xserver: Branch 'server-1.19-branch' - 19 commits

[Adam Jackson]

 Xext/shm.c                                       |    8 --
 config/udev.c                                    |   65 +++++++++++------------
 dix/devices.c                                    |    7 ++
 glx/glxcmds.c                                    |    9 ++-
 glx/glxdri2.c                                    |    3 -
 glx/glxdriswrast.c                               |    3 -
 hw/xfree86/drivers/modesetting/drmmode_display.c |   40 ++++----------
 hw/xfree86/modes/xf86EdidModes.c                 |    4 -
 hw/xfree86/ramdac/xf86HWCurs.c                   |    9 ++-
 hw/xquartz/GL/indirect.c                         |    2 
 hw/xwayland/xwayland-cursor.c                    |    2 
 include/misc.h                                   |    2 
 os/access.c                                      |    6 +-
 os/xdmcp.c                                       |    2 
 present/present.c                                |    8 ++
 present/present_event.c                          |    5 +
 present/present_priv.h                           |    5 +
 present/present_request.c                        |    4 -
 randr/rroutput.c                                 |    2 
 randr/rrscreen.c                                 |    2 
 test/input.c                                     |    2 
 test/signal-logging.c                            |    2 
 xkb/ddxLoad.c                                    |    6 +-
 xkb/xkbUtils.c                                   |    2 
 24 files changed, 106 insertions(+), 94 deletions(-)

New commits:
commit dbf97534de61539873717b8e0fcc03f1be6362f8
Author: Tomasz Śniatowski <kailoran at gmail.com>
Date:   Wed Dec 6 12:16:17 2017 +0100

    os: Fix strtok/free crash in ComputeLocalClient
    
    Don't reuse cmd for strtok output to ensure the proper pointer is
    freed afterwards.
    
    The code incorrectly assumed the pointer returned by strtok(cmd, ":")
    would always point to cmd. However, strtok(str, sep) != str if str
    begins with sep. This caused an invalid-free crash when running
    a program under X with a name beginning with a colon.
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
    Signed-off-by: Tomasz Śniatowski <kailoran at gmail.com>
    Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
    (cherry picked from commit 6883ae43eb72fe4e2651c1dca209563323fad2db)

diff --git a/os/access.c b/os/access.c
index 8828e0834..97246160c 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1137,12 +1137,12 @@ ComputeLocalClient(ClientPtr client)
         /* Cut off any colon and whatever comes after it, see
          * https://lists.freedesktop.org/archives/xorg-devel/2015-December/048164.html
          */
-        cmd = strtok(cmd, ":");
+        char *tok = strtok(cmd, ":");
 
 #if !defined(WIN32) || defined(__CYGWIN__)
-        ret = strcmp(basename(cmd), "ssh") != 0;
+        ret = strcmp(basename(tok), "ssh") != 0;
 #else
-        ret = strcmp(cmd, "ssh") != 0;
+        ret = strcmp(tok, "ssh") != 0;
 #endif
 
         free(cmd);
commit 072dff82817bc02bb4bdb2dad594e6090586bf58
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Tue Dec 5 09:59:06 2017 +0100

    dix: avoid deferencing NULL PtrCtrl
    
    PtrCtrl really makes sense for relative pointing device only, absolute
    devices such as touch devices do not have any PtrCtrl set.
    
    In some cases, if the client issues a XGetPointerControl() immediatlely
    after a ChangeMasterDeviceClasses() copied the touch device to the VCP,
    a NULL pointer dereference will occur leading to a crash of Xwayland.
    
    Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and
    return the default control values otherwise, to avoid the NULL pointer
    dereference.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    (cherry picked from commit 9f7a9be13d6449c00c86d3035374f4f543654b3f)

diff --git a/dix/devices.c b/dix/devices.c
index ea3c6c8a9..4a628afb0 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -2329,10 +2329,15 @@ int
 ProcGetPointerControl(ClientPtr client)
 {
     DeviceIntPtr ptr = PickPointer(client);
-    PtrCtrl *ctrl = &ptr->ptrfeed->ctrl;
+    PtrCtrl *ctrl;
     xGetPointerControlReply rep;
     int rc;
 
+    if (ptr->ptrfeed)
+        ctrl = &ptr->ptrfeed->ctrl;
+    else
+        ctrl = &defaultPointerControl;
+
     REQUEST_SIZE_MATCH(xReq);
 
     rc = XaceHook(XACE_DEVICE_ACCESS, client, ptr, DixGetAttrAccess);
commit f9a55653721980e3921083015ffb39f777606828
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Wed Sep 27 18:01:01 2017 +0200

    xwayland: Fix non-argb cursor conversion
    
    From the bug: "What happens if bits->width is less than 8? :)"
    
