| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
ProcDRI2GetBuffers() tries to validate a length field (count).
There is an integer overflow in the validation. This can cause
out of bound reads and memory corruption later on.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
Pageflips for Pixmap presents were not synchronized to vblank on
drivers with support for PresentCapabilityAsync, due to some
missing init for vblank->sync_flips. The PresentOptionAsync
flag was completely ignored for pageflipped presents.
Vsynced flips only worked by accident on the intel-ddx, as that
driver doesn't have PresentCapabilityAsync support.
On nouveau-ddx, which supports PresentCapabilityAsync, this
always caused non-vsynced pageflips with pretty ugly tearing.
This patch fixes the problem, as tested on top of XOrg 1.16.2
on nouveau and intel.
v4: Add additional PresentCapabilityAsync caps check, as
suggested by Eric Anholt.
Please also apply to XOrg 1.17 and XOrg 1.16.2 stable.
Applying on top of XOrg 1.16.2 requires cherry-picking
commit 2051514652481a83bd7cf22e57cb0fcd40333f33
which trivially fixes lack of support for protocol option
PresentOptionCopy - get two bug fixes for the price of one!
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
DebugPresent() crashed the server when a dri3 drawable
was closed while a pageflipped present was still pending,
due to vblank->window-> Null-Ptr deref, so debug builds
caused new problems to debug.
E.g.,
glXSwapBuffers(...);
glXDestroyWindow(...);
-> Pageflip for non-existent window completes -> boom.
Also often happens when switching desktop compositor on/off
due to Present unflips, or when logging out of session.
Also add info if a Present is queued for copyswap or pageflip,
if the present is vsynced, and the serial no of the Present
request, to aid debugging of pageflip and vsync issues. The
serial number is useful as Mesa's dri3/present backend encodes
its sendSBC in the serial number, so one can easily correlate
server debug output with Mesa and with the SBC values returned
to actual OpenGL client applications via OML_sync_control and
INTEL_swap_events extension, makes debugging quite a bit more
easy.
Please also cherry-pick this for a 1.16.x stable update.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
drmmode_output_init() doesn't touch (the int*) num_dvi and num_hdmi.
Remove both parameters.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
We don't define HAVE_UDEV, that's a remnant from xf86-video-modesetting.
But, we have CONFIG_UDEV_KMS.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
If we don't glamor_egl_create_textured_screen_ext() in
drmmode_xf86crtc_resize() we end up with a black screen and no client
window(s) visible.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Move the boolean glamor from struct modesetting into struct drmmode for
later re-use in drmmode_display.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
The message "removing GPU device ..." appeared even if the removal was
skipped (when path == NULL). Move it below the path check and make it a
LogMessage with config/udev prefix.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
With the previous patches applied, we now have crash due to use-after-free when
a client exits without deleting all it's GL contexts
On client exit, CloseDownClient first calls glxClientCallback() with
ClientStateGone, which calls __glXFreeContext() directly.
Subsequently CloseDownClient() frees all the clients resources, which leads to
ContextGone() being called for a context resource where the context has already
been freed.
Fix this by modifiying glxClientCallback() to free the context resource.
Also make __glXFreeContext() static, as calling it directly leads to this
problem, instead the context resource should be released.
With the previous patches applied, this can be demonstrated with e.g. glxinfo,
which doesn't delete it's context before exit.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
Some sequences of glean tests fail with GLXBadCurrentWindow when using indirect
rendering, e.g. glean -t 'fpexceptions getString'.
Flush a context which is being made non-current due to the drawable on which is
it is current going away. Waiting until another context is made current is too
late, as the drawable no longer exists.
v2: Rewrite for direct GL dispatch
v3: Inline FlushContext(), doesn't need to be a separate function
e.g. LIBGL_ALWAYS_INDIRECT=1 ./glean -r results -o --quick -t "fpexceptions
getString" fails with a BadContextTag error.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
This reverts commit 7f5adf73a0f9a951a6df201532b4031d38054369.
This seems to miss the whole point of the idExists flag, as it makes the
lifetime of that being true the same as the lifetime of the Context resource.
The previously current context tag is always given in a MakeContextCurrent
request, even if that context tag is no longer valid (for example, the context
has been deleted), so this leads to BadContextTag errors.
