xserver: Branch 'server-1.19-branch' - 3 commits
Adam Jackson
ajax at kemper.freedesktop.org
Wed Mar 15 17:36:57 UTC 2017
glamor/glamor_dash.c | 1 +
os/busfault.c | 13 +++++++------
render/render.c | 4 ++++
3 files changed, 12 insertions(+), 6 deletions(-)
New commits:
commit b258ed457d8f22cfba8a45b35a9be9b53fd37e1e
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Fri Feb 17 08:18:52 2017 +0000
os: Fix iteration over busfaults
Fixes a regression from
commit 41da295eb50fa08eaacd0ecde99f43a716fcb41a
Author: Keith Packard <keithp at keithp.com>
Date: Sun Nov 3 13:12:40 2013 -0800
Trap SIGBUS to handle truncated shared memory segments
that causes the SIGBUS handler to fail to chain up correctly and
corrupts nearby memory instead.
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>
(cherry picked from commit acdb5bf2de57c0080d2a6e730c788a0a428e13dc)
diff --git a/os/busfault.c b/os/busfault.c
index d4afa6d..a2d433a 100644
--- a/os/busfault.c
+++ b/os/busfault.c
@@ -98,15 +98,16 @@ static void
busfault_sigaction(int sig, siginfo_t *info, void *param)
{
void *fault = info->si_addr;
- struct busfault *busfault = NULL;
+ struct busfault *iter, *busfault = NULL;
void *new_addr;
/* Locate the faulting address in our list of shared segments
*/
- xorg_list_for_each_entry(busfault, &busfaults, list) {
- if ((char *) busfault->addr <= (char *) fault && (char *) fault < (char *) busfault->addr + busfault->size) {
- break;
- }
+ xorg_list_for_each_entry(iter, &busfaults, list) {
+ if ((char *) iter->addr <= (char *) fault && (char *) fault < (char *) iter->addr + iter->size) {
+ busfault = iter;
+ break;
+ }
}
if (!busfault)
goto panic;
@@ -132,7 +133,7 @@ panic:
if (previous_busfault_sigaction)
(*previous_busfault_sigaction)(sig, info, param);
else
- FatalError("bus error");
+ FatalError("bus error\n");
}
Bool
commit 7c4fab2f1f411b6f7d7adc76271fca7c29365ac4
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Mon Mar 13 19:13:14 2017 +0100
render: Fix out of boundary heap access
ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
be protected against an integer overflow during length check. This is
already included in ProcRenderCreateLinearGradient since the fix for
CVE-2008-2362.
This can only be successfully exploited on a 32 bit system for an
out of boundary read later on. Validated by using ASAN.
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2)
diff --git a/render/render.c b/render/render.c
index b9a932e..bfacaa0 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+ if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+ if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
commit fbb46e0be897ffe78b731a2456673b4cbb73b2be
Author: Dr.-Ing. Dieter Jurzitza <dieter.jurzitza at t-online.de>
Date: Thu Feb 23 12:57:26 2017 -0500
glamor: Fix missing declaration in dash vertex shader
Fixes a GLSL compilation error:
Failed to compile VS: 0:13(43): error: `pos' undeclared
0:13(14): error: operands to arithmetic operators must be numeric
0:13(13): error: operands to arithmetic operators must be numeric
[1.19: Squash in Michel's typo fix from 0c1574d9]
Tested-by: Stefan Dirsch <sndirsch at suse.com>
Reviewed-by: Adam Jackson <ajax at redhat.com>
(cherry picked from commit d8161aeb50891ae10c5656487ce8f982deed5f9f)
(cherry picked from commit 0c1574d9882a91b2c1a046bf4ac5a9b138a37965)
diff --git a/glamor/glamor_dash.c b/glamor/glamor_dash.c
index 3c19dba..78a4fa3 100644
--- a/glamor/glamor_dash.c
+++ b/glamor/glamor_dash.c
@@ -32,6 +32,7 @@ static const char dash_vs_vars[] =
static const char dash_vs_exec[] =
" dash_offset = primitive.z / dash_length;\n"
+ " vec2 pos = vec2(0,0);\n"
GLAMOR_POS(gl_Position, primitive.xy);
static const char dash_fs_vars[] =
More information about the xorg-commit
mailing list