimized clipping macro, 'isClipped', in fbbits.h, computes
    clipping in window space rather than screen space using int16 values,
    and so it too has coordinates wrapped around to negative values and
    hence ends up accepting the wrapped drawing coordinates.
    
    Two possible fixes for this problem
    
     1) Detect wrapped region coordinates and clip those to 32767.
     2) Detect negative incoming coordinates and reject those
    
    This patch takes the second approach as it is much shorter, simply
    detecting when either X or Y incoming coordinate is negative, which
    can never be 'within' any drawable.
    
    Signed-off-by: Keith Packard <keithp at keithp.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit 3e56efcfb63677cd8574e1e435e61d96f79ea536)

diff --git a/fb/fbbits.h b/fb/fbbits.h
index 44991f1..b8af785 100644
--- a/fb/fbbits.h
+++ b/fb/fbbits.h
@@ -25,7 +25,7 @@
  * underlying datatypes instead of masks
  */
 
-#define isClipped(c,ul,lr)  ((((c) - (ul)) | ((lr) - (c))) & 0x80008000)
+#define isClipped(c,ul,lr)  (((c) | ((c) - (ul)) | ((lr) - (c))) & 0x80008000)
 
 #ifdef HAVE_DIX_CONFIG_H
 #include <dix-config.h>
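Review bot: The new `(c) |` term in isClipped is undocumented, and the comment above the macro still only talks about datatypes versus masks. Please add a line saying that `c` packs two int16 coordinates, that 0x80008000 tests the sign bit of each half, and that a negative incoming coordinate is now always treated as clipped (bug 11503). Note also that `c` is now expanded three times, so callers must keep passing side-effect-free expressions.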
commit f43e105ee8741c8be49a602b08752f2390f094f7
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Fri Aug 20 13:51:04 2010 +0100

    edid: Adjust rounding of max_clock
    
    A simple hack to accommodate various EDID who have detailed modes that
    exceed the EDID's max pixel clock. The pixel clock is only defined in
    units of 10MHz and often appears as the maximum pixel code of the
    detailed modes, rounded to the nearest 10MHz. Adjusting the max_clock to
    include an extra 5MHz prevents the parser from rejecting the detailed
    modes.
    
    The kernel uses the same fuzz and by including it in X we can use the
    same modes in X as for the console.
    
    Fixes:
    
      Bug 23833 - X uses different refresh rate to that set by kernel module
      https://bugs.freedesktop.org/show_bug.cgi?id=23833
    
    In the future, we will want to try harder to keep the KMS modes but at
    the same time we need to apply the restrictions as specified by the
    user's configuration, and need to fill in modes for fullscreen games on
    fixed-mode panels.
    
    Reported-and-tested-by: Fabio Pedretti <fabio.ped at libero.it>
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
    Reviewed-by: Alex Deucher <alexdeucher at gmail.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 951605b4660290044fb238bcf1d6d9e498567e8c)

diff --git a/hw/xfree86/ddc/interpret_edid.c b/hw/xfree86/ddc/interpret_edid.c
index 12a5254..f48ed52 100644
--- a/hw/xfree86/ddc/interpret_edid.c
+++ b/hw/xfree86/ddc/interpret_edid.c
@@ -385,7 +385,7 @@ get_monitor_ranges(Uchar *c, struct monitor_ranges *r)
     r->max_h = MAX_H;
     r->max_clock = 0;
     if(MAX_CLOCK != 0xff) /* is specified? */
-	r->max_clock = MAX_CLOCK * 10;
+	r->max_clock = MAX_CLOCK * 10 + 5;
     if (HAVE_2ND_GTF) {
 	r->gtf_2nd_f = F_2ND_GTF;
 	r->gtf_2nd_c = C_2ND_GTF;
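Review bot: The `+ 5` in `r->max_clock = MAX_CLOCK * 10 + 5;` is a bare magic number; the reason for it lives only in the commit message. A short comment at the assignment (the EDID field has 10MHz granularity, so allow half a step of slack to match the kernel) would stop someone from "fixing" it back later, and would make it clear that max_clock is no longer the exact value read from the EDID.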
commit d5248f036470150bd68148755b47abbbae3bfb33
Author: Adam Jackson <ajax at redhat.com>
Date:   Mon Jun 28 18:08:50 2010 -0400

    render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801)
    
    Signed-off-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 5725849a1b427cd4a72b84e57f211edb35838718)

diff --git a/render/render.c b/render/render.c
index 3f7edf7..b78c75b 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1085,6 +1085,14 @@ ProcRenderAddGlyphs (ClientPtr client)
     gi = (xGlyphInfo *) (gids + nglyphs);
     bits = (CARD8 *) (gi + nglyphs);
     remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs;
+
+    /* protect against bad nglyphs */
+    if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) ||
+        bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) {
+        err = BadLength;
+        goto bail;
+    }
+
     for (i = 0; i < nglyphs; i++)
     {
 	size_t padded_width;
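Review bot: The bounds check runs after `gi = (xGlyphInfo *) (gids + nglyphs)`, `bits = (CARD8 *) (gi + nglyphs)` and the `remain -= ... * nglyphs` line, so it is testing pointers that were already computed from the unvalidated count. With a large enough nglyphs that arithmetic can wrap, and a wrapped pointer may land back inside the request and pass the comparison. It would be more robust to validate nglyphs arithmetically first, for example by comparing it against remain / (sizeof (CARD32) + sizeof (xGlyphInfo)) before deriving gi and bits and before adjusting remain. Separately, gi and bits are compared against `stuff` and `(CARD32 *)stuff + client->req_len` without casts to a common pointer type, which will at least draw compiler warnings.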
commit 845f0bb1b941e770d88c40afe029e2fedd8655d9
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Tue Aug 10 19:30:20 2010 +0100

    xace: Invalid reference to out-of-scope data.
    
    The callback data passed by reference to the hook was allocated on stack
    within the scope of the case statement. The compiler is free to reuse
    any of that stack space whilst making the function call so we may end up
    passing garbage into the callback.
    
    References:
    
      Bug 18451 - Xorg server 1.5.2 SEGV during XFixesGetCursorImage()
      https://bugs.freedesktop.org/show_bug.cgi?id=18451
    
    v2: Drop the unrelated hunk that snuck in when amending the commit
    message.
    
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 6dae7f3792611aace1df0cca63bf50c50d93de43)

diff --git a/Xext/xace.c b/Xext/xace.c
index bf0e98f..414eb4a 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -87,7 +87,18 @@ void XaceHookAuditEnd(ClientPtr ptr, int result)
  */
 int XaceHook(int hook, ...)
 {
-    pointer calldata;	/* data passed to callback */
+    union {
+	XaceResourceAccessRec res;
+	XaceDeviceAccessRec dev;
+	XaceSendAccessRec send;
+	XaceReceiveAccessRec recv;
+	XaceClientAccessRec client;
+	XaceExtAccessRec ext;
+	XaceServerAccessRec server;
+	XaceScreenAccessRec screen;
+	XaceAuthAvailRec auth;
+	XaceKeyAvailRec key;
+    } u;
     int *prv = NULL;	/* points to return value from callback */
     va_list ap;		/* argument list */
     va_start(ap, hook);
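Review bot: The union `u` replaces `pointer calldata; /* data passed to callback */` but carries no comment of its own. Since the whole point of the change is storage lifetime, please say so at the declaration: the record is built in the switch and read by the callbacks after it, so it must live at function scope. That also tells whoever adds the next hook type that a new member belongs here rather than in a block-local variable.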
@@ -99,117 +110,86 @@ int XaceHook(int hook, ...)
      */
     switch (hook)
     {
-	case XACE_RESOURCE_ACCESS: {
-	    XaceResourceAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.id = va_arg(ap, XID);
-	    rec.rtype = va_arg(ap, RESTYPE);
-	    rec.res = va_arg(ap, pointer);
-	    rec.ptype = va_arg(ap, RESTYPE);
-	    rec.parent = va_arg(ap, pointer);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_RESOURCE_ACCESS:
+	    u.res.client = va_arg(ap, ClientPtr);
+	    u.res.id = va_arg(ap, XID);
+	    u.res.rtype = va_arg(ap, RESTYPE);
+	    u.res.res = va_arg(ap, pointer);
+	    u.res.ptype = va_arg(ap, RESTYPE);
+	    u.res.parent = va_arg(ap, pointer);
+	    u.res.access_mode = va_arg(ap, Mask);
+	    u.res.status = Success; /* default allow */
+	    prv = &u.res.status;
 	    break;
-	}
-	case XACE_DEVICE_ACCESS: {
-	    XaceDeviceAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.dev = va_arg(ap, DeviceIntPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_DEVICE_ACCESS:
+	    u.dev.client = va_arg(ap, ClientPtr);
+	    u.dev.dev = va_arg(ap, DeviceIntPtr);
+	    u.dev.access_mode = va_arg(ap, Mask);
+	    u.dev.status = Success; /* default allow */
+	    prv = &u.dev.status;
 	    break;
-	}
-	case XACE_SEND_ACCESS: {
-	    XaceSendAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.dev = va_arg(ap, DeviceIntPtr);
-	    rec.pWin = va_arg(ap, WindowPtr);
-	    rec.events = va_arg(ap, xEventPtr);
-	    rec.count = va_arg(ap, int);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_SEND_ACCESS:
+	    u.send.client = va_arg(ap, ClientPtr);
+	    u.send.dev = va_arg(ap, DeviceIntPtr);
+	    u.send.pWin = va_arg(ap, WindowPtr);
+	    u.send.events = va_arg(ap, xEventPtr);
+	    u.send.count = va_arg(ap, int);
+	    u.send.status = Success; /* default allow */
+	    prv = &u.send.status;
 	    break;
-	}
-	case XACE_RECEIVE_ACCESS: {
-	    XaceReceiveAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.pWin = va_arg(ap, WindowPtr);
-	    rec.events = va_arg(ap, xEventPtr);
-	    rec.count = va_arg(ap, int);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_RECEIVE_ACCESS:
+	    u.recv.client = va_arg(ap, ClientPtr);
+	    u.recv.pWin = va_arg(ap, WindowPtr);
+	    u.recv.events = va_arg(ap, xEventPtr);
+	    u.recv.count = va_arg(ap, int);
+	    u.recv.status = Success; /* default allow */
+	    prv = &u.recv.status;
 	    break;
-	}
-	case XACE_CLIENT_ACCESS: {
-	    XaceClientAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.target = va_arg(ap, ClientPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_CLIENT_ACCESS:
+	    u.client.client = va_arg(ap, ClientPtr);
+	    u.client.target = va_arg(ap, ClientPtr);
+	    u.client.access_mode = va_arg(ap, Mask);
+	    u.client.status = Success; /* default allow */
+	    prv = &u.client.status;
 	    break;
-	}
-	case XACE_EXT_ACCESS: {
-	    XaceExtAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.ext = va_arg(ap, ExtensionEntry*);
-	    rec.access_mode = DixGetAttrAccess;
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_EXT_ACCESS:
+	    u.ext.client = va_arg(ap, ClientPtr);
+	    u.ext.ext = va_arg(ap, ExtensionEntry*);
+	    u.ext.access_mode = DixGetAttrAccess;
+	    u.ext.status = Success; /* default allow */
+	    prv = &u.ext.status;
 	    break;
-	}
-	case XACE_SERVER_ACCESS: {
-	    XaceServerAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_SERVER_ACCESS:
+	    u.server.client = va_arg(ap, ClientPtr);
+	    u.server.access_mode = va_arg(ap, Mask);
+	    u.server.status = Success; /* default allow */
+	    prv = &u.server.status;
 	    break;
-	}
 	case XACE_SCREEN_ACCESS:
-	case XACE_SCREENSAVER_ACCESS: {
-	    XaceScreenAccessRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.screen = va_arg(ap, ScreenPtr);
-	    rec.access_mode = va_arg(ap, Mask);
-	    rec.status = Success; /* default allow */
-	    calldata = &rec;
-	    prv = &rec.status;
+	case XACE_SCREENSAVER_ACCESS:
+	    u.screen.client = va_arg(ap, ClientPtr);
+	    u.screen.screen = va_arg(ap, ScreenPtr);
+	    u.screen.access_mode = va_arg(ap, Mask);
+	    u.screen.status = Success; /* default allow */
+	    prv = &u.screen.status;
 	    break;
-	}
-	case XACE_AUTH_AVAIL: {
-	    XaceAuthAvailRec rec;
-	    rec.client = va_arg(ap, ClientPtr);
-	    rec.authId = va_arg(ap, XID);
-	    calldata = &rec;
+	case XACE_AUTH_AVAIL:
+	    u.auth.client = va_arg(ap, ClientPtr);
+	    u.auth.authId = va_arg(ap, XID);
 	    break;
-	}
-	case XACE_KEY_AVAIL: {
-	    XaceKeyAvailRec rec;
-	    rec.event = va_arg(ap, xEventPtr);
-	    rec.keybd = va_arg(ap, DeviceIntPtr);
-	    rec.count = va_arg(ap, int);
-	    calldata = &rec;
+	case XACE_KEY_AVAIL:
+	    u.key.event = va_arg(ap, xEventPtr);
+	    u.key.keybd = va_arg(ap, DeviceIntPtr);
+	    u.key.count = va_arg(ap, int);
 	    break;
-	}
-	default: {
+	default:
 	    va_end(ap);
 	    return 0;	/* unimplemented hook number */
-	}
     }
     va_end(ap);
  
     /* call callbacks and return result, if any. */
-    CallCallbacks(&XaceHooks[hook], calldata);
+    CallCallbacks(&XaceHooks[hook], &u);
     return prv ? *prv : Success;
 }
 
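Review bot: `CallCallbacks(&XaceHooks[hook], &u);` now passes the address of the whole union, where each case used to pass the address of its specific record. That is correct because every member starts at the union's address, but it is not obvious at the call site, so a one-line comment there would help. With the braces removed from every case, it is also worth a note above the switch that cases must fill in a member of `u` and must not declare their own record, otherwise the original bug can come back with the next hook that is added.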
commit f07fc1461d38c8228d1bacf3d19932cac7bacddd
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Fri Jun 11 10:12:52 2010 +1000

    xkb: fix invalid memory writes in _XkbCopyGeom.
    
    Classic strlen/strcpy mistake of
       foo = malloc(strlen(bar));
       strcpy(foo, bar);
    
    Testcase: valgrind Xephyr :1
    
    ==8591== Invalid write of size 1
    ==8591==    at 0x4A0638F: strcpy (mc_replace_strmem.c:311)
    ==8591==    by 0x605593: _XkbCopyGeom (xkbUtils.c:1994)
    ==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
    ==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
    ==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
    ==8591==    by 0x447162: ActivateDevice (devices.c:530)
    ==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
    ==8591==    by 0x4449EE: main (main.c:254)
    ==8591==  Address 0x6f96505 is 0 bytes after a block of size 53 alloc'd
    ==8591==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
    ==8591==    by 0x6054B7: _XkbCopyGeom (xkbUtils.c:1980)
    ==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
    ==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
    ==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
    ==8591==    by 0x447162: ActivateDevice (devices.c:530)
    ==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
    ==8591==    by 0x4449EE: main (main.c:254)
    
    Reported-by: Dave Airlie <airlied at redhat.com>
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    Reviewed-by-and-apologised-for: Daniel Stone <daniel at fooishbar.org>
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 7f19a7a6e90a4fd7b7ec0256974f62e575218541)
    
    Conflicts:
    
    	xkb/xkbUtils.c
    (cherry picked from commit f85552aa452d5f575fee9f6031a33ca79bdc3cc8)
    
    Signed-off-by: Julien Cristau <jcristau at debian.org>

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index 30ec438..1abb5a8 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1940,7 +1940,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst)
         /* font */
         if (src->geom->label_font) {
             if (!dst->geom->label_font) {
-                tmp = xalloc(strlen(src->geom->label_font));
+                tmp = xalloc(strlen(src->geom->label_font) + 1);
                 if (!tmp)
                     return FALSE;
                 dst->geom->label_font = tmp;
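Review bot: The `+ 1` in `xalloc(strlen(src->geom->label_font) + 1)` is right, but the length is open-coded here and again in the realloc branch, which is how the terminator got lost in the first place. Consider computing the size once into a local (or using a duplicate-string helper if one is available in this tree) so both branches and the copy that follows agree on one value.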
@@ -1948,7 +1948,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst)
             else if (strlen(src->geom->label_font) !=
                 strlen(dst->geom->label_font)) {
                 tmp = xrealloc(dst->geom->label_font,
-                               strlen(src->geom->label_font));
+                               strlen(src->geom->label_font) + 1);
                 if (!tmp)
                     return FALSE;
                 dst->geom->label_font = tmp;
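Review bot: The realloc branch is only taken when `strlen(src->geom->label_font) != strlen(dst->geom->label_font)`; when the lengths match, the existing dst buffer is reused as is. That is safe only if every path that allocates dst->geom->label_font includes room for the terminator, so please check the other places that allocate this field for the same off-by-one. Reallocating unconditionally would remove that dependency at negligible cost.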
commit b9638391394d1f4797b5421fa4ccbe9d194eee5a
Author: Pierre-Loup A. Griffais <pgriffais at nvidia.com>
Date:   Wed Apr 21 18:11:05 2010 -0700

    xf86: Don't crash when switching modes through RandR without owning the VT.
    
    While VT-switched, FB access is disabled and should remain so. Trying to switch
    modes in that state would re-enable it, potentially causing crashes if trying
    to access it before the driver has recovered from the mode switch.
    
    Signed-off-by: Pierre-Loup A. Griffais <pgriffais at nvidia.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 41bdb6c003cca3ef0ff88d9c7de318115bab1ba2)
    
    Signed-off-by: Julien Cristau <jcristau at debian.org>

diff --git a/hw/xfree86/common/xf86RandR.c b/hw/xfree86/common/xf86RandR.c
index 02dcc34..d4beb2c 100644
--- a/hw/xfree86/common/xf86RandR.c
+++ b/hw/xfree86/common/xf86RandR.c
@@ -163,7 +163,7 @@ xf86RandRSetMode (ScreenPtr	    pScreen,
     WindowPtr		pRoot = WindowTable[pScreen->myNum];
     Bool		ret = TRUE;
 
-    if (pRoot)
+    if (pRoot && scrp->vtSema)
 	(*scrp->EnableDisableFBAccess) (pScreen->myNum, FALSE);
     if (useVirtual)
     {
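Review bot: The new `scrp->vtSema` test in `if (pRoot && scrp->vtSema)` has no comment, and the reason is not evident from the code alone. Please add a line stating that FB access is already disabled while VT-switched and must stay that way, so the disable/enable pair is skipped when the server does not own the VT.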
@@ -229,7 +229,7 @@ xf86RandRSetMode (ScreenPtr	    pScreen,
      */
     xf86SetViewport (pScreen, pScreen->width, pScreen->height);
     xf86SetViewport (pScreen, 0, 0);
-    if (pRoot)
+    if (pRoot && scrp->vtSema)
 	(*scrp->EnableDisableFBAccess) (pScreen->myNum, TRUE);
     return ret;
 }
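Review bot: `scrp->vtSema` is read once for the disable call near the top of xf86RandRSetMode and again here for the enable call, so the two calls stay paired only if the value cannot change in between. Sampling it once into a local Bool next to `pRoot` and testing that local in both places would guarantee that EnableDisableFBAccess(FALSE) and EnableDisableFBAccess(TRUE) are either both made or both skipped.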

