Age | Commit message | Author | Files | Lines
2015-10-20 | fb: Revert fb changes that broke XQuartz [server-1.16-apple] | Jeremy Huddleston Sequoia | 4 | -166/+2
http://bugs.freedesktop.org/show_bug.cgi?id=26124
Revert "Use new pixman_glyph_cache_t API that will be in pixman 0.28.0"
Revert "fb: Fix origin of source picture in fbGlyphs"
Revert "fb: Publish fbGlyphs and fbUnrealizeGlyph"
This reverts commit 9cbcb5bd6a5360a128d15b77a02d8d3351f74366.
This reverts commit 983e30361f49a67252d0b5d82630e70724d69dbf.
This reverts commit 3c2c59eed3c68c0e5a93c38cf01eedad015e3157.
2015-10-20 | fb: Revert fb changes that broke XQuartz | Jeremy Huddleston | 3 | -85/+43
http://bugs.freedesktop.org/show_bug.cgi?id=26124
Revert "Fix source pictures getting random transforms after 2d6a8f668342a5190cdf43b5."
Revert "fb: Adjust transform or composite coordinates for pixman operations"
http://bugs.freedesktop.org/26124
This reverts commit a72c65e9176c51de95db2fdbf4c5d946a4911695.
This reverts commit a6bd5d2e482a5aa84acb3d4932e2a166d8670ef1.
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
2015-10-20 | Use old miTrapezoids and miTriangles routines | Jeremy Huddleston Sequoia | 5 | -4/+201
Reverts commits:
788ccb9a8bcf6a4fb4054c507111eec3338fb969
566f1931ee2916269e164e114bffaf2da1d039d1
http://xquartz.macosforge.org/trac/ticket/525
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2015-10-20 | Workaround the GC clipping problem in miPaintWindow and add some debugging output. | Jeremy Huddleston | 1 | -10/+94
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
2015-10-20 | sdksyms.sh: Use CPPFLAGS, not CFLAGS | Jeremy Huddleston | 1 | -3/+2
CFLAGS can include flags which are not useful to the preprocessor or can even cause it to fail. This fixes a build issue on darwin when building for more than one architecture.
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
2015-10-19 | XQuartz: Cleanup formatting of DarwinEQInit that was butchered by automation a few years ago | Jeremy Huddleston Sequoia | 1 | -6/+3
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 27ad21254f257bac6c647315d749ee69f20c24e0)
2015-10-19 | XQuartz: Make sure that darwin_all_modifier_mask_additions is 0-terminated | Jeremy Huddleston Sequoia | 1 | -1/+1
Found by ASan

X.Org X Server 1.17.99.901
Build Date: 20151018
================================================================
==40471==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000101fed7a4 at pc 0x000101584030 bp 0x70000029f920 sp 0x70000029f918
READ of size 4 at 0x000101fed7a4 thread T7
    #0 0x10158402f in DarwinEQInit darwinEvents.c:377
    #1 0x10157f3bc in InitInput darwin.c:566
    #2 0x101be87ad in dix_main main.c:268
    #3 0x10159131b in server_thread quartzStartup.c:66
    #4 0x7fff8a535c12 in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x3c12)
    #5 0x7fff8a535b8f in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x3b8f)
    #6 0x7fff8a533374 in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x1374)

0x000101fed7a4 is located 0 bytes to the right of global variable 'darwin_all_modifier_mask_additions' defined in 'darwinEvents.c:181:12' (0x101fed7a0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow darwinEvents.c:377 DarwinEQInit

Thread T7 created by T0 here:
    #0 0x10242ee99 in wrap_pthread_create (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x37e99)
    #1 0x101591089 in create_thread quartzStartup.c:78
    #2 0x101590ed9 in QuartzInitServer quartzStartup.c:95
    #3 0x1015697eb in X11ApplicationMain X11Application.m:1277
    #4 0x101575dc0 in X11ControllerMain X11Controller.m:984
    #5 0x10159171a in server_main quartzStartup.c:127
    #6 0x101540fc0 in do_start_x11_server bundle-main.c:436
    #7 0x101544869 in _Xstart_x11_server mach_startupServer.c:189
    #8 0x101545c96 in mach_startup_server mach_startupServer.c:398
    #9 0x7fff8d1b70f3 in mach_msg_server (/usr/lib/system/libsystem_kernel.dylib+0x110f3)
    #10 0x1015416e7 in main bundle-main.c:774
    #11 0x7fff8bd975ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #12 0x0 (<unknown module>)

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 3db7e332d374bf8cee581c31b7d50d7ac0509187)
2015-10-13 | XQuartz: Fix how we calculate the height of the OSX menu bar [server-1.16-branch] | Ken Thomases | 1 | -2/+10
+[NSScreen mainScreen] does not mean the primary display. It used to mean the one with the key window. When "Displays have separate spaces" is enabled, it means the active screen, the one whose menu bar is mostly opaque. As such, it may not be the screen whose lower-left corner is located at (0, 0). That's why its max-Y is not necessarily comparable to its height. That only works for the primary display.

This code could use [[NSScreen screens] firstObject]. This is always the primary display, the one whose lower-left corner is at (0, 0).

Once that's done, the above change should be reverted. The height of the visible frame would be the full height of the screen minus the menu bar _and the Dock_ if the Dock is along the bottom of the screen.

Actually, there's a theoretically-simpler approach: use -[NSMenu menuBarHeight]. That replaces a long-deprecated method +[NSMenuView menuBarHeight]. However, there was a bug in Tiger that led to the former not working while the latter still worked. I haven't actually checked recently.

CrossOver's still-kicking X server code uses this code, which tries all of the above:

    NSScreen* primaryScreen = [[NSScreen screens] objectAtIndex:0];
    aquaMenuBarHeight = [[NSApp mainMenu] menuBarHeight];
    if (!aquaMenuBarHeight) aquaMenuBarHeight = [NSMenuView menuBarHeight];
    if (!aquaMenuBarHeight) aquaMenuBarHeight = NSHeight([primaryScreen frame]) - NSMaxY([primaryScreen visibleFrame]);

Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Ken Thomases <ken@codeweavers.com>
(cherry picked from commit 4513f924a7065edbd267cf96837af94ce5a58a6f)
2015-10-13 | XQuartz: Remove InfoPlist.strings | Jeremy Huddleston Sequoia | 32 | -31/+1
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 6e6827aac33eddeacfb37ef3d7b0397b1446bf66)
2015-10-13 | XQuartz: Relax App Transport Security for communicating with the update server | Jeremy Huddleston Sequoia | 1 | -0/+13
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit df80e2649aa47957986554928e6bf41b86c15240)
2015-10-13 | XQuartz: Silence -Wformat-security for NSRunAlertPanel | Jeremy Huddleston Sequoia | 2 | -11/+10
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 9003a3e5c55903ce4e371b2d5cb5030b5f97ae0e)
2015-10-13 | XQuartz: Silence -Wunused-function | Jeremy Huddleston Sequoia | 1 | -0/+2
quartzKeyboard.c:741:1: warning: unused function 'macroman2ucs' [-Wunused-function,Unused Entity Issue]
macroman2ucs(unsigned char c)
^
1 warning generated.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 3a6fa115759c787ec34483437021ad1e55c52423)
2015-10-13 | XQuartz: Silence -Wunused-variable | Jeremy Huddleston Sequoia | 1 | -1/+0
X11Controller.m:939:9: warning: unused variable 'remain' [-Wunused-variable,Unused Entity Issue]
    int remain;
        ^
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 9fe7f5ccada37e2d2a2fa92064b92a0334a3fcdd)
2015-10-13 | XQuartz: Silence -Wpointer-bool-conversion | Jeremy Huddleston Sequoia | 1 | -3/+3
X11Controller.m:417:17: error: address of function 'asl_log_descriptor' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion,Value Conversion Issue]
            if (asl_log_descriptor) {
            ~~  ^~~~~~~~~~~~~~~~~~
X11Controller.m:417:17: note: prefix with the address-of operator to silence this warning [Semantic Issue]
            if (asl_log_descriptor) {
                ^
                &
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 0b9c32489131a5723bd78decf5d2557b94207cf4)
2015-02-15 | XQuartz: GLX: Use __glXEnableExtension to build extensions list | Jeremy Huddleston Sequoia | 1 | -6/+31
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 3790001ea29658872aebda00a03170e392b47878)
2015-02-11 | Bump to 1.16.4 [xorg-server-1.16.4] | Julien Cristau | 1 | -1/+1
Signed-off-by: Julien Cristau <jcristau@debian.org>
2015-02-11 | xkb: Check strings length against request size | Olivier Fourdan | 1 | -25/+40
Ensure that the given strings length in an XkbSetGeometry request remain within the limits of the size of the request.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2015-02-11 | xkb: Don't swap XkbSetGeometry data in the input buffer | Olivier Fourdan | 1 | -16/+19
The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianness.

_XkbSetGeometry() invokes functions that swap these data directly in the input buffer.

However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the strings lengths on the second time are way off bounds.

To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
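
The double swap described in the commit above, as an added illustration that is not code from the X.Org tree: a byte-swapped 16-bit string length is processed once per keyboard, first with the swap written back into the request buffer and then with the swap kept in a local variable. The `ex_` names, the 8-byte request layout and the sample string are constructed for this example, and a bounds check is included so the bad second-pass length is reported instead of used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_REQ_LEN 8   /* constructed request: 2-byte length + 6 bytes of data */

static uint16_t ex_bswap16(uint16_t v)
{
    return (uint16_t) ((v << 8) | (v >> 8));
}

/* Build the constructed request the way a client of the opposite byte order
 * would send it: the string length 5 arrives swapped relative to the host. */
static void ex_make_swapped_request(uint8_t *req)
{
    uint16_t wire_len = ex_bswap16(5);

    memset(req, 0, EX_REQ_LEN);
    memcpy(req, &wire_len, sizeof wire_len);
    memcpy(req + sizeof wire_len, "hello", 5);
}

/* Pattern the commit removes: the swapped length is stored back into the
 * input buffer, so every later pass sees data that is already swapped. */
static int ex_len_swap_in_place(uint8_t *req)
{
    uint16_t len;

    memcpy(&len, req, sizeof len);
    len = ex_bswap16(len);
    memcpy(req, &len, sizeof len);          /* side effect on the request */
    if (len > EX_REQ_LEN - sizeof len)
        return -1;                          /* length runs past the request */
    return len;
}

/* Pattern the commit introduces: swap into a variable, leave the buffer alone. */
static int ex_len_swap_local(const uint8_t *req)
{
    uint16_t len;

    memcpy(&len, req, sizeof len);
    len = ex_bswap16(len);
    if (len > EX_REQ_LEN - sizeof len)
        return -1;
    return len;
}

/* Process one request once per keyboard; return the length seen on the
 * last pass, or -1 if that pass found the length out of bounds. */
static int ex_process(int in_place, int keyboards)
{
    uint8_t req[EX_REQ_LEN];
    int i, len = -1;

    ex_make_swapped_request(req);
    for (i = 0; i < keyboards; i++)
        len = in_place ? ex_len_swap_in_place(req) : ex_len_swap_local(req);
    return len;
}

int main(void)
{
    printf("in place, 1 keyboard:  %d\n", ex_process(1, 1));
    printf("in place, 2 keyboards: %d\n", ex_process(1, 2));
    printf("local,    2 keyboards: %d\n", ex_process(0, 2));
    return 0;
}
```
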
2015-02-01 | dri2: SourceOffloads may be for DRI3 only | Chris Wilson | 1 | -0/+3
As a DDX may declare offload support without supporting DRI2 (because it is using an alternative acceleration mechanism like DRI3), when iterating the list of offload_source Screens to find a matching DRI2 provider we need to check before assuming it is DRI2 capable.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88514
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 082931014811e587a9734cbf4d88fd948979b641)
2015-02-01 | dix: make RegionInit legal C++ | Adam Jackson | 1 | -1/+1
The CVE fix in:

    commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb
    Author: Alan Coopersmith <alan.coopersmith@oracle.com>
    Date: Wed Jan 22 22:37:15 2014 -0800

        dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]

offended the C++ demons:

    ../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to 'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive]

Normally this isn't a problem, because around here we have the sense and common decency to not use C++, but this does make tigervnc fail to build, which is a little rude of us.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit bb23fbf5bb278113c9c481875423b4d128180972)
2015-02-01 | config/udev: Respect seat assignments when assigned devices | Dave Airlie | 1 | -9/+21
Jonathan Dieter posted a few patches to do this inside the Xorg server but it makes no sense to do it there, just have the code we use to probe the device list at startup check seat assignments using the same code we check at hotplug time.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183654
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Tested-by: Jonathan Dieter <jdieter@lesbg.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 697b696e5e24d0679f133183a3bb0852025377c2)
2015-02-01 | randr: attempt to fix primary on slave output (v2) | Dave Airlie | 3 | -7/+33
If the user wants to set one of the slave devices as the primary output, we shouldn't fail to do so, we were returning BadMatch which was tripping up gnome-settings-daemon and bad things ensues.

Fix all the places we use primaryOutput to work out primaryCrtc and take it into a/c when slave gpus are in use.

v2: review from Aaron, fix indent, unhide has_primary from macro. I left the int vs Bool alone to be consistent with code below, a future patch could fix both.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit df1b401f57ad4b4925bad66684445b476562f26f)
2015-02-01 | os: Fix timer race conditions | Nikhil Mahale | 1 | -15/+26
Fixing following kind of race-conditions -

    WaitForSomething()
    |
    ----> // timers -> timer-1 -> timer-2 -> null
          while (timers && (int) (timers->expires - now) <= 0)
              // prototype - DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
              DoTimer(timers, now, &timers)
              |
              |
              ----> OsBlockSignals();
                    .... OS Signal comes just before blocking it,
                    .... timer-1 handler gets called.
                         // timer-1 gets served and scheduled again;
                         // timers -> timer-2 -> timer-1 -> null
                    ....
                    *prev = timer->next;
                    timer->next = NULL; // timers -> null
                    // timers list gets corrupted here and timer-2 gets removed from list.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=86288
Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
v2: Apply warning fixes from Keith Packard <keithp@keithp.com>
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit fe4c774c572e3f55a7417f0ca336ae1479a966ad)
2015-01-05 | dix: Allow zero-height PutImage requests | Keith Packard | 1 | -1/+1
The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit dc777c346d5d452a53b13b917c45f6a1bad2f20b)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-20 | Bump to 1.16.3 [xorg-server-1.16.3] | Julien Cristau | 1 | -2/+2
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | Bump to 1.16.2.901 [xorg-server-1.16.2.901] | Julien Cristau | 1 | -2/+2
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6] | Keith Packard | 1 | -1/+1
GetHosts saves the pointer to allocated memory in *data, and then wants to bounds-check writes to that region, but was mistakenly using a bare 'data' instead of '*data'. Also, data is declared as void **, so we need a cast to turn it into a byte pointer so we can actually do pointer comparisons.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 1559a94395258fd73e369f1a2c98a44bfe21a486)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5] | Keith Packard | 1 | -1/+1
The 'n' parameter must be surrounded by parens in both places to prevent precedence from mis-computing things.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9802a0162f738de03585ca3f3b8a8266494f7d45)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9] | Keith Packard | 1 | -1/+2
We're using compiler compatibility settings which generate warnings when a variable is declared after the first statement.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 61b17c0f10307e25e51e30e6fb1d3e3127f82d86)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2] | Keith Packard | 1 | -2/+4
When the local types used to walk the DBE request were changed, this changed the type of the parameter passed to the DDX SwapBuffers API, but there wasn't a matching change in the API definition.

At this point, with the API frozen, I just stuck a new variable in with the correct type. Because we've already bounds-checked nStuff to be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will fit in a signed int without overflow.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6] | Robert Morell | 1 | -1/+1
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary bitwise not operation will result in a mask that clears all high bits from temp_buf in the expression:

    temp_buf = (temp_buf + mask) & ~mask;

Signed-off-by: Robert Morell <rmorell@nvidia.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7e7630bbb775573eea2a2335adb9d190c3e1e971)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] | Adam Jackson | 5 | -154/+205
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit e883c170c15493ab3637c0a01890f5a7ca4e16a5)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8] | Adam Jackson | 5 | -29/+95
v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau)
v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 984583a497c813df5827ae22483133e704fee79c)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8] | Adam Jackson | 2 | -0/+4
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 44ba149f28ece93c2fbfc9cc980588de5322dd4b)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8] | Adam Jackson | 1 | -5/+14
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit afe177020d1fb776c6163f21eddc82cb185b95ca)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8] | Adam Jackson | 1 | -0/+4
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit c91e4abc3b892f42802efa20fef7ada442c2d3f5)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8] | Adam Jackson | 1 | -23/+34
This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before.

v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit a33a939e6abb255b14d8dbc85fcbd2c55b958bae)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Conflicts:
    glx/glxcmds.c
2014-12-09 | glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6] | Adam Jackson | 1 | -36/+41
v2: Fix constants in __glXMap2fReqSize (Michal Srb)
    Validate w/h/d for proxy targets too (Keith Packard)
v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 698888e6671d54c7ae41e9d456f7f5483a3459d2)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8] | Julien Cristau | 1 | -11/+10
v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit be09e0c988ffdb0371293af49fb4ea8f49ed324a)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] | Adam Jackson | 1 | -0/+41
These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative.

Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong.

v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 2a5cbc17fc72185bf0fa06fef26d1f782de72595)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8] | Adam Jackson | 1 | -0/+10
Without this we'd reject the request with BadLength. Note that some old versions of Mesa had a bug in the same place, and would _send_ zero bytes of image data; these will now be rejected, correctly.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 13d36923e0ddb077f4854e354c3d5c80590b5d9d)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6] | Adam Jackson | 2 | -2/+8
If the computed reply size is negative, something went wrong, treat it as an error.

v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 717a1b37767b41e14859e5022ae9e679152821a9)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6] | Adam Jackson | 2 | -16/+16
Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit ab2ba9338aa5e85b4487bc7fbe69985c76483e01)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6] | Adam Jackson | 1 | -2/+2
If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer.
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 23fe7718bb171e71db2d1a30505c2ca2988799d9)
Signed-off-by: Julien Cristau <jcristau@debian.org>
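
An added illustration, not code from the X.Org tree, of the contract stated in the safe_{add,mul,pad} commit above and of why the two CVE-2014-8093 commits that follow it in this log reject a failed size computation instead of clamping it to zero. The `ex_` names, the image-size formula, the accept/reject codes and the sample dimensions are assumptions made for this example, which also assumes a 32-bit `int`.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helpers following the contract in the commit message:
 * return -1 on overflow of a signed int or if either argument is negative. */
static int ex_safe_add(int a, int b)
{
    if (a < 0 || b < 0)
        return -1;
    if (INT_MAX - a < b)
        return -1;
    return a + b;
}

static int ex_safe_mul(int a, int b)
{
    if (a < 0 || b < 0)
        return -1;
    if (a == 0 || b == 0)
        return 0;
    if (a > INT_MAX / b)
        return -1;
    return a * b;
}

/* Round up to a multiple of 4 bytes without overflowing. */
static int ex_safe_pad(int a)
{
    int ret = ex_safe_add(a, 3);

    if (ret < 0)
        return -1;
    return ret & ~3;
}

/* Assumed size formula for a constructed image payload. A -1 from any step
 * propagates to the result because the helpers reject negative arguments. */
static int ex_image_size(int width, int height, int bytes_per_pixel)
{
    return ex_safe_pad(ex_safe_mul(ex_safe_mul(width, height), bytes_per_pixel));
}

enum { EX_ACCEPT = 0, EX_BAD_LENGTH = 1 };

/* Old pattern: a failed computation is clamped to 0, so a request carrying
 * no payload bytes compares equal and passes the length check. */
static int ex_check_clamped(int w, int h, int bpp, int payload_len)
{
    int size = ex_image_size(w, h, bpp);

    if (size < 0)
        size = 0;
    return size == payload_len ? EX_ACCEPT : EX_BAD_LENGTH;
}

/* Fixed pattern: a failed computation rejects the request outright. */
static int ex_check_strict(int w, int h, int bpp, int payload_len)
{
    int size = ex_image_size(w, h, bpp);

    if (size < 0)
        return EX_BAD_LENGTH;
    return size == payload_len ? EX_ACCEPT : EX_BAD_LENGTH;
}

int main(void)
{
    /* Constructed dimensions: 65536 * 65536 does not fit in a 32-bit int. */
    printf("size(2,3,3)          = %d\n", ex_image_size(2, 3, 3));
    printf("size(65536,65536,4)  = %d\n", ex_image_size(65536, 65536, 4));
    printf("clamped check, len 0 = %d\n", ex_check_clamped(65536, 65536, 4, 0));
    printf("strict check, len 0  = %d\n", ex_check_strict(65536, 65536, 4, 0));
    return 0;
}
```
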
2014-12-09 | Add REQUEST_FIXED_SIZE testcases to test/misc.c | Alan Coopersmith | 1 | -0/+37
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f4afd53f2aeaddf509bf9f71d1716dd273fd6e14)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | Add request length checking test cases for some Xinput 2.x requests | Alan Coopersmith | 4 | -0/+20
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2df83bb122debc3c20cfc3d3b0edc85cd0270f79)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | Add request length checking test cases for some Xinput 1.x requests | Alan Coopersmith | 4 | -1/+158
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit d153a85f7478a7a67ccb02fbca6390b0ab1732ee)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Conflicts:
    test/Makefile.am
2014-12-09 | xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102] | Alan Coopersmith | 1 | -0/+1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit a0ece23a8bd300c8be10812d368dc8058c97c63e)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2] | Alan Coopersmith | 1 | -1/+15
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2014-12-09 | render: check request size before reading it [CVE-2014-8100 1/2] | Julien Cristau | 1 | -2/+2
Otherwise we may be reading outside of the client request.
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b5f9ef03df6a650571b29d3d1c1d2b67c6e84336)
Signed-off-by: Julien Cristau <jcristau@debian.org>