xserver: Branch 'master' - 6 commits
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Mon Oct 28 05:47:28 UTC 2024
Xi/xichangehierarchy.c | 2 ++
dix/enterleave.c | 2 +-
dix/eventconvert.c | 4 ++--
hw/xfree86/common/xf86Configure.c | 4 +++-
hw/xfree86/drivers/modesetting/present.c | 24 +++++++++++++-----------
render/picture.c | 3 +++
6 files changed, 24 insertions(+), 15 deletions(-)
New commits:
commit bf63d9b34ef3a24427f884f66a387119dd5cdb8c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Thu Oct 24 15:51:53 2024 -0700
modesetting: avoid memory leak when ms_present_check_unflip() returns FALSE
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer event allocated with calloc(1, 16)
at line 470 of hw/xfree86/drivers/modesetting/present.c in
function 'ms_present_unflip'.
event allocated at line 431 with calloc(1, 16)
event leaks when ms_present_check_unflip(...) == 0 at line 438
and i >= config->num_crtc at line 445
Fixes: 13c7d53df ("modesetting: Implement page flipping support for Present.")
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
diff --git a/hw/xfree86/drivers/modesetting/present.c b/hw/xfree86/drivers/modesetting/present.c
index 8956a7c57..421d70016 100644
--- a/hw/xfree86/drivers/modesetting/present.c
+++ b/hw/xfree86/drivers/modesetting/present.c
@@ -424,22 +424,24 @@ ms_present_unflip(ScreenPtr screen, uint64_t event_id)
PixmapPtr pixmap = screen->GetScreenPixmap(screen);
xf86CrtcConfigPtr config = XF86_CRTC_CONFIG_PTR(scrn);
int i;
- struct ms_present_vblank_event *event;
ms_present_set_screen_vrr(scrn, FALSE);
- event = calloc(1, sizeof(struct ms_present_vblank_event));
- if (!event)
- return;
+ if (ms_present_check_unflip(NULL, screen->root, pixmap, TRUE, NULL)) {
+ struct ms_present_vblank_event *event;
- event->event_id = event_id;
- event->unflip = TRUE;
+ event = calloc(1, sizeof(struct ms_present_vblank_event));
+ if (!event)
+ return;
- if (ms_present_check_unflip(NULL, screen->root, pixmap, TRUE, NULL) &&
- ms_do_pageflip(screen, pixmap, event, NULL, FALSE,
- ms_present_flip_handler, ms_present_flip_abort,
- "Present-unflip")) {
- return;
+ event->event_id = event_id;
+ event->unflip = TRUE;
+
+ if (ms_do_pageflip(screen, pixmap, event, NULL, FALSE,
+ ms_present_flip_handler, ms_present_flip_abort,
+ "Present-unflip")) {
+ return;
+ }
}
for (i = 0; i < config->num_crtc; i++) {
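Review bot: the `if (!event) return;` kept inside the new block still leaves ms_present_unflip() on allocation failure without reaching the `for (i = 0; i < config->num_crtc; i++)` loop, which is where both other failure cases (ms_present_check_unflip() returning FALSE, ms_do_pageflip() returning FALSE) end up. Consider skipping the page flip attempt and falling through to the loop when calloc() fails, instead of returning. Separately, the hunk does not show who owns `event` when ms_do_pageflip() returns FALSE; a one-line comment stating that the callee releases it on failure would make it clear the remaining path does not leak.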
commit b65eea43dd18cdf6d389b7f82ee55ae764c3bf31
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Oct 12 17:33:24 2024 -0700
dix: limit checks to MAX_VALUATORS when generating Xi events
Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries. The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.
Found by Oracle Parfait 13.3 static analyzer:
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data_raw[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.
Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
diff --git a/dix/eventconvert.c b/dix/eventconvert.c
index 62b111441..d805018f8 100644
--- a/dix/eventconvert.c
+++ b/dix/eventconvert.c
@@ -735,7 +735,7 @@ eventToDeviceEvent(DeviceEvent *ev, xEvent **xi)
ptr += xde->buttons_len * 4;
axisval = (FP3232 *) (ptr + xde->valuators_len * 4);
- for (i = 0; i < sizeof(ev->valuators.mask) * 8; i++) {
+ for (i = 0; i < MAX_VALUATORS; i++) {
if (BitIsOn(ev->valuators.mask, i)) {
SetBit(ptr, i);
*axisval = double_to_fp3232(ev->valuators.data[i]);
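Review bot: the new bound in `for (i = 0; i < MAX_VALUATORS; i++)` is correct only as long as ev->valuators.data keeps exactly MAX_VALUATORS elements, and nothing in the loop enforces that. Deriving the limit from the array being indexed, sizeof(ev->valuators.data) / sizeof(ev->valuators.data[0]), or adding a compile-time assertion that the two agree, would keep the loop in step with the declaration. A short comment that the mask is rounded up to whole bytes, so its top bits are never set, would also explain why the bound differs from the mask size.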
@@ -802,7 +802,7 @@ eventToRawEvent(RawDeviceEvent *ev, xEvent **xi)
ptr = (char *) &raw[1];
axisval = (FP3232 *) (ptr + raw->valuators_len * 4);
axisval_raw = axisval + nvals;
- for (i = 0; i < sizeof(ev->valuators.mask) * 8; i++) {
+ for (i = 0; i < MAX_VALUATORS; i++) {
if (BitIsOn(ev->valuators.mask, i)) {
SetBit(ptr, i);
*axisval = double_to_fp3232(ev->valuators.data[i]);
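Review bot: in eventToRawEvent() the output offsets depend on values computed outside this hunk (`raw->valuators_len` and `nvals` in `axisval_raw = axisval + nvals;`), so the new `i < MAX_VALUATORS` bound should match whatever limit was used to compute them. If those counts are taken over the full mask width, they should be limited to MAX_VALUATORS as well, so that the number of values written by the loop agrees with the space reserved for them.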
commit 4b073d65bb5e1f4accb7ed280c8926134582b7ab
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Oct 12 17:01:03 2024 -0700
dix: fix button offset when generating DeviceButtonStateNotify events
Found by Oracle Parfait 13.3 static analyzer:
Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
size 24 is written at an offset of 28
Array size is 28 bytes, index is 32
at line 743 of dix/enterleave.c in function
'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
diff --git a/dix/enterleave.c b/dix/enterleave.c
index 2e7a64195..268ced662 100644
--- a/dix/enterleave.c
+++ b/dix/enterleave.c
@@ -740,7 +740,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
(ev - 1)->deviceid |= MORE_EVENTS;
bev->type = DeviceButtonStateNotify;
bev->deviceid = dev->id;
- memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+ memcpy((char *) &bev->buttons[0], (char *) &b->down[4],
DOWN_LENGTH - 4);
}
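Review bot: the length argument `DOWN_LENGTH - 4` in the corrected memcpy() is still not tied to the size of the destination, so the call is safe only because the two happen to match (the analyzer output gives the array as 28 bytes). Using sizeof(bev->buttons) as the length, or asserting at compile time that it equals DOWN_LENGTH - 4, would make a future change to either size fail the build rather than overflow the event. A brief comment that this second event carries the button bytes from offset 4 onward would also explain the asymmetric source and destination offsets.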
commit 7af077dd2f939b76e7d6ba84250368b6649fb777
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Oct 12 16:38:55 2024 -0700
render: avoid NULL pointer dereference if PictureFindVisual returns NULL
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer pVisual
at line 257 of dix/colormap.c in function 'CreateColormap'.
Null pointer introduced at line 412 of render/picture.c in
function 'PictureFindVisual'.
Constant 'NULL' passed into function CreateColormap, argument
pVisual, from call at line 431 in function
'PictureInitIndexedFormat'.
Function PictureFindVisual may return constant 'NULL' at
line 412, called at line 429.
Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk")
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
diff --git a/render/picture.c b/render/picture.c
index c55dcd84e..dd31f2bb9 100644
--- a/render/picture.c
+++ b/render/picture.c
@@ -429,6 +429,9 @@ PictureInitIndexedFormat(ScreenPtr pScreen, PictFormatPtr format)
else {
VisualPtr pVisual = PictureFindVisual(pScreen, format->index.vid);
+ if (pVisual == NULL)
+ return FALSE;
+
if (CreateColormap(FakeClientID(0), pScreen, pVisual,
&format->index.pColormap, AllocNone, 0)
!= Success)
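Review bot: the added `if (pVisual == NULL) return FALSE;` fails silently, so a format whose `format->index.vid` matches no visual makes PictureInitIndexedFormat() fail with nothing to show why. A log message that includes the visual id before the return would make this case diagnosable. It is also worth confirming that callers check the FALSE return, since this path was previously reached only through a crash.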
commit d10589cc09c68ad09bebd3a4155c44d1b8f2614b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Oct 12 16:12:13 2024 -0700
Xi: avoid NULL pointer dereference if GetXTestDevice returns NULL
The comments in that function say "This only happens if master is a
slave device. don't do that" but static analysis doesn't respect that.
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestptr
at line 274 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 273 of Xi/xichangehierarchy.c in function
'remove_master'.
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestkeybd
at line 279 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 278 of Xi/xichangehierarchy.c in function
'remove_master'.
Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.")
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
index c89cafbd5..cd4c1f5f0 100644
--- a/Xi/xichangehierarchy.c
+++ b/Xi/xichangehierarchy.c
@@ -271,11 +271,13 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
goto unwind;
XTestptr = GetXTestDevice(ptr);
+ BUG_RETURN_VAL(XTestptr == NULL, BadDevice);
rc = dixLookupDevice(&XTestptr, XTestptr->id, client, DixDestroyAccess);
if (rc != Success)
goto unwind;
XTestkeybd = GetXTestDevice(keybd);
+ BUG_RETURN_VAL(XTestkeybd == NULL, BadDevice);
rc = dixLookupDevice(&XTestkeybd, XTestkeybd->id, client, DixDestroyAccess);
if (rc != Success)
goto unwind;
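Review bot: both added `BUG_RETURN_VAL(... == NULL, BadDevice);` lines return directly from remove_master(), while every other failure in this hunk sets `rc` and uses `goto unwind;`. If the unwind label performs any cleanup, the new paths skip it. For consistency with the surrounding code, keep the warning but set rc = BadDevice and jump to unwind. The commit message cites the comment in GetXTestDevice() about when NULL is returned; repeating that condition in a comment at these call sites would document why the check exists.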
commit fa711c486a2c2c958c71d7bd8ac0efe552558717
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Oct 12 15:55:06 2024 -0700
xfree86: avoid memory leak on realloc failure
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer optname allocated with asprintf(&optname,
"\"%s\"", p->name)
at line 326 of hw/xfree86/common/xf86Configure.c in function
'configureDeviceSection'.
optname allocated at line 309 with asprintf(&optname, "\"%s\"",
p->name)
Fixes: code inherited from XFree86
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
diff --git a/hw/xfree86/common/xf86Configure.c b/hw/xfree86/common/xf86Configure.c
index 1844125a9..c59e926de 100644
--- a/hw/xfree86/common/xf86Configure.c
+++ b/hw/xfree86/common/xf86Configure.c
@@ -313,8 +313,10 @@ configureDeviceSection(int screennum)
len += strlen(opttype);
ptr->dev_comment = realloc(ptr->dev_comment, len);
- if (!ptr->dev_comment)
+ if (!ptr->dev_comment) {
+ free(optname);
break;
+ }
p_e = ptr->dev_comment + strlen(ptr->dev_comment);
sprintf(p_e, "%s%-20s%s%s%s", prefix, optname, middle,
opttype, suffix);
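Review bot: `ptr->dev_comment = realloc(ptr->dev_comment, len);` overwrites the only pointer to the existing buffer, so when realloc() fails the original dev_comment block is lost as well, and the added `free(optname);` covers only one of the two leaks on this path. Assign the result to a temporary, and update ptr->dev_comment only on success, so the old comment text stays reachable and can be kept or freed. The `sprintf(p_e, ...)` that follows depends on `len` having been computed to cover every argument; snprintf() with the remaining space would make that assumption checkable.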