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103012
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    Reviewed-by: Emil Velikov <emil.velikov at collabora.com>
    Reviewed-by: Daniel Stone <daniels at collabora.com>
    (cherry picked from commit 97ac59b1ed3624f7c04e54dd3e3dadfa46a8f170)

diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
index f334f1ca5..7b6a698fd 100644
--- a/hw/xwayland/xwayland-cursor.c
+++ b/hw/xwayland/xwayland-cursor.c
@@ -42,7 +42,7 @@ expand_source_and_mask(CursorPtr cursor, CARD32 *data)
         (cursor->foreGreen & 0xff00) | (cursor->foreGreen >> 8);
     bg = ((cursor->backRed & 0xff00) << 8) |
         (cursor->backGreen & 0xff00) | (cursor->backGreen >> 8);
-    stride = (bits->width / 8 + 3) & ~3;
+    stride = BitmapBytePad(bits->width);
     for (y = 0; y < bits->height; y++)
         for (x = 0; x < bits->width; x++) {
             i = y * stride + x / 8;
commit b832dac751f81d803d33df7c4dd929f77a69c7b0
Author: Adam Jackson <ajax at redhat.com>
Date:   Tue Nov 14 15:15:01 2017 -0500

    glx: Fix glXQueryContext for GLX_FBCONFIG_ID and GLX_RENDER_TYPE (v2)
    
    Just never filled in, oops. Seems to have gone unnoticed because
    normally glXQueryContext simply returns the values filled in by the
    client library when the context was created. The only path by which you
    normally get to a GLXQueryContext request is glXImportContext, and then
    only if the context is already indirect.
    
    However, that's a statement about Mesa's libGL (and anything else that
    inherited that bit of the SGI SI more or less intact). Nothing prevents
    a mischeivous client from issuing that request of a direct context, and
    if they did we'd be in trouble because we never bothered to preserve the
    associated fbconfig in the context state, so we'd crash looking up
    GLX_VISUAL_ID_EXT. So let's fix that too.
    
    v2: Fixed missing preservation of the config in DRI2 (Eric Anholt)
    
    Signed-off-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Eric Anholt <eric at anholt.net>
    (cherry picked from commit 5d667df6ea1634191a26f9a7c26bc883701d62b0)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 86aab5498..386a53410 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -215,6 +215,7 @@ __glXdirectContextCreate(__GLXscreen * screen,
     if (context == NULL)
         return NULL;
 
+    context->config = modes;
     context->destroy = __glXdirectContextDestroy;
     context->loseCurrent = __glXdirectContextLoseCurrent;
 
@@ -1720,7 +1721,7 @@ DoQueryContext(__GLXclientState * cl, GLXContextID gcId)
     ClientPtr client = cl->client;
     __GLXcontext *ctx;
     xGLXQueryContextInfoEXTReply reply;
-    int nProps = 3;
+    int nProps = 5;
     int sendBuf[nProps * 2];
     int nReplyBytes;
     int err;
@@ -1742,6 +1743,10 @@ DoQueryContext(__GLXclientState * cl, GLXContextID gcId)
     sendBuf[3] = (int) (ctx->config->visualID);
     sendBuf[4] = GLX_SCREEN_EXT;
     sendBuf[5] = (int) (ctx->pGlxScreen->pScreen->myNum);
+    sendBuf[6] = GLX_FBCONFIG_ID;
+    sendBuf[7] = (int) (ctx->config->fbconfigID);
+    sendBuf[8] = GLX_RENDER_TYPE;
+    sendBuf[9] = (int) (ctx->config->renderType);
 
     if (client->swapped) {
         __glXSwapQueryContextInfoEXTReply(client, &reply, sendBuf);
diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index 8f6c3ab6a..91de0476a 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -557,6 +557,7 @@ __glXDRIscreenCreateContext(__GLXscreen * baseScreen,
         return NULL;
     }
 
+    context->base.config = glxConfig;
     context->base.destroy = __glXDRIcontextDestroy;
     context->base.makeCurrent = __glXDRIcontextMakeCurrent;
     context->base.loseCurrent = __glXDRIcontextLoseCurrent;
diff --git a/glx/glxdriswrast.c b/glx/glxdriswrast.c
index a9472cd4e..e310fda75 100644
--- a/glx/glxdriswrast.c
+++ b/glx/glxdriswrast.c
@@ -244,6 +244,7 @@ __glXDRIscreenCreateContext(__GLXscreen * baseScreen,
     if (context == NULL)
         return NULL;
 
+    context->base.config = glxConfig;
     context->base.destroy = __glXDRIcontextDestroy;
     context->base.makeCurrent = __glXDRIcontextMakeCurrent;
     context->base.loseCurrent = __glXDRIcontextLoseCurrent;
diff --git a/hw/xquartz/GL/indirect.c b/hw/xquartz/GL/indirect.c
index 2d88ef284..6738946ff 100644
--- a/hw/xquartz/GL/indirect.c
+++ b/hw/xquartz/GL/indirect.c
@@ -156,7 +156,7 @@ __glXAquaScreenCreateContext(__GLXscreen *screen,
     memset(context, 0, sizeof *context);
 
     context->base.pGlxScreen = screen;
-
+    context->base.config = conf;
     context->base.destroy = __glXAquaContextDestroy;
     context->base.makeCurrent = __glXAquaContextMakeCurrent;
     context->base.loseCurrent = __glXAquaContextLoseCurrent;
commit ee64427c6c5b22514b4d427fb9cee11b8239baea
Author: Daniel Martin <consume.noise at gmail.com>
Date:   Mon Nov 20 10:47:38 2017 +0100

    os/xdmcp: Honour -once when session is dead
    
    Terminate a dead session when -once was passed. Don't restart it.
    
