xserver: Branch 'server-1.19-branch' - 3 commits

Adam Jackson ajax at kemper.freedesktop.org
Wed Mar 15 17:36:57 UTC 2017


 glamor/glamor_dash.c |    1 +
 os/busfault.c        |   13 +++++++------
 render/render.c      |    4 ++++
 3 files changed, 12 insertions(+), 6 deletions(-)

New commits:
commit b258ed457d8f22cfba8a45b35a9be9b53fd37e1e
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Fri Feb 17 08:18:52 2017 +0000

    os: Fix iteration over busfaults
    
    Fixes a regression from
    
    commit 41da295eb50fa08eaacd0ecde99f43a716fcb41a
    Author: Keith Packard <keithp at keithp.com>
    Date:   Sun Nov 3 13:12:40 2013 -0800
    
        Trap SIGBUS to handle truncated shared memory segments
    
    that causes the SIGBUS handler to fail to chain up correctly and
    corrupts nearby memory instead.
    
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
    (cherry picked from commit acdb5bf2de57c0080d2a6e730c788a0a428e13dc)

diff --git a/os/busfault.c b/os/busfault.c
index d4afa6d..a2d433a 100644
--- a/os/busfault.c
+++ b/os/busfault.c
@@ -98,15 +98,16 @@ static void
 busfault_sigaction(int sig, siginfo_t *info, void *param)
 {
     void                *fault = info->si_addr;
-    struct busfault     *busfault = NULL;
+    struct busfault     *iter, *busfault = NULL;
     void                *new_addr;
 
     /* Locate the faulting address in our list of shared segments
      */
-    xorg_list_for_each_entry(busfault, &busfaults, list) {
-        if ((char *) busfault->addr <= (char *) fault && (char *) fault < (char *) busfault->addr + busfault->size) {
-            break;
-        }
+    xorg_list_for_each_entry(iter, &busfaults, list) {
+	if ((char *) iter->addr <= (char *) fault && (char *) fault < (char *) iter->addr + iter->size) {
+	    busfault = iter;
+	    break;
+	}
     }
     if (!busfault)
         goto panic;
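Review bot: The new `iter` cursor has no comment saying why it must stay separate from `busfault`, and the four lines added inside the loop are tab-indented while the rest of busfault_sigaction uses spaces. xorg_list_for_each_entry leaves its cursor pointing at the container of the list head, not NULL, when no entry matches, so the `if (!busfault)` test below is only meaningful because `busfault` is assigned on a match and nowhere else. I would add `/* iter is never NULL after the loop; busfault is set only on a real match */` above the loop and re-indent the added lines with spaces. The function body continues past the end of this hunk.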
@@ -132,7 +133,7 @@ panic:
     if (previous_busfault_sigaction)
         (*previous_busfault_sigaction)(sig, info, param);
     else
-        FatalError("bus error");
+        FatalError("bus error\n");
 }
 
 Bool
commit 7c4fab2f1f411b6f7d7adc76271fca7c29365ac4
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date:   Mon Mar 13 19:13:14 2017 +0100

    render: Fix out of boundary heap access
    
    ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
    be protected against an integer overflow during length check. This is
    already included in ProcRenderCreateLinearGradient since the fix for
    CVE-2008-2362.
    
    This can only be successfully exploited on a 32 bit system for an
    out of boundary read later on. Validated by using ASAN.
    
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2)

diff --git a/render/render.c b/render/render.c
index b9a932e..bfacaa0 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
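Review bot: The per-stop size `sizeof(xFixed) + sizeof(xRenderColor)` is now written twice in a row here and twice more in the ProcRenderCreateConicalGradient hunk, so the overflow guard and the length comparison can drift apart if only one is edited. A local such as `const size_t stop_size = sizeof(xFixed) + sizeof(xRenderColor);` used in both the `UINT32_MAX / stop_size` guard and the `len != stuff->nStops * stop_size` test would keep them tied together. A one-line comment would also help the next reader, e.g. `/* nStops comes from the client; reject counts whose byte length would wrap before the length check */`. The declaration of `len` and any earlier request-size check are outside the hunk, so whether `len` can be negative for a short request cannot be judged from here.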
@@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
commit fbb46e0be897ffe78b731a2456673b4cbb73b2be
Author: Dr.-Ing. Dieter Jurzitza <dieter.jurzitza at t-online.de>
Date:   Thu Feb 23 12:57:26 2017 -0500

    glamor: Fix missing declaration in dash vertex shader
    
    Fixes a GLSL compilation error:
    
    Failed to compile VS: 0:13(43): error: `pos' undeclared
    0:13(14): error: operands to arithmetic operators must be numeric
    0:13(13): error: operands to arithmetic operators must be numeric
    
    [1.19: Squash in Michel's typo fix from 0c1574d9]
    
    Tested-by: Stefan Dirsch <sndirsch at suse.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    (cherry picked from commit d8161aeb50891ae10c5656487ce8f982deed5f9f)
    (cherry picked from commit 0c1574d9882a91b2c1a046bf4ac5a9b138a37965)

diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c
index 3c19dba..78a4fa3 100644
--- a/glamor/glamor_dash.c
+++ b/glamor/glamor_dash.c
@@ -32,6 +32,7 @@ static const char dash_vs_vars[] =
 
 static const char dash_vs_exec[] =
     "       dash_offset = primitive.z / dash_length;\n"
+    "       vec2 pos = vec2(0,0);\n"
     GLAMOR_POS(gl_Position, primitive.xy);
 
 static const char dash_fs_vars[] =
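Review bot: The added `vec2 pos = vec2(0,0);` line carries no explanation of what reads `pos`; nothing in the visible shader text uses it, so it is presumably consumed by the GLAMOR_POS expansion on the following line. A short C comment above the string, such as `/* GLAMOR_POS expects a vec2 named pos to be in scope */`, would keep a later cleanup from dropping the declaration as unused. Whether other shaders that use GLAMOR_POS need the same declaration is not visible from this hunk.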