See fd.o bug #30089 for the makecurrenttest.c testcase, and some discussion of
previous manifestations of this bug.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
|
|
When (long) is larger than (int), and when realloc succeeds with sizes
larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count
overflow and become negative.
When ConnectionOutput->count is negative, InsertIOV does not actually
insert an IOV, and FlushClient goes into an infinite loop of writev(fd,
iov, 0) [an empty list].
Avoid this situation by killing the client when it has more than INT_MAX
unread bytes of data.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
ChangePicture takes wire XIDs, but didn't do any Xinerama translation,
which meant setting a clip pixmap or a separate alpha picture would
result in those elements pointing at the instance of the pixmap on
screen 0. Which is, you know, bad.
v2: This one actually builds.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=49170
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
ErrorFSigSafe calls LogVMessageVerbSigSafe with the message type set to X_ERROR.
That generates this in the log:
(EE) Server terminated successfully (0). Closing log file.
People periodically report this as an error, sometimes quoting this "error"
rather than an earlier error that actually caused a problem.
v2: Use X_INFO instead of X_NOTICE
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Covers the current state after commits 99f0365b1fbdfd9238b9f,
d0da0e9c3bb8fe0cd4879, & e3aa13b8d63ea2fba6eb4 were all applied.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: James Jones <jajones@nvidia.com>
Reviewed-by: Robert Morell <rmorell@nvidia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
xts' XDrawArcs/15 regressed (turning into a server-side infinite loop)
after:
commit 7679afd4da8b86aed27e5916ba723116a3c8bb4a
Author: Adam Jackson <ajax@redhat.com>
Date: Fri Sep 26 12:01:37 2014 -0400
mi: Fold mifpolycon.c into miarc.c
The reason is miarc.c provided its own definitions (sigh) of min/max,
that both accept int arguments and return an int. Since miFillSppPoly
uses a double (sigh) and some min-involving math for its loop index
variable, things do not go well.
Since the integer versions of min/max are redundant, nuke 'em.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
Tested-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
|
|
Mark fbos created from external buffers so that when the associated
pixmap is destroyed, they aren't put into the fbo cache for later
re-use and are instead freed immediately.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
|
|
Changed when we added barriers, documentation didn't get updated.
Reported-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Dave Airlie <airlied@redhat.com>
|
|
Signed-off-by: John Hunter <zhaojunwang@pku.edu.cn>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
sed -i "s/[ ]\+$//g" **/*.(c|h)
happy reviewing...
git diff -w is an empty diff.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
window.c:3246:36: warning: comparison of constant -1 with expression of type
'CARD32' (aka 'unsigned int') is always true
[-Wtautological-constant-out-of-range-compare]
if (optional->backingBitPlanes != ~0L)
~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~~
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Michel Dänzer <michel@daenzer.net>
|
|
inpututils.c:243:26: warning: comparison of constant 256 with expression of
type 'KeyCode' (aka 'unsigned char') is always false
[-Wtautological-constant-out-of-range-compare]
if (modkeymap[i] >= MAP_LENGTH)
~~~~~~~~~~~~ ^ ~~~~~~~~~~
MAP_LENGTH depends on MAX_BUTTONS which is somewhat arbitrarily chosen. We
don't expect this to ever change, but just in case leave the condition there
so the code is correct if we drop the number down.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
xwayland.c:661:1: warning: function 'xwl_log_handler' could be declared with
attribute 'noreturn' [-Wmissing-noreturn]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Just include dbus.h, it's been typedef'd there since 2003.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
shm.c:1150:24: warning: equality comparison with extraneous parentheses
[-Wparentheses-equality]
if ((shmdesc->addr == ((char *) -1))) {
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
/usr/include/xorg/regionstr.h:130:36: warning: implicit conversion changes
signedness: 'int' to 'unsigned long' [-Wsign-conversion]
return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
^ ~
Really only just pushes the problem to the caller, but maybe that motivates
someone to fix it.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Windows clipboard
The count of wchar_t returned by MultiByteToWideChar() includes the terminating
null character, so don't add one to it.
Also, reduce the scope of various length variables
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
|
|
If we are the clipboard owner when we are shutdown, we recieve a
WM_RENDERALLFORMATS, to render the clipboard, so it's contents will remain
available to other applications. Unfortunately, this is far too late to do
anything useful with, as the server is waiting for the clipboard thread to exit,
and so can't process requests to convert clipboard contents.