    Signed-off-by: Daniel Martin <consume.noise at gmail.com>
    Reviewed-by: Walter Harms <wharms at bfs.de>
    (cherry picked from commit 918afeecbc63d70413e222efdb2ac4cfb16eae9e)

diff --git a/os/xdmcp.c b/os/xdmcp.c
index 906c95944..7aeb393e6 100644
--- a/os/xdmcp.c
+++ b/os/xdmcp.c
@@ -797,7 +797,7 @@ XdmcpDeadSession(const char *reason)
     ErrorF("XDM: %s, declaring session dead\n", reason);
     state = XDM_INIT_STATE;
     isItTimeToYield = TRUE;
-    dispatchException |= DE_RESET;
+    dispatchException |= (OneSession ? DE_TERMINATE : DE_RESET);
     TimerCancel(xdmcp_timer);
     timeOutRtx = 0;
     send_packet();
commit 5c00e693631475679c1c2504e03177652ec7de28
Author: Michel Dänzer <michel.daenzer at amd.com>
Date:   Mon Oct 2 11:33:43 2017 +0200

    present: Only send PresentCompleteNotify events to the presenting client
    
    We were sending the events to all clients listening for them on the
    window. But clients can get confused by events from another client, and
    I can't imagine any case where receiving events from other clients would
    be required.
    
    v2:
    * Also restrict events sent to additional windows to the presenting
      client
    * Don't shorten line lengths
    
    Reviewed-by: Keith Packard <keithp at keithp.com>
    (cherry picked from commit 559954aaa8d811a22cf918cc16a7d618e12201a0)

diff --git a/present/present.c b/present/present.c
index 7d428fca7..86743c504 100644
--- a/present/present.c
+++ b/present/present.c
@@ -222,13 +222,13 @@ present_vblank_notify(present_vblank_ptr vblank, CARD8 kind, CARD8 mode, uint64_
     int         n;
 
     if (vblank->window)
-        present_send_complete_notify(vblank->window, kind, mode, vblank->serial, ust, crtc_msc - vblank->msc_offset);
+        present_send_complete_notify(vblank->window, kind, mode, vblank->serial, ust, crtc_msc - vblank->msc_offset, vblank->client);
     for (n = 0; n < vblank->num_notifies; n++) {
         WindowPtr   window = vblank->notifies[n].window;
         CARD32      serial = vblank->notifies[n].serial;
 
         if (window)
-            present_send_complete_notify(window, kind, mode, serial, ust, crtc_msc - vblank->msc_offset);
+            present_send_complete_notify(window, kind, mode, serial, ust, crtc_msc - vblank->msc_offset, vblank->client);
     }
 }
 
@@ -788,6 +788,7 @@ present_execute(present_vblank_ptr vblank, uint64_t ust, uint64_t crtc_msc)
 int
 present_pixmap(WindowPtr window,
                PixmapPtr pixmap,
+               ClientPtr client,
                CARD32 serial,
                RegionPtr valid,
                RegionPtr update,
@@ -898,6 +899,7 @@ present_pixmap(WindowPtr window,
     xorg_list_append(&vblank->window_list, &window_priv->vblank);
     xorg_list_init(&vblank->event_queue);
 
+    vblank->client = client;
     vblank->screen = screen;
     vblank->window = window;
     vblank->pixmap = pixmap;
@@ -1017,6 +1019,7 @@ present_abort_vblank(ScreenPtr screen, RRCrtcPtr crtc, uint64_t event_id, uint64
 
 int
 present_notify_msc(WindowPtr window,
+                   ClientPtr client,
                    CARD32 serial,
                    uint64_t target_msc,
                    uint64_t divisor,
@@ -1024,6 +1027,7 @@ present_notify_msc(WindowPtr window,
 {
     return present_pixmap(window,
                           NULL,
+                          client,
                           serial,
                           NULL, NULL,
                           0, 0,
diff --git a/present/present_event.c b/present/present_event.c
index c222dd5ff..ac6f2555a 100644
--- a/present/present_event.c
+++ b/present/present_event.c
@@ -146,7 +146,7 @@ present_register_complete_notify(present_complete_notify_proc proc)
 }
 
 void
-present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc)
+present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc, ClientPtr client)
 {
     present_window_priv_ptr window_priv = present_window_priv(window);
 
