xserver: Branch 'server-21.1-branch' - 3 commits
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Oct 22 21:41:55 UTC 2024
hw/xfree86/parser/DRI.c | 2 ++
hw/xfree86/parser/Device.c | 2 ++
hw/xfree86/parser/Extensions.c | 2 ++
hw/xfree86/parser/Files.c | 2 ++
hw/xfree86/parser/Flags.c | 16 ++++++++++++----
hw/xfree86/parser/Input.c | 2 ++
hw/xfree86/parser/InputClass.c | 2 ++
hw/xfree86/parser/Layout.c | 2 ++
hw/xfree86/parser/Module.c | 11 +++++++++--
hw/xfree86/parser/Monitor.c | 6 ++++++
hw/xfree86/parser/OutputClass.c | 2 ++
hw/xfree86/parser/Pointer.c | 2 ++
hw/xfree86/parser/Screen.c | 4 ++++
hw/xfree86/parser/Vendor.c | 4 ++++
hw/xfree86/parser/Video.c | 4 ++++
hw/xfree86/parser/read.c | 2 ++
hw/xfree86/parser/scan.c | 14 ++++++++++----
os/client.c | 29 ++++++++++++++++++-----------
18 files changed, 87 insertions(+), 21 deletions(-)
New commits:
commit e3e14369c62a3647b8f125d9dcb7072f370c10f1
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Sat Oct 14 19:06:22 2023 +0200
Fix a double-free on syntax error without a new line.
$ echo "#foo\nfoo" > custom_config $ X -config custom_config
will trigger the double free because the contents of xf86_lex_val.str
have been realloc()ed aready when free is called in read.c:209.
This copies the lex token and adds all the necessary free() calls to
avoid leaking it
(cherry picked from commit fbc034e847a3862a0a28e5872135a3c502da6518)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
diff --git a/hw/xfree86/parser/DRI.c b/hw/xfree86/parser/DRI.c
index 31f447d05..933e69f30 100644
--- a/hw/xfree86/parser/DRI.c
+++ b/hw/xfree86/parser/DRI.c
@@ -77,6 +77,8 @@ xf86parseDRISection(void)
break;
case COMMENT:
ptr->dri_comment = xf86addComment(ptr->dri_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
default:
Error(INVALID_KEYWORD_MSG, xf86tokenString());
diff --git a/hw/xfree86/parser/Device.c b/hw/xfree86/parser/Device.c
index 34b7f6557..d0d057adc 100644
--- a/hw/xfree86/parser/Device.c
+++ b/hw/xfree86/parser/Device.c
@@ -106,6 +106,8 @@ xf86parseDeviceSection(void)
switch (token) {
case COMMENT:
ptr->dev_comment = xf86addComment(ptr->dev_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->dev_comment)) != STRING)
diff --git a/hw/xfree86/parser/Extensions.c b/hw/xfree86/parser/Extensions.c
index 3a2195901..206c512ef 100644
--- a/hw/xfree86/parser/Extensions.c
+++ b/hw/xfree86/parser/Extensions.c
@@ -67,6 +67,8 @@ xf86parseExtensionsSection(void)
case COMMENT:
ptr->extensions_comment =
xf86addComment(ptr->extensions_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
default:
Error(INVALID_KEYWORD_MSG, xf86tokenString());
diff --git a/hw/xfree86/parser/Files.c b/hw/xfree86/parser/Files.c
index c86ac7af2..fba99a864 100644
--- a/hw/xfree86/parser/Files.c
+++ b/hw/xfree86/parser/Files.c
@@ -89,6 +89,8 @@ xf86parseFilesSection(void)
switch (token) {
case COMMENT:
ptr->file_comment = xf86addComment(ptr->file_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case FONTPATH:
if (xf86getSubToken(&(ptr->file_comment)) != STRING)
diff --git a/hw/xfree86/parser/Flags.c b/hw/xfree86/parser/Flags.c
index d677cf1db..7d35bb7ea 100644
--- a/hw/xfree86/parser/Flags.c
+++ b/hw/xfree86/parser/Flags.c
@@ -98,6 +98,8 @@ xf86parseFlagsSection(void)
switch (token) {
case COMMENT:
ptr->flg_comment = xf86addComment(ptr->flg_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
/*
* these old keywords are turned into standard generic options.