Change so we just do nothing on WM_RENDERALLFORMATS. (I'm not convinced that
WM_RENDERALLFORMATS has ever worked usefully, in any case).
(To make this work, I guess we would need to rearrange the way shutdown works
completely: first synchronously stop the clipboard, then stop the X server)
We also then receive a WM_DRAWCLIPBOARD, perhaps telling us that the available
clipboard formats have changed (as ones which haven't been rendered are now
removed), but the clipboard owner is now the system, not us, which we have to
arrange to ignore.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
It seems that the clipboard thread restart mechanism has been broken for a
while, which can be demonstrated using XDMCP with KDM (e.g. to a Kubutunu 12.04
host)
KDM kills all attached clients, including the clipboard integration client,
which restarts, but then exits on WM_QUIT.
Using PostQuitMessage() in WM_DESTROY is unhelpful, as we may not actually be
quitting the thread, if we just destroyed the window because the clipboard
thread is about to retry, because he WM_QUIT message sticks around, and is
noticed the next time we look at the window message queue and confuses us into
thinking we need to quit.
Sending a WM_DESTROY is apparently never correct anyhow, see [1]
So:
1/ Use DestroyWindow() to destroy the clipboard messaging window when cleaning
up for retry or exit in winClipboardProc (the clipboard thread main proc)
2/ Send a special WM_WM_QUIT message in winClipboardWindowDestroy() from the X
server thread when the X server is resetting.
3/ When processing that WM_WM_QUIT message in the clipboard thread, cause the
clipboard window to PostQuitMessage(), which causes the clipboard thread to
exit.
[1] http://blogs.msdn.com/b/oldnewthing/archive/2011/09/26/10216420.aspx
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
Sometimes, particularly with large clipboard pastes to Windows, we could end up
waiting for the timeout to expire, rather than pasting the data.
Various changes to improve reliability:
1. Use XFlush() not XSync() in winProcessXEventsTimeout().
It makes no sense to ensure we have received replies to outstanding requests if
we are going to wait for them using select()
2. Add XFlush() to winClipboardProc()
Make sure we have sent any requests before we wait using select()
3. Don't use FD_ISSET() to check which fd is ready
This looks like a Cygwin select() bug in that it sometimes returns 0 with an
empty fd set before the timeout expires, but a fd appears to be ready.
Add select() return value to debug output when we are warning that this has
happened.
4. Drain event queues before entering select()
Unconditionally drain event queues before entering select(). This seems to be
the recommended way of writing select() and X event processing loops.
winClipboardFlushXEvents() checks using XPending(), and
winClipboardFlushWindowsMessageQueue() checks using PeekMessage() so this is
safe against blocking, but means that may not need to enter select() at all
sometimes.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
xwinclip: Add -noprimary option
Xwin: Add -primary and -noprimary options and tray-menu control
v2:
Use Bool type for fPrimarySelection
Add -noprimary to usage message
Fix indentation in hw/xwin/winwndproc.c
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
See http://cygwin.com/ml/cygwin-xfree/2013-07/msg00016.html
It looks like the change in a9aca218f557c723e637287272819a7c17174e1e had some
unforseen consequences.
If the X11 selection contents are not convertable to COMPOUND_TEXT, UTF8_STRING
or STRING format (for example, if it is an image), after those conversion
attempts have failed, we sit in winProcessXEventsTimeout() until the timeout
expires.
It also seems that maybe gnuplot doesn't respond correctly to this sequence of
conversion requests and doesn't reply to some of them, which also causes us to
sit in winProcessXEventsTimeout() until the timeout expires.
The Windows application which has requested the clipboard contents via
GetClipboardContents() is blocked until we return from WM_RENDERFORMAT, so
sitting waiting for this timeout to expire should be avoided.
So instead, explicitly request conversion to the TARGETS target, choose
the most preferred format, and request conversion to that.
Also: if there is no owned selection, there is nothing to paste, so don't bother
trying to convert it.
v2: Fix compilation with -Werror=declaration-after-statement
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
property
Don't pointlessly retrieve just the size of the property, if we are then going
to assume we can retrieve the whole property in one request anyhow...
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
|
after we have retrieved it
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
|