@@ -167,7 +167,8 @@ present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 se
         present_event_ptr event;
 
         for (event = window_priv->events; event; event = event->next) {
-            if (event->mask & PresentCompleteNotifyMask) {
+            if (event->mask & PresentCompleteNotifyMask &&
+                client == event->client) {
                 cn.eid = event->id;
                 WriteEventsToClient(event->client, 1, (xEvent *) &cn);
             }
diff --git a/present/present_priv.h b/present/present_priv.h
index dfb4bdea9..41c37af7e 100644
--- a/present/present_priv.h
+++ b/present/present_priv.h
@@ -52,6 +52,7 @@ struct present_notify {
 struct present_vblank {
     struct xorg_list    window_list;
     struct xorg_list    event_queue;
+    ClientPtr           client;
     ScreenPtr           screen;
     WindowPtr           window;
     PixmapPtr           pixmap;
@@ -155,6 +156,7 @@ present_get_window_priv(WindowPtr window, Bool create);
 int
 present_pixmap(WindowPtr window,
                PixmapPtr pixmap,
+               ClientPtr client,
                CARD32 serial,
                RegionPtr valid,
                RegionPtr update,
@@ -172,6 +174,7 @@ present_pixmap(WindowPtr window,
 
 int
 present_notify_msc(WindowPtr window,
+                   ClientPtr client,
                    CARD32 serial,
                    uint64_t target_msc,
                    uint64_t divisor,
@@ -215,7 +218,7 @@ void
 present_send_config_notify(WindowPtr window, int x, int y, int w, int h, int bw, WindowPtr sibling);
 
 void
-present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc);
+present_send_complete_notify(WindowPtr window, CARD8 kind, CARD8 mode, CARD32 serial, uint64_t ust, uint64_t msc, ClientPtr client);
 
 void
 present_send_idle_notify(WindowPtr window, CARD32 serial, PixmapPtr pixmap, present_fence_ptr idle_fence);
diff --git a/present/present_request.c b/present/present_request.c
index c7663fcc8..6997aa869 100644
--- a/present/present_request.c
+++ b/present/present_request.c
@@ -135,7 +135,7 @@ proc_present_pixmap(ClientPtr client)
             return ret;
     }
 
-    ret = present_pixmap(window, pixmap, stuff->serial, valid, update,
+    ret = present_pixmap(window, pixmap, client, stuff->serial, valid, update,
                          stuff->x_off, stuff->y_off, target_crtc,
                          wait_fence, idle_fence, stuff->options,
                          stuff->target_msc, stuff->divisor, stuff->remainder, notifies, nnotifies);
@@ -171,7 +171,7 @@ proc_present_notify_msc(ClientPtr client)
         }
     }
 
-    return present_notify_msc(window, stuff->serial,
+    return present_notify_msc(window, client, stuff->serial,
                               stuff->target_msc, stuff->divisor, stuff->remainder);
 }
 
commit a4bd27bdc8e3569ffa67c1105a2e5cdf0f3de683
Author: Giuseppe Bilotta <giuseppe.bilotta at gmail.com>
Date:   Thu Nov 9 10:21:19 2017 +0100

    randr: rrGetScreenResources: initialize memory
    
    Similarly to bb766ef11227bd8c71ac65845d1930edd0eda40d, ensure that the
    extra padding is set to 0.
    
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta at gmail.com>
    (cherry picked from commit fb5ee77b91a93e27801006be8ee34d27984e7fa6)

diff --git a/randr/rrscreen.c b/randr/rrscreen.c
index d6c499580..0c70b28dd 100644
--- a/randr/rrscreen.c
+++ b/randr/rrscreen.c
@@ -558,7 +558,7 @@ rrGetScreenResources(ClientPtr client, Bool query)
 
         extraLen = rep.length << 2;
         if (extraLen) {
-            extra = malloc(extraLen);
+            extra = calloc(1, extraLen);
             if (!extra) {
                 free(modes);
                 return BadAlloc;
commit ece2e82ebf597ffda44b4753aa5cb7f5e1d97480
Author: Adam Jackson <ajax at redhat.com>
Date:   Tue Nov 14 15:59:35 2017 -0500

    glx: Only flush indirect contexts in MakeCurrent (v2)
    
    If the context is direct none of the GL commands were issued by this
    process, the server couldn't flush them even if it wanted to.
    
    v2: Fix embarassingly obvious boolean inversion (Michel Dänzer)
    
    Signed-off-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
    (cherry picked from commit 307c124d6bcfe26057767b2c0990dc9ac66b9c93)

diff --git a/glx/glxcmds.c b/glx/glxcmds.c
index 5873cb49c..86aab5498 100644
--- a/glx/glxcmds.c
+++ b/glx/glxcmds.c
@@ -631,7 +631,7 @@ DoMakeCurrent(__GLXclientState * cl,
         /*
          ** Flush the previous context if needed.
          */
-        Bool need_flush = GL_TRUE;
+        Bool need_flush = !prevglxc->isDirect;
 #ifdef GLX_CONTEXT_RELEASE_BEHAVIOR_ARB
         if (prevglxc->releaseBehavior == GLX_CONTEXT_RELEASE_BEHAVIOR_NONE_ARB)
             need_flush = GL_FALSE;
commit d1a2a2757977bf2f241fd254be821bf96910b587
Author: Hector Martin <marcan at marcan.st>
Date:   Wed Nov 15 03:12:31 2017 +0900

    edid: fix off-by-one error in CEA mode numbering
    
    The CEA extension short video descriptors contain the VIC, which starts
    at 1, not 0.
    
