| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
We already send this for fbconfigs. Mesa happens to implement
glXChooseVisual relative to the fbconfig data, but that might not be
true of NVIDIA's libGL.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 43efaa6e4fd903229dc9c508da4177ad4bbdd4d8)
|
|
As of ea483af9 we're calling this unconditionally from the GLX code so
the synthetic visual is in a lower select group. If Composite has been
disabled then GetCompScreen() will return NULL, and this would crash.
Rather than force the caller to check first, just always return FALSE if
Composite is disabled (which is correct, since none of the visuals will
be synthetic in that case).
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
(cherry picked from commit f80119120c487581ac050ce741808f7c8f438f35)
|
|
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit ef2345aaa28461a76f77c65240ce5facc180f98e)
|
|
This comment is above compIsAlternateVisual, which used to be the only
thing determining whether implicit redirect was needed. It's not anymore
due to the redirection exception list. That job is now performed by
compImplicitRedirect, whose code is self-explanitory.
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit bccbaf7c113b1300071601879002682ebbe8b1c1)
|
|
Don't reuse cmd for strtok output to ensure the proper pointer is
freed afterwards.
The code incorrectly assumed the pointer returned by strtok(cmd, ":")
would always point to cmd. However, strtok(str, sep) != str if str
begins with sep. This caused an invalid-free crash when running
a program under X with a name beginning with a colon.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
Signed-off-by: Tomasz Śniatowski <kailoran@gmail.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
(cherry picked from commit 6883ae43eb72fe4e2651c1dca209563323fad2db)
|
|
PtrCtrl really makes sense for relative pointing device only, absolute
devices such as touch devices do not have any PtrCtrl set.
In some cases, if the client issues a XGetPointerControl() immediatlely
after a ChangeMasterDeviceClasses() copied the touch device to the VCP,
a NULL pointer dereference will occur leading to a crash of Xwayland.
Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and
return the default control values otherwise, to avoid the NULL pointer
dereference.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 9f7a9be13d6449c00c86d3035374f4f543654b3f)
|
|
From the bug: "What happens if bits->width is less than 8? :)"
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103012
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
(cherry picked from commit 97ac59b1ed3624f7c04e54dd3e3dadfa46a8f170)
|
|
Just never filled in, oops. Seems to have gone unnoticed because
normally glXQueryContext simply returns the values filled in by the
client library when the context was created. The only path by which you
normally get to a GLXQueryContext request is glXImportContext, and then
only if the context is already indirect.
However, that's a statement about Mesa's libGL (and anything else that
inherited that bit of the SGI SI more or less intact). Nothing prevents
a mischeivous client from issuing that request of a direct context, and
if they did we'd be in trouble because we never bothered to preserve the
associated fbconfig in the context state, so we'd crash looking up
GLX_VISUAL_ID_EXT. So let's fix that too.
v2: Fixed missing preservation of the config in DRI2 (Eric Anholt)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
(cherry picked from commit 5d667df6ea1634191a26f9a7c26bc883701d62b0)
|
|
Terminate a dead session when -once was passed. Don't restart it.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Walter Harms <wharms@bfs.de>
(cherry picked from commit 918afeecbc63d70413e222efdb2ac4cfb16eae9e)
|
|
We were sending the events to all clients listening for them on the
window. But clients can get confused by events from another client, and
I can't imagine any case where receiving events from other clients would
be required.
v2:
* Also restrict events sent to additional windows to the presenting
client
* Don't shorten line lengths
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 559954aaa8d811a22cf918cc16a7d618e12201a0)
|
|
Similarly to bb766ef11227bd8c71ac65845d1930edd0eda40d, ensure that the
extra padding is set to 0.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
(cherry picked from commit fb5ee77b91a93e27801006be8ee34d27984e7fa6)
|
|
If the context is direct none of the GL commands were issued by this
process, the server couldn't flush them even if it wanted to.
v2: Fix embarassingly obvious boolean inversion (Michel Dänzer)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
(cherry picked from commit 307c124d6bcfe26057767b2c0990dc9ac66b9c93)
|
|
The CEA extension short video descriptors contain the VIC, which starts
at 1, not 0.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Hector Martin <marcan@marcan.st>
(cherry picked from commit 68556d74b49e99d3490166c446079f7d5de26ca4)
|
|
The trailing \n are just wrong here, __glXEnableExtension wants a string
without them.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
(cherry picked from commit fd0eafb18426da14601d5c0d0a50092c49a7aff8)
|
|
Running Xephyr under valgrind reveals that we're sending some
uninitialized memory over the wire (particularly, the leftover padding
that comes from rounding extraLen to the next 32-bit multiple).
