author | Jon Turney <jon.turney@dronecode.org.uk> | 2017-11-03 13:46:26 +0000 |
---|---|---|
committer | Jon Turney <jon.turney@dronecode.org.uk> | 2017-11-03 13:46:26 +0000 |
commit | 120a0009cd46eda1539e9544df81a9aff100944e (patch) | |
tree | e0cbc6f70b1a6a596e82f298dba710fde9072dfa | |
parent | 427d361cf7539cd8126aa1069840259c3f899725 (diff) | |
parent | b96e982e3a43513549636850186ff80a82190f64 (diff) |
Merge tag 'xorg-server-1.19.5' into cygwin-release-1.19
xorg-server-1.19.5
-rw-r--r-- | Xext/panoramiX.c | 3 | ||||
-rw-r--r-- | Xext/saver.c | 2 | ||||
-rw-r--r-- | Xext/vidmode.c | 129 | ||||
-rw-r--r-- | Xext/xres.c | 4 | ||||
-rw-r--r-- | Xext/xvdisp.c | 4 | ||||
-rw-r--r-- | Xi/xibarriers.c | 5 | ||||
-rw-r--r-- | Xi/xichangehierarchy.c | 2 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | dbe/dbe.c | 5 | ||||
-rw-r--r-- | dix/dispatch.c | 7 | ||||
-rw-r--r-- | hw/dmx/dmxpict.c | 2 | ||||
-rw-r--r-- | hw/xfree86/common/xf86DGA.c | 81 | ||||
-rw-r--r-- | hw/xfree86/dri/xf86dri.c | 1 | ||||
-rw-r--r-- | hw/xfree86/drivers/modesetting/dri2.c | 74 | ||||
-rw-r--r-- | hw/xfree86/drivers/modesetting/driver.h | 17 | ||||
-rw-r--r-- | hw/xfree86/drivers/modesetting/drmmode_display.c | 9 | ||||
-rw-r--r-- | hw/xfree86/drivers/modesetting/present.c | 25 | ||||
-rw-r--r-- | hw/xfree86/drivers/modesetting/vblank.c | 67 | ||||
-rw-r--r-- | os/io.c | 5 | ||||
-rw-r--r-- | pseudoramiX/pseudoramiX.c | 3 | ||||
-rw-r--r-- | render/render.c | 3 | ||||
-rw-r--r-- | xfixes/cursor.c | 5 | ||||
-rw-r--r-- | xfixes/region.c | 3 | ||||
-rw-r--r-- | xfixes/saveset.c | 1 | ||||
-rw-r--r-- | xfixes/xfixes.c | 1 |
25 files changed, 263 insertions, 201 deletions
diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c index 209df292c..844ea49ce 100644 --- a/Xext/panoramiX.c +++ b/Xext/panoramiX.c @@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client) xPanoramiXGetScreenSizeReply rep; int rc; + REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + if (stuff->screen >= PanoramiXNumScreens) return BadMatch; - REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); if (rc != Success) return rc; diff --git a/Xext/saver.c b/Xext/saver.c index 750b8b965..45ac4d2c9 100644 --- a/Xext/saver.c +++ b/Xext/saver.c @@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client) PanoramiXRes *draw; int rc, i; + REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq); + rc = dixLookupResourceByClass((void **) &draw, stuff->drawable, XRC_DRAWABLE, client, DixWriteAccess); if (rc != Success) diff --git a/Xext/vidmode.c b/Xext/vidmode.c index ea3ad1320..76055c89a 100644 --- a/Xext/vidmode.c +++ b/Xext/vidmode.c @@ -454,6 +454,20 @@ ProcVidModeAddModeLine(ClientPtr client) DEBUG_P("XF86VidModeAddModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; 
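Review bot: In ProcVidModeAddModeLine the relocated size check and the old-format conversion are now two back-to-back `if (ver < 2)` tests on the same value; a single if/else that validates the length first and then converts would keep the version split in one place. A short comment above the check, such as `/* validate the request length before any stuff-> field is copied or logged */`, would record why it was moved ahead of the conversion. The same shape recurs in the ProcVidModeDeleteModeLine, ProcVidModeModModeLine, ProcVidModeValidateModeLine and ProcVidModeSwitchToMode hunks. The function bodies extend beyond these hunks, so the layout of the conversion branch is inferred from the visible `/* convert from old format */` line.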
@@ -501,18 +515,6 @@ ProcVidModeAddModeLine(ClientPtr client) stuff->after_vsyncend, stuff->after_vtotal, (unsigned long) stuff->after_flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeAddModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeAddModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeAddModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeAddModeLineReq)); - } if (len != stuff->privsize) return BadLength; @@ -622,6 +624,20 @@ ProcVidModeDeleteModeLine(ClientPtr client) DEBUG_P("XF86VidModeDeleteModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; @@ -649,18 +665,6 @@ ProcVidModeDeleteModeLine(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeDeleteModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeDeleteModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeDeleteModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeDeleteModeLineReq)); - } if (len != stuff->privsize) { DebugF("req_len = %ld, sizeof(Req) = %d, privsize = %ld, " "len = %d, length = %d\n", 
@@ -744,6 +748,20 @@ ProcVidModeModModeLine(ClientPtr client) DEBUG_P("XF86VidModeModModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; @@ -768,18 +786,6 @@ ProcVidModeModModeLine(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeModModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeModModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeModModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeModModeLineReq)); - } if (len != stuff->privsize) return BadLength; @@ -877,6 +883,19 @@ ProcVidModeValidateModeLine(ClientPtr client) DEBUG_P("XF86VidModeValidateModeline"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); + len = client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; 
@@ -905,17 +924,6 @@ ProcVidModeValidateModeLine(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeValidateModeLineReq); - len = client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeValidateModeLineReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeValidateModeLineReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeValidateModeLineReq)); - } if (len != stuff->privsize) return BadLength; @@ -1027,6 +1035,20 @@ ProcVidModeSwitchToMode(ClientPtr client) DEBUG_P("XF86VidModeSwitchToMode"); ver = ClientMajorVersion(client); + + if (ver < 2) { + REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); + } + else { + REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); + len = + client->req_len - + bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); + } + if (ver < 2) { /* convert from old format */ stuff = &newstuff; @@ -1055,18 +1077,6 @@ ProcVidModeSwitchToMode(ClientPtr client) stuff->vdisplay, stuff->vsyncstart, stuff->vsyncend, stuff->vtotal, (unsigned long) stuff->flags); - if (ver < 2) { - REQUEST_AT_LEAST_SIZE(xXF86OldVidModeSwitchToModeReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86OldVidModeSwitchToModeReq)); - } - else { - REQUEST_AT_LEAST_SIZE(xXF86VidModeSwitchToModeReq); - len = - client->req_len - - bytes_to_int32(sizeof(xXF86VidModeSwitchToModeReq)); - } if (len != stuff->privsize) return BadLength; @@ -1457,6 +1467,7 @@ ProcVidModeSetGammaRamp(ClientPtr client) VidModePtr pVidMode; REQUEST(xXF86VidModeSetGammaRampReq); + REQUEST_AT_LEAST_SIZE(xXF86VidModeSetGammaRampReq); if (stuff->screen >= screenInfo.numScreens) return BadValue; diff --git a/Xext/xres.c b/Xext/xres.c index ae779dfe8..bc54133d2 100644 --- a/Xext/xres.c +++ b/Xext/xres.c 
@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client) ConstructResourceBytesCtx ctx; REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq); + if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0])) + return BadLength; REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq, stuff->numSpecs * sizeof(ctx.specs[0])); @@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client) int c; xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff)); - swapl(&stuff->numSpecs); REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq); + swapl(&stuff->numSpecs); REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq, stuff->numSpecs * sizeof(specs[0])); diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c index 8a35b7b4e..4d412b857 100644 --- a/Xext/xvdisp.c +++ b/Xext/xvdisp.c @@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client) { REQUEST(xvShmPutImageReq); PanoramiXRes *draw, *gc, *port; - Bool send_event = stuff->send_event; + Bool send_event; Bool isRoot; int result, i, x, y; REQUEST_SIZE_MATCH(xvShmPutImageReq); + send_event = stuff->send_event; + result = dixLookupResourceByClass((void **) &draw, stuff->drawable, XRC_DRAWABLE, client, DixWriteAccess); if (result != Success) diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c index 0bc5761f3..b0a4a92a1 100644 --- a/Xi/xibarriers.c +++ b/Xi/xibarriers.c @@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client) REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); swapl(&stuff->num_barriers); + if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) + return BadLength; REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); info = (xXIBarrierReleasePointerInfo*) &stuff[1]; 
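Review bot: SProcXResQueryResourceBytes still passes `stuff->numSpecs * sizeof(specs[0])` to REQUEST_FIXED_SIZE without the overflow guard this commit adds to ProcXResQueryResourceBytes, so on a build where size_t is 32 bits the product can wrap. The swapped handler declares `specs` and a counter `c`, which suggests it walks numSpecs entries after the size check (that part is outside the hunk), so a wrapped length would matter before the unswapped handler's new check is reached. Adding `if (stuff->numSpecs > UINT32_MAX / sizeof(specs[0])) return BadLength;` right after `swapl(&stuff->numSpecs);` would match the Xi/xibarriers.c hunks, which guard both the swapped and unswapped paths.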
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client) xXIBarrierReleasePointerInfo *info; REQUEST(xXIBarrierReleasePointerReq); + REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) + return BadLength; REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); info = (xXIBarrierReleasePointerInfo*) &stuff[1]; diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c index f2b7785ad..7286eff55 100644 --- a/Xi/xichangehierarchy.c +++ b/Xi/xichangehierarchy.c @@ -423,7 +423,7 @@ ProcXIChangeHierarchy(ClientPtr client) if (!stuff->num_changes) return rc; - len = ((size_t)stuff->length << 2) - sizeof(xXIAnyHierarchyChangeInfo); + len = ((size_t)stuff->length << 2) - sizeof(xXIChangeHierarchyReq); any = (xXIAnyHierarchyChangeInfo *) &stuff[1]; while (stuff->num_changes--) { diff --git a/configure.ac b/configure.ac index 315a51f08..434ddc45f 100644 --- a/configure.ac +++ b/configure.ac @@ -26,9 +26,9 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ(2.60) -AC_INIT([xorg-server], 1.19.4, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) -RELEASE_DATE="2017-10-04" -RELEASE_NAME="French Onion Soup" +AC_INIT([xorg-server], 1.19.5, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server) +RELEASE_DATE="2017-10-12" +RELEASE_NAME="Shahi Paneer" AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([foreign dist-bzip2]) @@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client) XdbeScreenVisualInfo *pScrVisInfo; REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + if (stuff->n > UINT32_MAX / sizeof(CARD32)) + return BadLength; + REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32)); if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) return BadAlloc; 
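Review bot: The corrected `len` in ProcXIChangeHierarchy is still derived from the client-written `stuff->length` field, whereas the size checks added elsewhere in this commit work from `client->req_len`. If the two can differ (presumably the case for the extended-length request encoding, where the 16-bit field does not carry the real size), the subtraction can wrap and the `while (stuff->num_changes--)` loop that follows starts from the wrong byte budget. Consider `len = ((size_t)client->req_len << 2) - sizeof(xXIChangeHierarchyReq);`, and confirm that a minimum-size check earlier in the function (outside this hunk) keeps the subtraction from underflowing.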
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client) swapl(&stuff->n); if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) - return BadAlloc; + return BadLength; REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { diff --git a/dix/dispatch.c b/dix/dispatch.c index 64ecea957..2a2742d2b 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -3707,7 +3707,12 @@ ProcEstablishConnection(ClientPtr client) prefix = (xConnClientPrefix *) ((char *) stuff + sz_xReq); auth_proto = (char *) prefix + sz_xConnClientPrefix; auth_string = auth_proto + pad_to_int32(prefix->nbytesAuthProto); - if ((prefix->majorVersion != X_PROTOCOL) || + + if ((client->req_len << 2) != sz_xReq + sz_xConnClientPrefix + + pad_to_int32(prefix->nbytesAuthProto) + + pad_to_int32(prefix->nbytesAuthString)) + reason = "Bad length"; + else if ((prefix->majorVersion != X_PROTOCOL) || (prefix->minorVersion != X_PROTOCOL_REVISION)) reason = "Protocol version mismatch"; else diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c index 1f1022ee6..63caec94e 100644 --- a/hw/dmx/dmxpict.c +++ b/hw/dmx/dmxpict.c @@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client) filter = (char *) (stuff + 1); params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3)); nparams = ((XFixed *) stuff + client->req_len) - params; + if (nparams < 0) + return BadLength; XRenderSetPictureFilter(dmxScreen->beDisplay, pPictPriv->pict, filter, params, nparams); diff --git a/hw/xfree86/common/xf86DGA.c b/hw/xfree86/common/xf86DGA.c index c689dcb73..039f38dfa 100644 --- a/hw/xfree86/common/xf86DGA.c +++ b/hw/xfree86/common/xf86DGA.c 
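Review bot: In SProcDbeSwapBuffers the overflow guard divides by `sizeof(DbeSwapInfoRec)` while the length given to REQUEST_FIXED_SIZE is `stuff->n * sizeof(xDbeSwapInfo)`, so the guard and the product it protects use different element types. That is safe only if the server-side record is at least as large as the wire struct, which the hunk does not show. Using the wire type in both places, `if (stuff->n > UINT32_MAX / sizeof(xDbeSwapInfo)) return BadLength;`, makes the check visibly match the multiplication.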
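Review bot: In dmxProcRenderSetPictureFilter the new `nparams < 0` test runs only after `params` has been formed from the client-supplied `stuff->nbytes`, so the check relies on subtracting a pointer that may already lie past the end of the request. Comparing the padded name length with the space left in the request before deriving `params` avoids that, for example `if (((stuff->nbytes + 3) & ~3) > (client->req_len << 2) - sizeof(*stuff)) return BadLength;`, assuming a minimum-size check earlier in the function (not visible here) keeps the right-hand side from underflowing. Separately, `filter` is passed to XRenderSetPictureFilter as a plain `char *` with no length, and nothing in the hunk shows the name being NUL-terminated when nbytes is already a multiple of four; a bounded copy with an explicit terminator would remove that dependency.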
@@ -1272,13 +1272,14 @@ ProcXDGAOpenFramebuffer(ClientPtr client) char *deviceName; int nameSize; + REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (!DGAAvailable(stuff->screen)) return DGAErrorBase + XF86DGANoDirectVideoMode; - REQUEST_SIZE_MATCH(xXDGAOpenFramebufferReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1305,14 +1306,14 @@ ProcXDGACloseFramebuffer(ClientPtr client) { REQUEST(xXDGACloseFramebufferReq); + REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (!DGAAvailable(stuff->screen)) return DGAErrorBase + XF86DGANoDirectVideoMode; - REQUEST_SIZE_MATCH(xXDGACloseFramebufferReq); - DGACloseFramebuffer(stuff->screen); return Success; @@ -1328,10 +1329,11 @@ ProcXDGAQueryModes(ClientPtr client) xXDGAModeInfo info; XDGAModePtr mode; + REQUEST_SIZE_MATCH(xXDGAQueryModesReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXDGAQueryModesReq); rep.type = X_Reply; rep.length = 0; rep.number = 0; @@ -1443,11 +1445,12 @@ ProcXDGASetMode(ClientPtr client) ClientPtr owner; int size; + REQUEST_SIZE_MATCH(xXDGASetModeReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; owner = DGA_GETCLIENT(stuff->screen); - REQUEST_SIZE_MATCH(xXDGASetModeReq); rep.type = X_Reply; rep.length = 0; rep.offset = 0; @@ -1533,14 +1536,14 @@ ProcXDGASetViewport(ClientPtr client) { REQUEST(xXDGASetViewportReq); + REQUEST_SIZE_MATCH(xXDGASetViewportReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGASetViewportReq); - DGASetViewport(stuff->screen, stuff->x, stuff->y, stuff->flags); return Success; 
@@ -1554,14 +1557,14 @@ ProcXDGAInstallColormap(ClientPtr client) REQUEST(xXDGAInstallColormapReq); + REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGAInstallColormapReq); - rc = dixLookupResourceByType((void **) &cmap, stuff->cmap, RT_COLORMAP, client, DixInstallAccess); if (rc != Success) @@ -1575,14 +1578,14 @@ ProcXDGASelectInput(ClientPtr client) { REQUEST(xXDGASelectInputReq); + REQUEST_SIZE_MATCH(xXDGASelectInputReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGASelectInputReq); - if (DGA_GETCLIENT(stuff->screen) == client) DGASelectInput(stuff->screen, client, stuff->mask); @@ -1594,14 +1597,14 @@ ProcXDGAFillRectangle(ClientPtr client) { REQUEST(xXDGAFillRectangleReq); + REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGAFillRectangleReq); - if (Success != DGAFillRect(stuff->screen, stuff->x, stuff->y, stuff->width, stuff->height, stuff->color)) return BadMatch; @@ -1614,14 +1617,14 @@ ProcXDGACopyArea(ClientPtr client) { REQUEST(xXDGACopyAreaReq); + REQUEST_SIZE_MATCH(xXDGACopyAreaReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGACopyAreaReq); - if (Success != DGABlitRect(stuff->screen, stuff->srcx, stuff->srcy, stuff->width, stuff->height, stuff->dstx, stuff->dsty)) 
@@ -1635,14 +1638,14 @@ ProcXDGACopyTransparentArea(ClientPtr client) { REQUEST(xXDGACopyTransparentAreaReq); + REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGACopyTransparentAreaReq); - if (Success != DGABlitTransRect(stuff->screen, stuff->srcx, stuff->srcy, stuff->width, stuff->height, stuff->dstx, stuff->dsty, stuff->key)) @@ -1657,13 +1660,14 @@ ProcXDGAGetViewportStatus(ClientPtr client) REQUEST(xXDGAGetViewportStatusReq); xXDGAGetViewportStatusReply rep; + REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGAGetViewportStatusReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1680,13 +1684,14 @@ ProcXDGASync(ClientPtr client) REQUEST(xXDGASyncReq); xXDGASyncReply rep; + REQUEST_SIZE_MATCH(xXDGASyncReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGASyncReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1725,13 +1730,14 @@ ProcXDGAChangePixmapMode(ClientPtr client) xXDGAChangePixmapModeReply rep; int x, y; + REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGAChangePixmapModeReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; 
@@ -1755,14 +1761,14 @@ ProcXDGACreateColormap(ClientPtr client) REQUEST(xXDGACreateColormapReq); int result; + REQUEST_SIZE_MATCH(xXDGACreateColormapReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXDGACreateColormapReq); - if (!stuff->mode) return BadValue; @@ -1791,10 +1797,11 @@ ProcXF86DGAGetVideoLL(ClientPtr client) int num, offset, flags; char *name; + REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXF86DGAGetVideoLLReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1831,9 +1838,10 @@ ProcXF86DGADirectVideo(ClientPtr client) REQUEST(xXF86DGADirectVideoReq); + REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXF86DGADirectVideoReq); if (!DGAAvailable(stuff->screen)) return DGAErrorBase + XF86DGANoDirectVideoMode; @@ -1889,10 +1897,11 @@ ProcXF86DGAGetViewPortSize(ClientPtr client) REQUEST(xXF86DGAGetViewPortSizeReq); xXF86DGAGetViewPortSizeReply rep; + REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXF86DGAGetViewPortSizeReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1917,14 +1926,14 @@ ProcXF86DGASetViewPort(ClientPtr client) { REQUEST(xXF86DGASetViewPortReq); + REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXF86DGASetViewPortReq); - if (!DGAAvailable(stuff->screen)) return DGAErrorBase + XF86DGANoDirectVideoMode; 
@@ -1944,10 +1953,11 @@ ProcXF86DGAGetVidPage(ClientPtr client) REQUEST(xXF86DGAGetVidPageReq); xXF86DGAGetVidPageReply rep; + REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXF86DGAGetVidPageReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -1962,11 +1972,11 @@ ProcXF86DGASetVidPage(ClientPtr client) { REQUEST(xXF86DGASetVidPageReq); + REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXF86DGASetVidPageReq); - /* silently fail */ return Success; @@ -1980,14 +1990,14 @@ ProcXF86DGAInstallColormap(ClientPtr client) REQUEST(xXF86DGAInstallColormapReq); + REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXF86DGAInstallColormapReq); - if (!DGAActive(stuff->screen)) return DGAErrorBase + XF86DGADirectNotActivated; @@ -2008,10 +2018,11 @@ ProcXF86DGAQueryDirectVideo(ClientPtr client) REQUEST(xXF86DGAQueryDirectVideoReq); xXF86DGAQueryDirectVideoReply rep; + REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; - REQUEST_SIZE_MATCH(xXF86DGAQueryDirectVideoReq); rep.type = X_Reply; rep.length = 0; rep.sequenceNumber = client->sequence; @@ -2030,14 +2041,14 @@ ProcXF86DGAViewPortChanged(ClientPtr client) REQUEST(xXF86DGAViewPortChangedReq); xXF86DGAViewPortChangedReply rep; + REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq); + if (stuff->screen >= screenInfo.numScreens) return BadValue; if (DGA_GETCLIENT(stuff->screen) != client) return DGAErrorBase + XF86DGADirectNotActivated; - REQUEST_SIZE_MATCH(xXF86DGAViewPortChangedReq); - if (!DGAActive(stuff->screen)) return DGAErrorBase + XF86DGADirectNotActivated; 
diff --git a/hw/xfree86/dri/xf86dri.c b/hw/xfree86/dri/xf86dri.c index 68f8b7e72..65f368efd 100644 --- a/hw/xfree86/dri/xf86dri.c +++ b/hw/xfree86/dri/xf86dri.c @@ -570,6 +570,7 @@ static int SProcXF86DRIQueryDirectRenderingCapable(register ClientPtr client) { REQUEST(xXF86DRIQueryDirectRenderingCapableReq); + REQUEST_SIZE_MATCH(xXF86DRIQueryDirectRenderingCapableReq); swaps(&stuff->length); swapl(&stuff->screen); return ProcXF86DRIQueryDirectRenderingCapable(client); diff --git a/hw/xfree86/drivers/modesetting/dri2.c b/hw/xfree86/drivers/modesetting/dri2.c index 8f44899b3..8944ef136 100644 --- a/hw/xfree86/drivers/modesetting/dri2.c +++ b/hw/xfree86/drivers/modesetting/dri2.c @@ -695,16 +695,19 @@ ms_dri2_schedule_wait_msc(ClientPtr client, DrawablePtr draw, CARD64 target_msc, { ScreenPtr screen = draw->pScreen; ScrnInfoPtr scrn = xf86ScreenToScrn(screen); + modesettingPtr ms = modesettingPTR(scrn); ms_dri2_frame_event_ptr wait_info; + drmVBlank vbl; int ret; xf86CrtcPtr crtc = ms_dri2_crtc_covering_drawable(draw); + drmmode_crtc_private_ptr drmmode_crtc; CARD64 current_msc, current_ust, request_msc; uint32_t seq; - uint64_t queued_msc; /* Drawable not visible, return immediately */ if (!crtc) goto out_complete; + drmmode_crtc = crtc->driver_private; wait_info = calloc(1, sizeof(*wait_info)); if (!wait_info) @@ -744,8 +747,13 @@ ms_dri2_schedule_wait_msc(ClientPtr client, DrawablePtr draw, CARD64 target_msc, if (current_msc >= target_msc) target_msc = current_msc; + vbl.request.type = (DRM_VBLANK_ABSOLUTE | + DRM_VBLANK_EVENT | + drmmode_crtc->vblank_pipe); + vbl.request.sequence = ms_crtc_msc_to_kernel_msc(crtc, target_msc); + vbl.request.signal = (unsigned long)seq; - ret = ms_queue_vblank(crtc, MS_QUEUE_ABSOLUTE, target_msc, &queued_msc, seq); + ret = drmWaitVBlank(ms->fd, &vbl); if (ret) { static int limit = 5; if (limit) { 
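Review bot: The direct `drmWaitVBlank(ms->fd, &vbl)` call in ms_dri2_schedule_wait_msc treats every failure alike, while ms_present_queue_vblank in present.c (same commit) retries after `ms_flush_drm_events(screen)` when errno is EBUSY and calls `ms_drm_abort_seq(scrn, seq)` when it gives up. Here an EBUSY result goes straight to the warning and `goto out_free`, and whether out_free releases the entry obtained from ms_drm_queue_alloc is not visible in the hunk. The second drmWaitVBlank call in this function and the two in ms_dri2_schedule_swap have the same shape. If the release branch keeps the simpler behaviour on purpose, a comment saying so would help; otherwise the retry could look like the excerpt below, assuming ms_flush_drm_events is declared for this file.
```c
    vbl.request.signal = (unsigned long)seq;

    /* Same policy as ms_present_queue_vblank: drain pending DRM events on
     * EBUSY and retry; any other error is final. */
    do {
        ret = drmWaitVBlank(ms->fd, &vbl);
    } while (ret && errno == EBUSY && ms_flush_drm_events(screen) >= 0);
    if (ret) {
        /* … unchanged: rate-limited warning, then goto out_free … */
```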
@@ -758,7 +766,7 @@ ms_dri2_schedule_wait_msc(ClientPtr client, DrawablePtr draw, CARD64 target_msc, goto out_free; } - wait_info->frame = queued_msc; + wait_info->frame = ms_kernel_msc_to_crtc_msc(crtc, vbl.reply.sequence); DRI2BlockClient(client, draw); return TRUE; } @@ -767,6 +775,9 @@ ms_dri2_schedule_wait_msc(ClientPtr client, DrawablePtr draw, CARD64 target_msc, * If we get here, target_msc has already passed or we don't have one, * so we queue an event that will satisfy the divisor/remainder equation. */ + vbl.request.type = + DRM_VBLANK_ABSOLUTE | DRM_VBLANK_EVENT | drmmode_crtc->vblank_pipe; + request_msc = current_msc - (current_msc % divisor) + remainder; /* @@ -784,7 +795,11 @@ ms_dri2_schedule_wait_msc(ClientPtr client, DrawablePtr draw, CARD64 target_msc, if (!seq) goto out_free; - if (!ms_queue_vblank(crtc, MS_QUEUE_ABSOLUTE, request_msc, &queued_msc, seq)) { + vbl.request.sequence = ms_crtc_msc_to_kernel_msc(crtc, request_msc); + vbl.request.signal = (unsigned long)seq; + + ret = drmWaitVBlank(ms->fd, &vbl); + if (ret) { static int limit = 5; if (limit) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, @@ -796,8 +811,7 @@ ms_dri2_schedule_wait_msc(ClientPtr client, DrawablePtr draw, CARD64 target_msc, goto out_free; } - wait_info->frame = queued_msc; - + wait_info->frame = ms_kernel_msc_to_crtc_msc(crtc, vbl.reply.sequence); DRI2BlockClient(client, draw); return TRUE; 
@@ -825,18 +839,20 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, { ScreenPtr screen = draw->pScreen; ScrnInfoPtr scrn = xf86ScreenToScrn(screen); + modesettingPtr ms = modesettingPTR(scrn); + drmVBlank vbl; int ret, flip = 0; xf86CrtcPtr crtc = ms_dri2_crtc_covering_drawable(draw); + drmmode_crtc_private_ptr drmmode_crtc; ms_dri2_frame_event_ptr frame_info = NULL; uint64_t current_msc, current_ust; uint64_t request_msc; uint32_t seq; - ms_queue_flag ms_flag = MS_QUEUE_ABSOLUTE; - uint64_t queued_msc; /* Drawable not displayed... just complete the swap */ if (!crtc) goto blit_fallback; + drmmode_crtc = crtc->driver_private; frame_info = calloc(1, sizeof(*frame_info)); if (!frame_info) @@ -862,8 +878,6 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, ms_dri2_reference_buffer(back); ret = ms_get_crtc_ust_msc(crtc, ¤t_ust, ¤t_msc); - if (ret != Success) - goto blit_fallback; /* Flips need to be submitted one frame before */ if (can_flip(scrn, draw, front, back)) { @@ -878,19 +892,22 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, if (*target_msc > 0) *target_msc -= flip; - /* If non-pageflipping, but blitting/exchanging, we need to use - * DRM_VBLANK_NEXTONMISS to avoid unreliable timestamping later - * on. - */ - if (flip == 0) - ms_flag |= MS_QUEUE_NEXT_ON_MISS; - /* * If divisor is zero, or current_msc is smaller than target_msc * we just need to make sure target_msc passes before initiating * the swap. */ if (divisor == 0 || current_msc < *target_msc) { + vbl.request.type = (DRM_VBLANK_ABSOLUTE | + DRM_VBLANK_EVENT | + drmmode_crtc->vblank_pipe); + + /* If non-pageflipping, but blitting/exchanging, we need to use + * DRM_VBLANK_NEXTONMISS to avoid unreliable timestamping later + * on. + */ + if (flip == 0) + vbl.request.type |= DRM_VBLANK_NEXTONMISS; /* If target_msc already reached or passed, set it to * current_msc to ensure we return a reasonable value back 
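Review bot: ms_dri2_schedule_swap no longer tests the result of ms_get_crtc_ust_msc, yet `current_msc` is read shortly afterwards in `divisor == 0 || current_msc < *target_msc` and again in the divisor/remainder computation. The vblank.c hunk on this page shows that function returning BadMatch when the kernel query fails, apparently before any MSC is stored, so on that path `current_msc` would be used uninitialised and the value assigned to `ret` is simply overwritten by the later drmWaitVBlank call. Either keep `if (ret != Success) goto blit_fallback;` or initialise `current_msc` and `current_ust` to 0 at their declaration and drop the dead assignment to `ret`.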
@@ -905,14 +922,19 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, if (!seq) goto blit_fallback; - if (!ms_queue_vblank(crtc, ms_flag, *target_msc, &queued_msc, seq)) { + vbl.request.sequence = ms_crtc_msc_to_kernel_msc(crtc, *target_msc); + vbl.request.signal = (unsigned long)seq; + + ret = drmWaitVBlank(ms->fd, &vbl); + if (ret) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "divisor 0 get vblank counter failed: %s\n", strerror(errno)); goto blit_fallback; } - *target_msc = queued_msc + flip; + *target_msc = ms_kernel_msc_to_crtc_msc(crtc, + vbl.reply.sequence + flip); frame_info->frame = *target_msc; return TRUE; @@ -923,6 +945,11 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, * and we need to queue an event that will satisfy the divisor/remainder * equation. */ + vbl.request.type = (DRM_VBLANK_ABSOLUTE | + DRM_VBLANK_EVENT | + drmmode_crtc->vblank_pipe); + if (flip == 0) + vbl.request.type |= DRM_VBLANK_NEXTONMISS; request_msc = current_msc - (current_msc % divisor) + remainder; @@ -939,6 +966,7 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, if (request_msc <= current_msc) request_msc += divisor; + seq = ms_drm_queue_alloc(crtc, frame_info, ms_dri2_frame_event_handler, ms_dri2_frame_event_abort); @@ -946,7 +974,11 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, goto blit_fallback; /* Account for 1 frame extra pageflip delay if flip > 0 */ - if (!ms_queue_vblank(crtc, ms_flag, request_msc - flip, &queued_msc, seq)) { + vbl.request.sequence = ms_crtc_msc_to_kernel_msc(crtc, request_msc) - flip; + vbl.request.signal = (unsigned long)seq; + + ret = drmWaitVBlank(ms->fd, &vbl); + if (ret) { xf86DrvMsg(scrn->scrnIndex, X_WARNING, "final get vblank counter failed: %s\n", strerror(errno)); 
@@ -954,7 +986,7 @@ ms_dri2_schedule_swap(ClientPtr client, DrawablePtr draw, } /* Adjust returned value for 1 fame pageflip offset of flip > 0 */ - *target_msc = queued_msc + flip; + *target_msc = ms_kernel_msc_to_crtc_msc(crtc, vbl.reply.sequence + flip); frame_info->frame = *target_msc; return TRUE; diff --git a/hw/xfree86/drivers/modesetting/driver.h b/hw/xfree86/drivers/modesetting/driver.h index 66034badb..eee96e50f 100644 --- a/hw/xfree86/drivers/modesetting/driver.h +++ b/hw/xfree86/drivers/modesetting/driver.h @@ -119,10 +119,6 @@ typedef struct _modesettingRec { Bool dirty_enabled; uint32_t cursor_width, cursor_height; - - Bool has_queue_sequence; - Bool tried_queue_sequence; - } modesettingRec, *modesettingPtr; #define modesettingPTR(p) ((modesettingPtr)((p)->driverPrivate)) @@ -133,15 +129,6 @@ uint32_t ms_drm_queue_alloc(xf86CrtcPtr crtc, ms_drm_handler_proc handler, ms_drm_abort_proc abort); -typedef enum ms_queue_flag { - MS_QUEUE_ABSOLUTE = 0, - MS_QUEUE_RELATIVE = 1, - MS_QUEUE_NEXT_ON_MISS = 2 -} ms_queue_flag; - -Bool ms_queue_vblank(xf86CrtcPtr crtc, ms_queue_flag flags, - uint64_t msc, uint64_t *msc_queued, uint32_t seq); - void ms_drm_abort(ScrnInfoPtr scrn, Bool (*match)(void *data, void *match_data), void *match_data); @@ -153,8 +140,8 @@ xf86CrtcPtr ms_dri2_crtc_covering_drawable(DrawablePtr pDraw); int ms_get_crtc_ust_msc(xf86CrtcPtr crtc, CARD64 *ust, CARD64 *msc); -uint64_t ms_crtc_msc_to_kernel_msc(xf86CrtcPtr crtc, uint64_t expect); -uint64_t ms_kernel_msc_to_crtc_msc(xf86CrtcPtr crtc, uint64_t sequence); +uint32_t ms_crtc_msc_to_kernel_msc(xf86CrtcPtr crtc, uint64_t expect); +uint64_t ms_kernel_msc_to_crtc_msc(xf86CrtcPtr crtc, uint32_t sequence); Bool ms_dri2_screen_init(ScreenPtr screen); diff --git a/hw/xfree86/drivers/modesetting/drmmode_display.c b/hw/xfree86/drivers/modesetting/drmmode_display.c index 025725aaf..53e1cf545 100644 --- a/hw/xfree86/drivers/modesetting/drmmode_display.c 
+++ b/hw/xfree86/drivers/modesetting/drmmode_display.c @@ -279,6 +279,8 @@ drmmode_SharedPixmapPresentOnVBlank(PixmapPtr ppix, xf86CrtcPtr crtc, { drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private; msPixmapPrivPtr ppriv = msGetPixmapPriv(drmmode, ppix); + + drmVBlank vbl; struct vblank_event_args *event_args; if (ppix == drmmode_crtc->prime_pixmap) @@ -301,7 +303,12 @@ drmmode_SharedPixmapPresentOnVBlank(PixmapPtr ppix, xf86CrtcPtr crtc, drmmode_SharedPixmapVBlankEventHandler, drmmode_SharedPixmapVBlankEventAbort); - return ms_queue_vblank(crtc, MS_QUEUE_RELATIVE, 1, NULL, ppriv->flip_seq); + vbl.request.type = + DRM_VBLANK_RELATIVE | DRM_VBLANK_EVENT | drmmode_crtc->vblank_pipe; + vbl.request.sequence = 1; + vbl.request.signal = (unsigned long) ppriv->flip_seq; + + return drmWaitVBlank(drmmode->fd, &vbl) >= 0; } Bool diff --git a/hw/xfree86/drivers/modesetting/present.c b/hw/xfree86/drivers/modesetting/present.c index 67982d741..55b622cbc 100644 --- a/hw/xfree86/drivers/modesetting/present.c +++ b/hw/xfree86/drivers/modesetting/present.c @@ -109,7 +109,13 @@ ms_present_queue_vblank(RRCrtcPtr crtc, uint64_t msc) { xf86CrtcPtr xf86_crtc = crtc->devPrivate; + ScreenPtr screen = crtc->pScreen; + ScrnInfoPtr scrn = xf86ScreenToScrn(screen); + modesettingPtr ms = modesettingPTR(scrn); + drmmode_crtc_private_ptr drmmode_crtc = xf86_crtc->driver_private; struct ms_present_vblank_event *event; + drmVBlank vbl; + int ret; uint32_t seq; event = calloc(sizeof(struct ms_present_vblank_event), 1); 
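Review bot: drmmode_SharedPixmapPresentOnVBlank hands `ppriv->flip_seq` straight to drmWaitVBlank, without the `if (!seq)` test that the dri2.c callers in this commit apply after ms_drm_queue_alloc and without releasing the queue entry when the ioctl fails. The allocation line itself is above the visible context, so this is inferred from the handler and abort arguments shown. If flip_seq can be 0, return FALSE before filling in `vbl`, and on a failed wait call `ms_drm_abort_seq(scrn, ppriv->flip_seq)` as present.c does, so that `event_args` is not left queued; `scrn` would have to be obtained in this function. Writing the result as `drmWaitVBlank(drmmode->fd, &vbl) == 0` would also state the success condition more directly than `>= 0`.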
@@ -124,9 +130,22 @@ ms_present_queue_vblank(RRCrtcPtr crtc, return BadAlloc; } - if (!ms_queue_vblank(xf86_crtc, MS_QUEUE_ABSOLUTE, msc, NULL, seq)) - return BadAlloc; - + vbl.request.type = + DRM_VBLANK_ABSOLUTE | DRM_VBLANK_EVENT | drmmode_crtc->vblank_pipe; + vbl.request.sequence = ms_crtc_msc_to_kernel_msc(xf86_crtc, msc); + vbl.request.signal = seq; + for (;;) { + ret = drmWaitVBlank(ms->fd, &vbl); + if (!ret) + break; + /* If we hit EBUSY, then try to flush events. If we can't, then + * this is an error. + */ + if (errno != EBUSY || ms_flush_drm_events(screen) < 0) { + ms_drm_abort_seq(scrn, seq); + return BadAlloc; + } + } DebugPresent(("\t\tmq %lld seq %u msc %llu (hw msc %u)\n", (long long) event_id, seq, (long long) msc, vbl.request.sequence)); diff --git a/hw/xfree86/drivers/modesetting/vblank.c b/hw/xfree86/drivers/modesetting/vblank.c index 31cf0bd70..8682f4d91 100644 --- a/hw/xfree86/drivers/modesetting/vblank.c +++ b/hw/xfree86/drivers/modesetting/vblank.c @@ -173,7 +173,7 @@ ms_dri2_crtc_covering_drawable(DrawablePtr pDraw) static Bool ms_get_kernel_ust_msc(xf86CrtcPtr crtc, - uint64_t *msc, uint64_t *ust) + uint32_t *msc, uint64_t *ust) { ScreenPtr screen = crtc->randr_crtc->pScreen; ScrnInfoPtr scrn = xf86ScreenToScrn(screen); 
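Review bot: The `for (;;)` retry loop added to ms_present_queue_vblank has no bound: every EBUSY from `drmWaitVBlank()` is retried as long as `ms_flush_drm_events(screen)` returns a non-negative value. The body of `ms_flush_drm_events()` is not visible here, so this is an inference. If it can return 0 when there was nothing to drain, the server spins in this loop for as long as the kernel keeps answering EBUSY. Treating "nothing flushed" as a failure, `if (errno != EBUSY || ms_flush_drm_events(screen) <= 0) {`, or capping the number of retries, would keep a stuck queue from stalling the dispatch loop.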
@@ -198,50 +198,13 @@ ms_get_kernel_ust_msc(xf86CrtcPtr crtc, } } -Bool -ms_queue_vblank(xf86CrtcPtr crtc, ms_queue_flag flags, - uint64_t msc, uint64_t *msc_queued, uint32_t seq) -{ - ScreenPtr screen = crtc->randr_crtc->pScreen; - ScrnInfoPtr scrn = xf86ScreenToScrn(screen); - modesettingPtr ms = modesettingPTR(scrn); - drmmode_crtc_private_ptr drmmode_crtc = crtc->driver_private; - drmVBlank vbl; - int ret; - - for (;;) { - /* Queue an event at the specified sequence */ - vbl.request.type = DRM_VBLANK_EVENT | drmmode_crtc->vblank_pipe; - if (flags & MS_QUEUE_RELATIVE) - vbl.request.type |= DRM_VBLANK_RELATIVE; - else - vbl.request.type |= DRM_VBLANK_ABSOLUTE; - if (flags & MS_QUEUE_NEXT_ON_MISS) - vbl.request.type |= DRM_VBLANK_NEXTONMISS; - - vbl.request.sequence = ms_crtc_msc_to_kernel_msc(crtc, msc); - vbl.request.signal = seq; - ret = drmWaitVBlank(ms->fd, &vbl); - if (ret == 0) { - if (msc_queued) - *msc_queued = ms_kernel_msc_to_crtc_msc(crtc, vbl.reply.sequence); - return TRUE; - } - if (errno != EBUSY) { - ms_drm_abort_seq(scrn, msc); - return FALSE; - } - ms_flush_drm_events(screen); - } -} - /** * Convert a 32-bit kernel MSC sequence number to a 64-bit local sequence * number, adding in the vblank_offset and high 32 bits, and dealing * with 64-bit wrapping */ uint64_t -ms_kernel_msc_to_crtc_msc(xf86CrtcPtr crtc, uint64_t sequence) +ms_kernel_msc_to_crtc_msc(xf86CrtcPtr crtc, uint32_t sequence) { drmmode_crtc_private_rec *drmmode_crtc = crtc->driver_private; sequence += drmmode_crtc->vblank_offset; @@ -255,7 +218,7 @@ ms_kernel_msc_to_crtc_msc(xf86CrtcPtr crtc, uint64_t sequence) int ms_get_crtc_ust_msc(xf86CrtcPtr crtc, CARD64 *ust, CARD64 *msc) { - uint64_t kernel_msc; + uint32_t kernel_msc; if (!ms_get_kernel_ust_msc(crtc, &kernel_msc, ust)) return BadMatch; 
@@ -267,13 +230,13 @@ ms_get_crtc_ust_msc(xf86CrtcPtr crtc, CARD64 *ust, CARD64 *msc) #define MAX_VBLANK_OFFSET 1000 /** - * Convert a 64-bit adjusted MSC value into a 64-bit kernel sequence number, - * by subtracting out the vblank_offset term. + * Convert a 64-bit adjusted MSC value into a 32-bit kernel sequence number, + * removing the high 32 bits and subtracting out the vblank_offset term. * * This also updates the vblank_offset when it notices that the value should * change. */ -uint64_t +uint32_t ms_crtc_msc_to_kernel_msc(xf86CrtcPtr crtc, uint64_t expect) { drmmode_crtc_private_rec *drmmode_crtc = crtc->driver_private; @@ -294,7 +257,7 @@ ms_crtc_msc_to_kernel_msc(xf86CrtcPtr crtc, uint64_t expect) drmmode_crtc->vblank_offset = 0; } } - return (expect - drmmode_crtc->vblank_offset); + return (uint32_t) (expect - drmmode_crtc->vblank_offset); } /** @@ -412,31 +375,25 @@ ms_drm_abort(ScrnInfoPtr scrn, Bool (*match)(void *data, void *match_data), * drm event queue and calls the handler for it. */ static void -ms_drm_sequence_handler(int fd, uint64_t frame, uint64_t ns, uint64_t user_data) +ms_drm_handler(int fd, uint32_t frame, uint32_t sec, uint32_t usec, + void *user_ptr) { struct ms_drm_queue *q, *tmp; - uint32_t seq = (uint32_t) user_data; + uint32_t user_data = (uint32_t) (intptr_t) user_ptr; xorg_list_for_each_entry_safe(q, tmp, &ms_drm_queue, list) { - if (q->seq == seq) { + if (q->seq == user_data) { uint64_t msc; msc = ms_kernel_msc_to_crtc_msc(q->crtc, frame); xorg_list_del(&q->list); - q->handler(msc, ns / 1000, q->data); + q->handler(msc, (uint64_t) sec * 1000000 + usec, q->data); free(q); break; } } } -static void -ms_drm_handler(int fd, uint32_t frame, uint32_t sec, uint32_t usec, - void *user_ptr) -{ - ms_drm_sequence_handler(fd, frame, ((uint64_t) sec * 1000000 + usec) * 1000, (uint32_t) (uintptr_t) user_ptr); -} - Bool ms_vblank_screen_init(ScreenPtr screen) { 
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client) if (!gotnow) AvailableInput = oc; if (move_header) { + if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) { + YieldControlDeath(); + return -1; + } + request = (xReq *) oci->bufptr; oci->bufptr += (sizeof(xBigReq) - sizeof(xReq)); *(xReq *) oci->bufptr = *request; diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c index d8b259341..95f6e10c8 100644 --- a/pseudoramiX/pseudoramiX.c +++ b/pseudoramiX/pseudoramiX.c @@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client) TRACE; + REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); + if (stuff->screen >= pseudoramiXNumScreens) return BadMatch; - REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq); rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess); if (rc != Success) return rc; diff --git a/render/render.c b/render/render.c index bfacaa0d0..3a41e331e 100644 --- a/render/render.c +++ b/render/render.c @@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client) name = (char *) (stuff + 1); params = (xFixed *) (name + pad_to_int32(stuff->nbytes)); nparams = ((xFixed *) stuff + client->req_len) - params; + if (nparams < 0) + return BadLength; + result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams); return result; } diff --git a/xfixes/cursor.c b/xfixes/cursor.c index f009a78b9..6e84d71f1 100644 --- a/xfixes/cursor.c +++ b/xfixes/cursor.c @@ -281,6 +281,7 @@ int SProcXFixesSelectCursorInput(ClientPtr client) { REQUEST(xXFixesSelectCursorInputReq); + REQUEST_SIZE_MATCH(xXFixesSelectCursorInputReq); swaps(&stuff->length); swapl(&stuff->window); 
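Review bot: The length check added at the top of the `move_header` branch in ReadRequestFromClient has no comment saying what it protects, although it is the only thing here that rejects a big request whose declared length is smaller than the extended header. A short comment above it would keep the check from being dropped or moved in a later refactor, for example `/* big-request length shorter than the xBigReq header itself: malformed, drop the client */`. The code that consumes `req_len` after the header move lies outside this hunk, so the exact failure being prevented should be confirmed there before wording the comment more specifically.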
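Review bot: In the render.c hunk (ProcRenderSetPictureFilter) the client-supplied `stuff->nbytes` is bounded only indirectly: `params` is first formed as `name + pad_to_int32(stuff->nbytes)`, possibly beyond the request, and the new `nparams < 0` test then infers the overrun from the sign of a pointer difference. That works as a guard, but the intent is hard to read. A comment on the new test such as `/* nbytes claims a filter name longer than the request */` would make it explicit. Checking `pad_to_int32(stuff->nbytes)` against the remaining request bytes before computing `params` would be clearer still. The start of the function, including any earlier size macro, is outside the hunk.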
@@ -414,7 +415,7 @@ ProcXFixesSetCursorName(ClientPtr client) REQUEST(xXFixesSetCursorNameReq); Atom atom; - REQUEST_AT_LEAST_SIZE(xXFixesSetCursorNameReq); + REQUEST_FIXED_SIZE(xXFixesSetCursorNameReq, stuff->nbytes); VERIFY_CURSOR(pCursor, stuff->cursor, client, DixSetAttrAccess); tchar = (char *) &stuff[1]; atom = MakeAtom(tchar, stuff->nbytes, TRUE); @@ -1007,6 +1008,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client) int i; CARD16 *in_devices = (CARD16 *) &stuff[1]; + REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq); + swaps(&stuff->length); swaps(&stuff->num_devices); REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices)); diff --git a/xfixes/region.c b/xfixes/region.c index dd74d7f7e..f300d2b6e 100644 --- a/xfixes/region.c +++ b/xfixes/region.c @@ -359,6 +359,7 @@ ProcXFixesCopyRegion(ClientPtr client) RegionPtr pSource, pDestination; REQUEST(xXFixesCopyRegionReq); + REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); VERIFY_REGION(pSource, stuff->source, client, DixReadAccess); VERIFY_REGION(pDestination, stuff->destination, client, DixWriteAccess); @@ -375,7 +376,7 @@ SProcXFixesCopyRegion(ClientPtr client) REQUEST(xXFixesCopyRegionReq); swaps(&stuff->length); - REQUEST_AT_LEAST_SIZE(xXFixesCopyRegionReq); + REQUEST_SIZE_MATCH(xXFixesCopyRegionReq); swapl(&stuff->source); swapl(&stuff->destination); return (*ProcXFixesVector[stuff->xfixesReqType]) (client); diff --git a/xfixes/saveset.c b/xfixes/saveset.c index eb3f6589e..aa365cfe5 100644 --- a/xfixes/saveset.c +++ b/xfixes/saveset.c @@ -62,6 +62,7 @@ int SProcXFixesChangeSaveSet(ClientPtr client) { REQUEST(xXFixesChangeSaveSetReq); + REQUEST_SIZE_MATCH(xXFixesChangeSaveSetReq); swaps(&stuff->length); swapl(&stuff->window); diff --git a/xfixes/xfixes.c b/xfixes/xfixes.c index 8d1bd4cc6..8b45c5349 100644 --- a/xfixes/xfixes.c +++ b/xfixes/xfixes.c 
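Review bot: In the SProcXFixesCreatePointerBarrier hunk, the unchanged `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));` sizes the trailing device list as `num_devices` bytes, while `in_devices` is declared as `CARD16 *`, so each entry takes two bytes. The added `REQUEST_AT_LEAST_SIZE` only guarantees the fixed header before the swaps, so a request that passes both checks can still carry half the device data that `num_devices` implies. The loop that uses `i` and `in_devices` is outside the hunk; if it walks `num_devices` entries, it touches memory past the end of the request. `REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices * sizeof(CARD16)));` would match the element type, and the non-swapped handler (not in this diff) should be checked for the same size expression.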
@@ -160,6 +160,7 @@ static int SProcXFixesQueryVersion(ClientPtr client) { REQUEST(xXFixesQueryVersionReq); + REQUEST_SIZE_MATCH(xXFixesQueryVersionReq); swaps(&stuff->length); swapl(&stuff->majorVersion); |