@@ -436,18 +438,24 @@ xf86parseOption(XF86OptionPtr head)
if ((token = xf86getSubToken(&comment)) == STRING) {
option = xf86newOption(name, xf86_lex_val.str);
option->opt_comment = comment;
- if ((token = xf86getToken(NULL)) == COMMENT)
+ if ((token = xf86getToken(NULL)) == COMMENT) {
option->opt_comment = xf86addComment(option->opt_comment, xf86_lex_val.str);
- else
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ } else {
xf86unGetToken(token);
+ }
}
else {
option = xf86newOption(name, NULL);
option->opt_comment = comment;
- if (token == COMMENT)
+ if (token == COMMENT) {
option->opt_comment = xf86addComment(option->opt_comment, xf86_lex_val.str);
- else
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ } else {
xf86unGetToken(token);
+ }
}
old = NULL;
diff --git a/hw/xfree86/parser/Input.c b/hw/xfree86/parser/Input.c
index 88d19b6b5..6b286ec74 100644
--- a/hw/xfree86/parser/Input.c
+++ b/hw/xfree86/parser/Input.c
@@ -84,6 +84,8 @@ xf86parseInputSection(void)
switch (token) {
case COMMENT:
ptr->inp_comment = xf86addComment(ptr->inp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->inp_comment)) != STRING)
diff --git a/hw/xfree86/parser/InputClass.c b/hw/xfree86/parser/InputClass.c
index 7281659e0..8b9510c0b 100644
--- a/hw/xfree86/parser/InputClass.c
+++ b/hw/xfree86/parser/InputClass.c
@@ -191,6 +191,8 @@ xf86parseInputClassSection(void)
switch (token) {
case COMMENT:
ptr->comment = xf86addComment(ptr->comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->comment)) != STRING)
diff --git a/hw/xfree86/parser/Layout.c b/hw/xfree86/parser/Layout.c
index 2c829f4ee..532f318f3 100644
--- a/hw/xfree86/parser/Layout.c
+++ b/hw/xfree86/parser/Layout.c
@@ -101,6 +101,8 @@ xf86parseLayoutSection(void)
switch (token) {
case COMMENT:
ptr->lay_comment = xf86addComment(ptr->lay_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->lay_comment)) != STRING)
diff --git a/hw/xfree86/parser/Module.c b/hw/xfree86/parser/Module.c
index 38bf777ed..9a166aff2 100644
--- a/hw/xfree86/parser/Module.c
+++ b/hw/xfree86/parser/Module.c
@@ -95,6 +95,8 @@ xf86parseModuleSubSection(XF86LoadPtr head, char *name)
switch (token) {
case COMMENT:
ptr->load_comment = xf86addComment(ptr->load_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case OPTION:
ptr->load_opt = xf86parseOption(ptr->load_opt);
@@ -126,6 +128,8 @@ xf86parseModuleSection(void)
switch (token) {
case COMMENT:
ptr->mod_comment = xf86addComment(ptr->mod_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case LOAD:
if (xf86getSubToken(&(ptr->mod_comment)) != STRING)
@@ -230,10 +234,13 @@ xf86addNewLoadDirective(XF86LoadPtr head, const char *name, int type,
new->ignore = 0;
new->list.next = NULL;
- if ((token = xf86getToken(NULL)) == COMMENT)
+ if ((token = xf86getToken(NULL)) == COMMENT) {
new->load_comment = xf86addComment(new->load_comment, xf86_lex_val.str);
- else
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ } else {
xf86unGetToken(token);
+ }
return ((XF86LoadPtr) xf86addListItem((glp) head, (glp) new));
}
diff --git a/hw/xfree86/parser/Monitor.c b/hw/xfree86/parser/Monitor.c
index 1d63a441c..056b9f4c0 100644
--- a/hw/xfree86/parser/Monitor.c
+++ b/hw/xfree86/parser/Monitor.c
@@ -269,6 +269,8 @@ xf86parseVerboseMode(void)
switch (token) {
case COMMENT:
ptr->ml_comment = xf86addComment(ptr->ml_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case DOTCLOCK:
if ((token = xf86getSubToken(&(ptr->ml_comment))) != NUMBER)
@@ -413,6 +415,8 @@ xf86parseMonitorSection(void)
switch (token) {
case COMMENT:
ptr->mon_comment = xf86addComment(ptr->mon_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->mon_comment)) != STRING)
