xserver: Branch 'master' - 2 commits

Keith Packard keithp at kemper.freedesktop.org
Thu Oct 23 17:32:44 PDT 2014


 glx/glxdri2.c |    4 +++-
 os/utils.c    |    1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 16a32c53f6e9ad1f3284d4596edfa33e9efb740e
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Thu Oct 9 05:42:09 2014 -0700

    If fork fails in System(), don't fallthrough to exec()
    
    In the unlikely event of a failure in creating processes, signal
    masks will fall from the panels above you.  Secure your mask before
    telling your child what to do, since it won't exist, and you will
    instead cause the server itself to be replaced by a shell running
    the target program.
    
    Found by Coverity #53397: Missing break in switch
    Execution falls through to the next case statement or default;
     this might indicate a common typo.
    In System: Missing break statement between cases in switch statement (CWE-484)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/os/utils.c b/os/utils.c
index 80415c4..75769f1 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -1373,6 +1373,7 @@ System(const char *command)
     switch (pid = fork()) {
     case -1:                   /* error */
         p = -1;
+        break;
     case 0:                    /* child */
         if (setgid(getgid()) == -1)
             _exit(127);
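Review bot: In the `case -1` arm, `p = -1; break;` leaves the switch without recording why fork() failed; consider logging errno there so a failed System() call can be told apart from a command that exited with an error. The code after the switch is outside this hunk, so it is also worth confirming that nothing on this path uses `pid`, which is -1 here.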
commit 7e5bc49d1ed2c78c321da79bdbc99b90c5f95b38
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Thu Oct 9 05:42:08 2014 -0700

    Allocate enough room for both reset & flags attributes
    
    ctx_attribs had room for 3 pairs of attributes, but if both flags & reset
    attributes were being returned it was storing 4 pairs in the array.
    
    Found by Coverity #53442:  Out-of-bounds write
    This could cause an immediate crash or incorrect computations.
    In create_driver_context: Out-of-bounds write to a buffer (CWE-119)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index c756bf5..5a8966f 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -475,7 +475,7 @@ create_driver_context(__GLXDRIcontext * context,
     context->driContext = NULL;
 
     if (screen->dri2->base.version >= 3) {
-        uint32_t ctx_attribs[3 * 2];
+        uint32_t ctx_attribs[4 * 2];
         unsigned num_ctx_attribs = 0;
         unsigned dri_err = 0;
         unsigned major_ver;
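Review bot: The new size in `uint32_t ctx_attribs[4 * 2];` is still a hand-counted literal, which is how the array ended up one pair short. A comment beside the declaration naming the attribute pairs it must hold, or a named constant for the pair count, would make the next added attribute harder to miss.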
@@ -510,6 +510,8 @@ create_driver_context(__GLXDRIcontext * context,
                     __DRI_CTX_ATTRIB_RESET_STRATEGY;
                 ctx_attribs[num_ctx_attribs++] = reset;
             }
+
+            assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs));
         }
 
         context->driContext =
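Review bot: The `assert(num_ctx_attribs <= ARRAY_SIZE(ctx_attribs));` runs after the `ctx_attribs[num_ctx_attribs++] = reset;` stores above it, so it reports an overrun only once the out-of-bounds write has already happened, and a standard assert() is compiled out in NDEBUG builds. It works as a tripwire for future attribute additions; if it is meant as protection, check the remaining space before each pair is stored instead.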

