xserver: Branch 'master' - 3 commits

Keith Packard keithp at kemper.freedesktop.org
Thu Jun 28 10:10:42 PDT 2012 

 randr/randr.c    |    3 +++
 randr/rrcrtc.c   |   10 ++++------
 randr/rrinfo.c   |    7 ++++---
 randr/rrmode.c   |    4 +---
 randr/rroutput.c |   11 ++++++-----
 randr/rrscreen.c |    3 +++
 6 files changed, 21 insertions(+), 17 deletions(-)

New commits:
commit 855003c333a0ead1db912695bc9705ef2b3144b4
Author: Keith Packard <keithp at keithp.com>
Date:   Thu Jun 21 18:45:18 2012 -0700

    randr: Catch two more potential unset rrScrPriv uses
    
    Ricardo Salveti <ricardo.salveti at linaro.org> found one place where the
    randr code could use the randr screen private data without checking
    for null first. This happens when the X server is running with
    multiple screens, some of which are randr enabled and some of which
    are not. Applications making protocol requests to the non-randr
    screens can cause segfaults where the server touches the unset private
    structure.
    
    I audited the code and found two more possible problem spots; the
    trick to auditing for this issue was to look for functions not taking
    a RandR data structure and where there was no null screen private
    check above them in the call graph.
    
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/randr/rroutput.c b/randr/rroutput.c
index 091e06b..fbd0e32 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -546,7 +546,8 @@ ProcRRSetOutputPrimary(ClientPtr client)
     }
 
     pScrPriv = rrGetScrPriv(pWin->drawable.pScreen);
-    RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
+    if (pScrPriv)
+        RRSetPrimaryOutput(pWin->drawable.pScreen, pScrPriv, output);
 
     return Success;
 }
diff --git a/randr/rrscreen.c b/randr/rrscreen.c
index f570afa..55110e0 100644
--- a/randr/rrscreen.c
+++ b/randr/rrscreen.c
@@ -248,6 +248,9 @@ ProcRRSetScreenSize(ClientPtr client)
 
     pScreen = pWin->drawable.pScreen;
     pScrPriv = rrGetScrPriv(pScreen);
+    if (!pScrPriv)
+        return BadMatch;
+
     if (stuff->width < pScrPriv->minWidth || pScrPriv->maxWidth < stuff->width) {
         client->errorValue = stuff->width;
         return BadValue;
commit 32603f57ca03b6390b109960f8bb5ea53ac95ecb
Author: Ricardo Salveti de Araujo <ricardo.salveti at linaro.org>
Date:   Thu Jun 21 00:55:53 2012 -0300

    randr: first check pScrPriv before using the pointer at RRFirstOutput
    
    Fix a seg fault in case pScrPriv is NULL at ProcRRGetScreenInfo,
    which later calls RRFirstOutput.
    
    Signed-off-by: Ricardo Salveti de Araujo <ricardo.salveti at linaro.org>
    Reviewed-by: Keith Packard <keithp at keithp.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/randr/randr.c b/randr/randr.c
index 4d4298a..103da48 100644
--- a/randr/randr.c
+++ b/randr/randr.c
@@ -446,6 +446,9 @@ RRFirstOutput(ScreenPtr pScreen)
     RROutputPtr output;
     int i, j;
 
+    if (!pScrPriv)
+        return NULL;
+
     if (pScrPriv->primaryOutput && pScrPriv->primaryOutput->crtc)
         return pScrPriv->primaryOutput;
 
commit 4ba340cfaa8d430c808566495f8deda0ff1b4424
Author: Keith Packard <keithp at keithp.com>
Date:   Thu Jun 21 18:42:46 2012 -0700

    randr: Clean up compiler warnings about unused and shadowing variables
    
    set but not used variables
    shadowing a previous local
    
    A hidden problem was that the VERIFY_RR_* macros define local 'rc'
    variables, any other local definitions for those would be shadowed and
    generate warnings from gcc. I've renamed the other locals 'ret'
    instead of 'rc'.
    