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Hector Martin <marcan at marcan.st>
    (cherry picked from commit 68556d74b49e99d3490166c446079f7d5de26ca4)

diff --git a/hw/xfree86/modes/xf86EdidModes.c b/hw/xfree86/modes/xf86EdidModes.c
index f0e1e974b..f903496f5 100644
--- a/hw/xfree86/modes/xf86EdidModes.c
+++ b/hw/xfree86/modes/xf86EdidModes.c
@@ -976,8 +976,8 @@ handle_cea_svd(struct cea_video_block *video, void *data)
     int vid;
 
     vid = video->video_code & 0x7f;
-    if (vid < CEA_VIDEO_MODES_NUM) {
-        Mode = xf86DuplicateMode(CEAVideoModes + vid);
+    if (vid >= 1 && vid <= CEA_VIDEO_MODES_NUM) {
+        Mode = xf86DuplicateMode(CEAVideoModes + (vid - 1));
         *Modes = xf86ModesAdd(*Modes, Mode);
     }
 }
commit b3fa60edc412e4c52bc6fa0346217eed0ebc98e3
Author: Adam Jackson <ajax at redhat.com>
Date:   Mon Nov 6 16:07:41 2017 -0500

    glx: Fix typos that break GLX_ARB_context_flush_control
    
    The trailing \n are just wrong here, __glXEnableExtension wants a string
    without them.
    
    Signed-off-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Michel Dänzer <michel.daenzer at amd.com>
    Reviewed-by: Emil Velikov <emil.velikov at collabora.com>
    (cherry picked from commit fd0eafb18426da14601d5c0d0a50092c49a7aff8)

diff --git a/glx/glxdri2.c b/glx/glxdri2.c
index 484b4aeab..8f6c3ab6a 100644
--- a/glx/glxdri2.c
+++ b/glx/glxdri2.c
@@ -901,7 +901,7 @@ initializeExtensions(__GLXscreen * screen)
 #ifdef __DRI2_FLUSH_CONTROL
         if (strcmp(extensions[i]->name, __DRI2_FLUSH_CONTROL) == 0) {
             __glXEnableExtension(screen->glx_enable_bits,
-                                 "GLX_ARB_context_flush_control\n");
+                                 "GLX_ARB_context_flush_control");
         }
 #endif
 
diff --git a/glx/glxdriswrast.c b/glx/glxdriswrast.c
index ed0469fd6..a9472cd4e 100644
--- a/glx/glxdriswrast.c
+++ b/glx/glxdriswrast.c
@@ -413,7 +413,7 @@ initializeExtensions(__GLXscreen * screen)
 #ifdef __DRI2_FLUSH_CONTROL
         if (strcmp(extensions[i]->name, __DRI2_FLUSH_CONTROL) == 0) {
             __glXEnableExtension(screen->glx_enable_bits,
-                                 "GLX_ARB_context_flush_control\n");
+                                 "GLX_ARB_context_flush_control");
         }
 #endif
 
commit c010bcb8c36b2ca0bba1b80c9bde63ff89e42ed4
Author: Giuseppe Bilotta <giuseppe.bilotta at gmail.com>
Date:   Sat Nov 4 23:06:29 2017 +0100

    randr: ProcRRGetOutputInfo: initialize memory
    
    Running Xephyr under valgrind reveals that we're sending some
    uninitialized memory over the wire (particularly, the leftover padding
    that comes from rounding extraLen to the next 32-bit multiple).
    
    Solve by calloc()ing the memory instead of malloc()ing (the alternative
    would be to memset just the padding, but I'm not sure it's more
    convenient.)
    
    Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta at gmail.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit bb766ef11227bd8c71ac65845d1930edd0eda40d)

diff --git a/randr/rroutput.c b/randr/rroutput.c
index a8efec409..647f19a52 100644
--- a/randr/rroutput.c
+++ b/randr/rroutput.c
@@ -459,7 +459,7 @@ ProcRRGetOutputInfo(ClientPtr client)
 
     if (extraLen) {
         rep.length += bytes_to_int32(extraLen);
-        extra = malloc(extraLen);
+        extra = calloc(1, extraLen);
         if (!extra)
             return BadAlloc;
     }
commit c328570644e3b4dfaf840d057883a4db31976da7
Author: Giuseppe Bilotta <giuseppe.bilotta at gmail.com>
Date:   Sat Nov 4 23:06:27 2017 +0100

    xkb: initialize tsyms
    
    This fixes some “Conditional jump depends on uninitialized value(s)”
    errors spotted by valgrind.
    
    Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>
    Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta at gmail.com>
    (cherry picked from commit b2167015043a458e9cf93b827b43eb5b7c552ce9)

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index 25b5a364e..8975ade8d 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -222,7 +222,7 @@ XkbUpdateKeyTypesFromCore(DeviceIntPtr pXDev,
     XkbDescPtr xkb;
     unsigned key, nG, explicit;
     int types[XkbNumKbdGroups];
-    KeySym tsyms[XkbMaxSymsPerKey], *syms;
+    KeySym tsyms[XkbMaxSymsPerKey] = {NoSymbol}, *syms;
     XkbMapChangesPtr mc;
 
     xkb = pXDev->key->xkbInfo->desc;
commit c39de5f7358634eb2fea66041e3a3465e8cf6e13
Author: Eric Anholt <eric at anholt.net>
Date:   Tue Oct 31 12:22:31 2017 -0700

    xkb: Print the xkbcomp path being executed when we fail to compile.
    
    I don't know how many times I've had a broken server due to a bad
    directory to xkbcomp, and only finding the whole path has shown me
    where I went wrong.
    
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 30f4d440ebc3517fdcc1d3c6a422a8fbf3af1f23)

diff --git a/xkb/ddxLoad.c b/xkb/ddxLoad.c
index f71815aa8..bbe395245 100644
--- a/xkb/ddxLoad.c
+++ b/xkb/ddxLoad.c
@@ -191,8 +191,10 @@ RunXkbComp(xkbcomp_buffer_callback callback, void *userdata)
 #endif
             return xnfstrdup(keymap);
         }
-        else
-            LogMessage(X_ERROR, "Error compiling keymap (%s)\n", keymap);
+        else {
+            LogMessage(X_ERROR, "Error compiling keymap (%s) executing '%s'\n",
+                       keymap, buf);
+        }
 #ifdef WIN32
         /* remove the temporary file */
         unlink(tmpname);
commit 5a5b6d6cca469521daa6ac9087f3589b7489ab55
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Tue Sep 26 15:21:59 2017 +1000

    config/udev: consider ID_INPUT_FOO=0 as 'unset'
    
    Historically we didn't need to care about this case but more devices are
    having invalid types set and they cannot be unset with a hwdb entry (which
    doesn't handle the empty string). Allow for "0" to mean "unset" because
    anything else would be crazy anyway.
    
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit 5aad81445c8c3d6b7b30d503cfe26027fa482870)

diff --git a/config/udev.c b/config/udev.c
index 932f230c7..e198e8609 100644
--- a/config/udev.c
+++ b/config/udev.c
@@ -134,7 +134,8 @@ device_added(struct udev_device *udev_device)
     }
 #endif
 
-    if (!udev_device_get_property_value(udev_device, "ID_INPUT")) {
+    value = udev_device_get_property_value(udev_device, "ID_INPUT");
+    if (value && !strcmp(value, "0")) {
         LogMessageVerb(X_INFO, 10,
                        "config/udev: ignoring device %s without "
                        "property ID_INPUT set\n", path);
@@ -237,38 +238,36 @@ device_added(struct udev_device *udev_device)
         else if (!strcmp(key, "ID_VENDOR")) {
             LOG_PROPERTY(path, key, value);
             attrs.vendor = strdup(value);
-        }
-        else if (!strcmp(key, "ID_INPUT_KEY")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_KEY;
-        }
-        else if (!strcmp(key, "ID_INPUT_KEYBOARD")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_KEYBOARD;
-        }
-        else if (!strcmp(key, "ID_INPUT_MOUSE")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_POINTER;
-        }
-        else if (!strcmp(key, "ID_INPUT_JOYSTICK")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_JOYSTICK;
-        }
-        else if (!strcmp(key, "ID_INPUT_TABLET")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_TABLET;
-        }
-        else if (!strcmp(key, "ID_INPUT_TABLET_PAD")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_TABLET_PAD;
-        }
-        else if (!strcmp(key, "ID_INPUT_TOUCHPAD")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_TOUCHPAD;
-        }
-        else if (!strcmp(key, "ID_INPUT_TOUCHSCREEN")) {
-            LOG_PROPERTY(path, key, value);
-            attrs.flags |= ATTR_TOUCHSCREEN;
+        } else if (!strncmp(key, "ID_INPUT_", 9)) {
+            const struct pfmap {
+                const char *property;
+                unsigned int flag;
+            } map[] = {
+                { "ID_INPUT_KEY", ATTR_KEY },
+                { "ID_INPUT_KEYBOARD", ATTR_KEYBOARD },
+                { "ID_INPUT_MOUSE", ATTR_POINTER },
+                { "ID_INPUT_JOYSTICK", ATTR_JOYSTICK },
+                { "ID_INPUT_TABLET", ATTR_TABLET },
+                { "ID_INPUT_TABLET_PAD", ATTR_TABLET_PAD },
+                { "ID_INPUT_TOUCHPAD", ATTR_TOUCHPAD },
+                { "ID_INPUT_TOUCHSCREEN", ATTR_TOUCHSCREEN },
+                { NULL, 0 },
+            };
+
+            /* Anything but the literal string "0" is considered a
+             * boolean true. The empty string isn't a thing with udev
+             * properties anyway */
+            if (value && strcmp(value, "0")) {
+                const struct pfmap *m = map;
+
+                while (m->property != NULL) {
+                    if (!strcmp(m->property, key)) {
+                        LOG_PROPERTY(path, key, value);
+                        attrs.flags |= m->flag;
+                    }
+                    m++;
+                }
+            }
         }
     }
 
