xserver: Branch 'server-1.12-branch' - 2 commits

Wed Aug 1 17:33:00 PDT 2012

randr/rroutput.c |    3 ++-
 randr/rrscreen.c |    5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

New commits:
commit 465a7a253ae36a35d2d85a990c6c50c2a26a861e
Author: Aaron Plattner <aplattner at nvidia.com>
Date:   Fri Jun 29 13:33:58 2012 -0700

    randr: Fix REQUEST vs. REQUEST_SIZE_MATCH mismatch
    
    ProcRRGetScreenSizeRange uses REQUEST(xRRGetScreenSizeRangeReq) followed by
    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq).  This happens to work out because both
    requests have the same size, so this is not a functional change, just a cosmetic
    one.
    
    Signed-off-by: Aaron Plattner <aplattner at nvidia.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 212b9803238d2de2e77cbe5de62d3f616ae50daf)

diff --git a/randr/rrscreen.c b/randr/rrscreen.c
index 55110e0..c564d1f 100644
--- a/randr/rrscreen.c
+++ b/randr/rrscreen.c
@@ -195,7 +195,7 @@ ProcRRGetScreenSizeRange(ClientPtr client)
     rrScrPrivPtr pScrPriv;
     int rc;
 
-    REQUEST_SIZE_MATCH(xRRGetScreenInfoReq);
+    REQUEST_SIZE_MATCH(xRRGetScreenSizeRangeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
commit 6f4b6bca4c8f823adf83519b40f02b39a0c271ed
Author: Keith Packard <keithp at keithp.com>
Date:   Thu Jun 21 18:45:18 2012 -0700

    randr: Catch two more potential unset rrScrPriv uses
    
    Ricardo Salveti <ricardo.salveti at linaro.org> found one place where the
    randr code could use the randr screen private data without checking
    for null first. This happens when the X server is running with
    multiple screens, some of which are randr enabled and some of which
    are not. Applications making protocol requests to the non-randr
    screens can cause segfaults where the server touches the unset private
    structure.
    
    I audited the code and found two more possible problem spots; the
    trick to auditing for this issue was to look for functions not taking
    a RandR data structure and where there was no null screen private
    check above them in the call graph.
    
    Signed-off-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 855003c333a0ead1db912695bc9705ef2b3144b4)

diff --git a/randr/rroutput.c b/randr/rroutput.c
index 091e06b..fbd0e32 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -546,7 +546,8 @@ ProcRRSetOutputPrimary(ClientPtr client)
     }
 
     pScrPriv = rrGetScrPriv(pWin->drawable.pScreen);
-    RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
+    if (pScrPriv)
+        RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
 
     return Success;
 }
diff --git a/randr/rrscreen.c b/randr/rrscreen.c
index f570afa..55110e0 100644
--- a/randr/rrscreen.c
+++ b/randr/rrscreen.c
@@ -248,6 +248,9 @@ ProcRRSetScreenSize(ClientPtr client)
 
     pScreen = pWin->drawable.pScreen;
     pScrPriv = rrGetScrPriv(pScreen);
+    if (!pScrPriv)
+        return BadMatch;
+
     if (stuff->width < pScrPriv->minWidth || pScrPriv->maxWidth < stuff->width) {
         client->errorValue = stuff->width;
         return BadValue;