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index 36caa58..0c596dd 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -825,10 +825,9 @@ ProcRRSetCrtcConfig(ClientPtr client)
     int numOutputs;
     RROutputPtr *outputs = NULL;
     RROutput *outputIds;
-    TimeStamp configTime;
     TimeStamp time;
     Rotation rotation;
-    int rc, i, j;
+    int ret, i, j;
 
     REQUEST_AT_LEAST_SIZE(xRRSetCrtcConfigReq);
     numOutputs = (stuff->length - bytes_to_int32(SIZEOF(xRRSetCrtcConfigReq)));
@@ -855,11 +854,11 @@ ProcRRSetCrtcConfig(ClientPtr client)
 
     outputIds = (RROutput *) (stuff + 1);
     for (i = 0; i < numOutputs; i++) {
-        rc = dixLookupResourceByType((pointer *) (outputs + i), outputIds[i],
+        ret = dixLookupResourceByType((pointer *) (outputs + i), outputIds[i],
                                      RROutputType, client, DixSetAttrAccess);
-        if (rc != Success) {
+        if (ret != Success) {
             free(outputs);
-            return rc;
+            return ret;
         }
         /* validate crtc for this output */
         for (j = 0; j < outputs[i]->numCrtcs; j++)
@@ -904,7 +903,6 @@ ProcRRSetCrtcConfig(ClientPtr client)
     pScrPriv = rrGetScrPriv(pScreen);
 
     time = ClientTimeToServerTime(stuff->timestamp);
-    configTime = ClientTimeToServerTime(stuff->configTimestamp);
 
     if (!pScrPriv) {
         time = currentTime;
diff --git a/randr/rrinfo.c b/randr/rrinfo.c
index 114ec34..1408d6f 100644
--- a/randr/rrinfo.c
+++ b/randr/rrinfo.c
@@ -82,6 +82,7 @@ RRScanOldConfig(ScreenPtr pScreen, Rotation rotations)
     int i;
     CARD16 minWidth = MAXSHORT, minHeight = MAXSHORT;
     CARD16 maxWidth = 0, maxHeight = 0;
+    CARD16 width, height;
 
     /*
      * First time through, create a crtc and output and hook
@@ -141,11 +142,11 @@ RRScanOldConfig(ScreenPtr pScreen, Rotation rotations)
 
     /* find size bounds */
     for (i = 0; i < output->numModes + output->numUserModes; i++) {
-        RRModePtr mode = (i < output->numModes ?
+        mode = (i < output->numModes ?
                           output->modes[i] :
                           output->userModes[i - output->numModes]);
-        CARD16 width = mode->mode.width;
-        CARD16 height = mode->mode.height;
+        width = mode->mode.width;
+        height = mode->mode.height;
 
         if (width < minWidth)
             minWidth = width;
diff --git a/randr/rrmode.c b/randr/rrmode.c
index b637c06..49a45c7 100644
--- a/randr/rrmode.c
+++ b/randr/rrmode.c
@@ -173,7 +173,7 @@ RRModesForScreen(ScreenPtr pScreen, int *num_ret)
      */
     for (o = 0; o < pScrPriv->numOutputs; o++) {
         RROutputPtr output = pScrPriv->outputs[o];
-        int m, n;
+        int n;
 
         for (m = 0; m < output->numModes + output->numUserModes; m++) {
             RRModePtr mode = (m < output->numModes ?
@@ -285,7 +285,6 @@ ProcRRCreateMode(ClientPtr client)
     xRRCreateModeReply rep = { 0 };
     WindowPtr pWin;
     ScreenPtr pScreen;
-    rrScrPrivPtr pScrPriv;
     xRRModeInfo *modeInfo;
     long units_after;
     char *name;
@@ -298,7 +297,6 @@ ProcRRCreateMode(ClientPtr client)
         return rc;
 
     pScreen = pWin->drawable.pScreen;
-    pScrPriv = rrGetScrPriv(pScreen);
 
     modeInfo = &stuff->modeInfo;
     name = (char *) (stuff + 1);
diff --git a/randr/rroutput.c b/randr/rroutput.c
index 0890c55..091e06b 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -528,13 +528,13 @@ ProcRRSetOutputPrimary(ClientPtr client)
     RROutputPtr output = NULL;
     WindowPtr pWin;
     rrScrPrivPtr pScrPriv;
-    int rc;
+    int ret;
 
     REQUEST_SIZE_MATCH(xRRSetOutputPrimaryReq);
 
-    rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
-    if (rc != Success)
-        return rc;
+    ret = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+    if (ret != Success)
+        return ret;
 
     if (stuff->output) {
         VERIFY_RR_OUTPUT(stuff->output, output, DixReadAccess);

More information about the xorg-commit mailing list