commit 8817747c8587d75c14e00069e8f26e3edb671013
Author: Daniel Martin <consume.noise at gmail.com>
Date:   Fri Oct 27 16:11:55 2017 +0200

    test: signal-logging: Fix looping signed number tests
    
    unsigned_tests[] was used to compute the amount of signed numbers to
    test.
    
    Signed-off-by: Daniel Martin <consume.noise at gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>
    (cherry picked from commit 15a32ee5d1fffa171bb05af9a0e5b472e4af1488)

diff --git a/test/signal-logging.c b/test/signal-logging.c
index 7f2972003..1af6316de 100644
--- a/test/signal-logging.c
+++ b/test/signal-logging.c
@@ -146,7 +146,7 @@ number_formatting(void)
     for (i = 0; i < sizeof(unsigned_tests) / sizeof(unsigned_tests[0]); i++)
         assert(check_number_format_test(unsigned_tests[i]));
 
-    for (i = 0; i < sizeof(unsigned_tests) / sizeof(signed_tests[0]); i++)
+    for (i = 0; i < sizeof(signed_tests) / sizeof(signed_tests[0]); i++)
         assert(check_signed_number_format_test(signed_tests[i]));
 
     for (i = 0; i < sizeof(float_tests) / sizeof(float_tests[0]); i++)
commit e663998fa8bb77bb753abed1e0c12922d4ce1669
Author: Daniel Martin <consume.noise at gmail.com>
Date:   Fri Oct 27 16:11:54 2017 +0200

    test: input: Fix used uninitialized warning in dix_event_to_core
    
    input.c: In function ‘dix_event_to_core’:
    ../include/inputstr.h:61:55: warning: ‘*((void *)&ev+80)’ is used uninitialized in this function [-Wuninitialized]
     #define SetBit(ptr, bit)  (((BYTE *) (ptr))[(bit)>>3] |= (1 << ((bit) & 7)))
                                                           ^~
    
    Signed-off-by: Daniel Martin <consume.noise at gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>
    (cherry picked from commit 0bcc65f2bf479c6a74ac70bb5b5181d6834dded6)

diff --git a/test/input.c b/test/input.c
index 91ee43c46..92dd8910c 100644
--- a/test/input.c
+++ b/test/input.c
@@ -228,7 +228,7 @@ dix_check_grab_values(void)
 static void
 dix_event_to_core(int type)
 {
-    DeviceEvent ev;
+    DeviceEvent ev = {};
     xEvent *core;
     int time;
     int x, y;
commit e8530b872aa4b1648bba7fb3dddaf9abf70100ed
Author: Daniel Martin <consume.noise at gmail.com>
Date:   Fri Oct 27 16:11:53 2017 +0200

    modesetting: Fix potential buffer overflow
    
    If one misconfigures a ZaphodHeads value (more than 20 characters
    without a delimiter), we get an overflow of our buffer.  Use
    xstrtokenize() instead of writing/fixing our own tokenizer.
    
    Signed-off-by: Daniel Martin <consume.noise at gmail.com>
    Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>
    (cherry picked from commit 04a305121fbc08ecc2ef345ee7155d6087a43fd1)

diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c
index 53e1cf545..45d5e9091 100644
--- a/hw/xfree86/drivers/modesetting/drmmode_display.c
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c
@@ -57,34 +57,22 @@ static PixmapPtr drmmode_create_pixmap_header(ScreenPtr pScreen, int width, int
 static Bool
 drmmode_zaphod_string_matches(ScrnInfoPtr scrn, const char *s, char *output_name)
 {
-    int i = 0;
-    char s1[20];
-
-    do {
-        switch(*s) {
-        case ',':
-            s1[i] = '\0';
-            i = 0;
-            if (strcmp(s1, output_name) == 0)
-                return TRUE;
-            break;
-        case ' ':
-        case '\t':
-        case '\n':
-        case '\r':
-            break;
-        default:
-            s1[i] = *s;
-            i++;
-            break;
-        }
-    } while(*s++);
+    char **token = xstrtokenize(s, ", \t\n\r");
+    Bool ret = FALSE;
 
-    s1[i] = '\0';
-    if (strcmp(s1, output_name) == 0)
-        return TRUE;
+    if (!token)
+        return FALSE;
 
-    return FALSE;
+    for (int i = 0; token[i]; i++) {
+        if (strcmp(token[i], output_name) == 0)
+            ret = TRUE;
+
+        free(token[i]);
+    }
+
+    free(token);
+
+    return ret;
 }
 
 int
diff --git a/include/misc.h b/include/misc.h
index 01747fd38..2dedf6d63 100644
--- a/include/misc.h
+++ b/include/misc.h
@@ -248,7 +248,7 @@ padding_for_int32(const int bytes)
 }
 