@@ -599,6 +603,8 @@ xf86parseModesSection(void)
switch (token) {
case COMMENT:
ptr->modes_comment = xf86addComment(ptr->modes_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->modes_comment)) != STRING)
diff --git a/hw/xfree86/parser/OutputClass.c b/hw/xfree86/parser/OutputClass.c
index 01b348fdd..4c5340a03 100644
--- a/hw/xfree86/parser/OutputClass.c
+++ b/hw/xfree86/parser/OutputClass.c
@@ -102,6 +102,8 @@ xf86parseOutputClassSection(void)
switch (token) {
case COMMENT:
ptr->comment = xf86addComment(ptr->comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->comment)) != STRING)
diff --git a/hw/xfree86/parser/Pointer.c b/hw/xfree86/parser/Pointer.c
index ff63deb31..85f7b46d5 100644
--- a/hw/xfree86/parser/Pointer.c
+++ b/hw/xfree86/parser/Pointer.c
@@ -104,6 +104,8 @@ xf86parsePointerSection(void)
switch (token) {
case COMMENT:
ptr->inp_comment = xf86addComment(ptr->inp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case PROTOCOL:
if (xf86getSubToken(&(ptr->inp_comment)) != STRING)
diff --git a/hw/xfree86/parser/Screen.c b/hw/xfree86/parser/Screen.c
index a831c30cd..28cd03b68 100644
--- a/hw/xfree86/parser/Screen.c
+++ b/hw/xfree86/parser/Screen.c
@@ -119,6 +119,8 @@ xf86parseDisplaySubSection(void)
switch (token) {
case COMMENT:
ptr->disp_comment = xf86addComment(ptr->disp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case VIEWPORT:
if (xf86getSubToken(&(ptr->disp_comment)) != NUMBER)
@@ -256,6 +258,8 @@ xf86parseScreenSection(void)
switch (token) {
case COMMENT:
ptr->scrn_comment = xf86addComment(ptr->scrn_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->scrn_comment)) != STRING)
diff --git a/hw/xfree86/parser/Vendor.c b/hw/xfree86/parser/Vendor.c
index 50ea68956..456ce8fd0 100644
--- a/hw/xfree86/parser/Vendor.c
+++ b/hw/xfree86/parser/Vendor.c
@@ -98,6 +98,8 @@ xf86parseVendorSubSection(void)
switch (token) {
case COMMENT:
ptr->vs_comment = xf86addComment(ptr->vs_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->vs_comment)))
@@ -151,6 +153,8 @@ xf86parseVendorSection(void)
switch (token) {
case COMMENT:
ptr->vnd_comment = xf86addComment(ptr->vnd_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->vnd_comment)) != STRING)
diff --git a/hw/xfree86/parser/Video.c b/hw/xfree86/parser/Video.c
index 4e8526f3f..108c8f3ad 100644
--- a/hw/xfree86/parser/Video.c
+++ b/hw/xfree86/parser/Video.c
@@ -97,6 +97,8 @@ xf86parseVideoPortSubSection(void)
switch (token) {
case COMMENT:
ptr->vp_comment = xf86addComment(ptr->vp_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->vp_comment)) != STRING)
@@ -154,6 +156,8 @@ xf86parseVideoAdaptorSection(void)
switch (token) {
case COMMENT:
ptr->va_comment = xf86addComment(ptr->va_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case IDENTIFIER:
if (xf86getSubToken(&(ptr->va_comment)) != STRING)
diff --git a/hw/xfree86/parser/read.c b/hw/xfree86/parser/read.c
index d7e731217..a4600bc06 100644
--- a/hw/xfree86/parser/read.c
+++ b/hw/xfree86/parser/read.c
@@ -100,6 +100,8 @@ xf86readConfigFile(void)
switch (token) {
case COMMENT:
ptr->conf_comment = xf86addComment(ptr->conf_comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
break;
case SECTION:
if (xf86getSubToken(&(ptr->conf_comment)) != STRING) {
diff --git a/hw/xfree86/parser/scan.c b/hw/xfree86/parser/scan.c
index 1eb35ed73..f4645f9d9 100644
--- a/hw/xfree86/parser/scan.c
+++ b/hw/xfree86/parser/scan.c
@@ -332,10 +332,10 @@ xf86getToken(const xf86ConfigSymTabRec * tab)
}
while ((c != '\n') && (c != '\r') && (c != '\0'));
configRBuf[i] = '\0';
- /* XXX no private copy.