 
-extern char **xstrtokenize(const char *str, const char *separators);
+extern _X_EXPORT char **xstrtokenize(const char *str, const char *separators);
 extern void FormatInt64(int64_t num, char *string);
 extern void FormatUInt64(uint64_t num, char *string);
 extern void FormatUInt64Hex(uint64_t num, char *string);
commit 4ef1aef0fbbf47c937cf421f0180cc18fc23a03e
Author: Alex Goins <agoins at nvidia.com>
Date:   Tue Oct 24 18:39:13 2017 -0700

    ramdac: Check ScreenPriv != NULL in xf86ScreenSetCursor()
    
    Similar to change cba5a10f, xf86ScreenSetCursor() would dereference ScreenPriv
    without NULL checking it. If Option "SWCursor" is specified, ScreenPriv == NULL.
    
    Without this fix, it is observed that setting Option "SWCursor" "on" on the
    modesetting driver in a PRIME configuration will segfault the server.
    
    It is important to return success rather than failure in the instance that
    ScreenPriv == NULL and pCurs == NullCursor, because otherwise xf86SetCursor()
    can fall into infinite recursion: xf86SetCursor(pCurs) calls
    xf86ScreenSetCursor(pCurs), and if FALSE, calls xf86SetCursor(NullCursor). If
    xf86ScreenSetCursor(NullCursor) returns FALSE, it calls
    xf86SetCursor(NullCursor) again and this repeats forever.
    
    Signed-off-by: Alex Goins <agoins at nvidia.com>
    Reviewed-by: Dave Airlie <airlied at redhat.com>
    (cherry picked from commit 68d95e759f8b6ebca6bd52e69e6bc34cc174f8ca)

diff --git a/hw/xfree86/ramdac/xf86HWCurs.c b/hw/xfree86/ramdac/xf86HWCurs.c
index 7043a9c72..4e2e587fd 100644
--- a/hw/xfree86/ramdac/xf86HWCurs.c
+++ b/hw/xfree86/ramdac/xf86HWCurs.c
@@ -180,9 +180,16 @@ xf86ScreenSetCursor(ScreenPtr pScreen, CursorPtr pCurs, int x, int y)
     xf86CursorScreenPtr ScreenPriv =
         (xf86CursorScreenPtr) dixLookupPrivate(&pScreen->devPrivates,
                                                xf86CursorScreenKey);
-    xf86CursorInfoPtr infoPtr = ScreenPriv->CursorInfoPtr;
+
+    xf86CursorInfoPtr infoPtr;
     unsigned char *bits;
 
+    if (!ScreenPriv) { /* NULL if Option "SWCursor" */
+        return (pCurs == NullCursor);
+    }
+
+    infoPtr = ScreenPriv->CursorInfoPtr;
+
     if (pCurs == NullCursor) {
         (*infoPtr->HideCursor) (infoPtr->pScrn);
         return TRUE;
commit cd5076a50c0274512bd2ce2c8ecf56c3517d0266
Author: Nikolay Martynov <mar.kolya at gmail.com>
Date:   Wed Sep 13 23:23:13 2017 -0400

    XShmGetImage: fix censoring
    
    It looks like offsets calculated during image censoring are wrong.
    This results in black (empty) images returns.
    
    This fix is very similar to 6c6f09aac7f1d1367a042087b7681c7fdf1d1e0f
    that was applied to XGetImage
    
    Visually this fixes chromium/firefox window sharing in multiscreen
    configurations - without this patch most of the windows on 'secodnary'
    screens are black.
    
    This also should fix https://bugs.freedesktop.org/show_bug.cgi?id=101730.
    
    Signed-off-by: Nikolay Martynov <mar.kolya at gmail.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit 885636b7d42b3c7b151fc386d358184db004ce45)

diff --git a/Xext/shm.c b/Xext/shm.c
index c98d4a0c3..fe42a66d2 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -650,9 +650,8 @@ ProcShmGetImage(ClientPtr client)
                wBorderWidth((WindowPtr) pDraw) + (int) pDraw->height)
             return BadMatch;
         visual = wVisual(((WindowPtr) pDraw));
-        pVisibleRegion = NotClippedByChildren((WindowPtr) pDraw);
-        if (pVisibleRegion)
-            RegionTranslate(pVisibleRegion, -pDraw->x, -pDraw->y);
+        if (pDraw->type == DRAWABLE_WINDOW)
+            pVisibleRegion = &((WindowPtr) pDraw)->borderClip;
     }
     else {
         if (stuff->x < 0 ||
@@ -715,9 +714,6 @@ ProcShmGetImage(ClientPtr client)
         }
     }
 
-    if (pVisibleRegion)
-        RegionDestroy(pVisibleRegion);
-
     if (client->swapped) {
         swaps(&xgi.sequenceNumber);
         swapl(&xgi.length);