+ /* XXX private copy.
* Use xf86addComment when setting a comment.
*/
- xf86_lex_val.str = configRBuf;
+ xf86_lex_val.str = strdup(configRBuf);
return COMMENT;
}
@@ -448,8 +448,11 @@ xf86getSubToken(char **comment)
for (;;) {
token = xf86getToken(NULL);
if (token == COMMENT) {
- if (comment)
+ if (comment) {
*comment = xf86addComment(*comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ }
}
else
return token;
@@ -464,8 +467,11 @@ xf86getSubTokenWithTab(char **comment, const xf86ConfigSymTabRec * tab)
for (;;) {
token = xf86getToken(tab);
if (token == COMMENT) {
- if (comment)
+ if (comment) {
*comment = xf86addComment(*comment, xf86_lex_val.str);
+ free(xf86_lex_val.str);
+ xf86_lex_val.str = NULL;
+ }
}
else
return token;
commit 4adb5d589f4bb90bf0ff9f1c88096ce60c41286c
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Sat Feb 17 16:47:38 2024 +0100
Return NULL in *cmdname if the client argv or argv[0] is NULL
(cherry picked from commit 59f5445a7ff3ee1468d86f03943c976c790c0893)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
diff --git a/os/client.c b/os/client.c
index 2ed69ea4c..0a5b552d4 100644
--- a/os/client.c
+++ b/os/client.c
@@ -269,10 +269,9 @@ DetermineClientCmd(pid_t pid, const char **cmdname, const char **cmdargs)
return;
argv = kvm_getargv(kd, kp, 0);
if (cmdname) {
- if (argv == NULL || argv[0] == NULL) {
- *cmdname = strdup("");
+ if (argv == NULL || argv[0] == NULL)
return;
- } else
+ else
*cmdname = strdup(argv[0]);
}
if (cmdargs) {
commit 5f9cac4c34e6212e3e4fc22ff4c182d6013eeafc
Author: Matthieu Herrb <matthieu at herrb.eu>
Date: Fri Nov 11 14:58:02 2022 +0100
Don't crash if the client argv or argv[0] is NULL.
Report from bauerm at pestilenz dot org.
(cherry picked from commit a8512146ba9f475a384a35337f51c7730ba7b4ce)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
diff --git a/os/client.c b/os/client.c
index 922172cc5..2ed69ea4c 100644
--- a/os/client.c
+++ b/os/client.c
@@ -268,18 +268,26 @@ DetermineClientCmd(pid_t pid, const char **cmdname, const char **cmdargs)
if (n != 1)
return;
argv = kvm_getargv(kd, kp, 0);
- *cmdname = strdup(argv[0]);
- i = 1;
- while (argv[i] != NULL) {
- len += strlen(argv[i]) + 1;
- i++;
+ if (cmdname) {
+ if (argv == NULL || argv[0] == NULL) {
+ *cmdname = strdup("");
+ return;
+ } else
+ *cmdname = strdup(argv[0]);
}
- *cmdargs = calloc(1, len);
- i = 1;
- while (argv[i] != NULL) {
- strlcat(*cmdargs, argv[i], len);
- strlcat(*cmdargs, " ", len);
- i++;
+ if (cmdargs) {
+ i = 1;
+ while (argv[i] != NULL) {
+ len += strlen(argv[i]) + 1;
+ i++;
+ }
+ *cmdargs = calloc(1, len);
+ i = 1;
+ while (argv[i] != NULL) {
+ strlcat(*(char **)cmdargs, argv[i], len);
+ strlcat(*(char **)cmdargs, " ", len);
+ i++;
+ }
}
kvm_close(kd);
}
More information about the xorg-commit
mailing list