Solve by calloc()ing the memory instead of malloc()ing (the alternative
would be to memset just the padding, but I'm not sure it's more
convenient.)
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit bb766ef11227bd8c71ac65845d1930edd0eda40d)
|
|
This fixes some “Conditional jump depends on uninitialized value(s)”
errors spotted by valgrind.
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
(cherry picked from commit b2167015043a458e9cf93b827b43eb5b7c552ce9)
|
|
I don't know how many times I've had a broken server due to a bad
directory to xkbcomp, and only finding the whole path has shown me
where I went wrong.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 30f4d440ebc3517fdcc1d3c6a422a8fbf3af1f23)
|
|
Historically we didn't need to care about this case but more devices are
having invalid types set and they cannot be unset with a hwdb entry (which
doesn't handle the empty string). Allow for "0" to mean "unset" because
anything else would be crazy anyway.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 5aad81445c8c3d6b7b30d503cfe26027fa482870)
|
|
unsigned_tests[] was used to compute the amount of signed numbers to
test.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 15a32ee5d1fffa171bb05af9a0e5b472e4af1488)
|
|
input.c: In function ‘dix_event_to_core’:
../include/inputstr.h:61:55: warning: ‘*((void *)&ev+80)’ is used uninitialized in this function [-Wuninitialized]
#define SetBit(ptr, bit) (((BYTE *) (ptr))[(bit)>>3] |= (1 << ((bit) & 7)))
^~
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 0bcc65f2bf479c6a74ac70bb5b5181d6834dded6)
|
|
If one misconfigures a ZaphodHeads value (more than 20 characters
without a delimiter), we get an overflow of our buffer. Use
xstrtokenize() instead of writing/fixing our own tokenizer.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 04a305121fbc08ecc2ef345ee7155d6087a43fd1)
|
|
Similar to change cba5a10f, xf86ScreenSetCursor() would dereference ScreenPriv
without NULL checking it. If Option "SWCursor" is specified, ScreenPriv == NULL.
Without this fix, it is observed that setting Option "SWCursor" "on" on the
modesetting driver in a PRIME configuration will segfault the server.
It is important to return success rather than failure in the instance that
ScreenPriv == NULL and pCurs == NullCursor, because otherwise xf86SetCursor()
can fall into infinite recursion: xf86SetCursor(pCurs) calls
xf86ScreenSetCursor(pCurs), and if FALSE, calls xf86SetCursor(NullCursor). If
xf86ScreenSetCursor(NullCursor) returns FALSE, it calls
xf86SetCursor(NullCursor) again and this repeats forever.
Signed-off-by: Alex Goins <agoins@nvidia.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 68d95e759f8b6ebca6bd52e69e6bc34cc174f8ca)
|
|
It looks like offsets calculated during image censoring are wrong.
This results in black (empty) images returns.
This fix is very similar to 6c6f09aac7f1d1367a042087b7681c7fdf1d1e0f
that was applied to XGetImage
Visually this fixes chromium/firefox window sharing in multiscreen
configurations - without this patch most of the windows on 'secodnary'
screens are black.
This also should fix https://bugs.freedesktop.org/show_bug.cgi?id=101730.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 885636b7d42b3c7b151fc386d358184db004ce45)
|
|
We're not wrapping all the ways a cursor can be destroyed, so this array
ends up with stale data. Rather than try harder to wrap more code paths,
just look up the cursor when we need it.
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit aa6651f83c698e8cc40de61aad36c73ca7a6adcf)
|
|
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
|
|
(CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
|
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
|
|
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
|
|
This addresses:
CVE-2017-12180 in XFree86-VidModeExtension
CVE-2017-12181 in XFree86-DGA
CVE-2017-12182 in XFree86-DRI
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
|
|
v2: Use before swap (Jeremy Huddleston Sequoia)
v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
|
|
v2: Add overflow check and remove unnecessary check (Julien Cristau)
This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
|
|
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
|
|
Apparently introduces a regression:
https://bugs.freedesktop.org/103243
This reverts commit 388dc1aeac9acf2d51ad5103570beffd81d78b96.
|
|
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
Later events are sometimes added in front of the queue (e.g.
if page flipping fails) so we need to check the whole queue
on event.
Signed-off-by: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
(cherry picked from commit c2f2b25ab55c67f9f3ad07c02fa746eae7c61196)
|
|
This provides an API wrapper around the kernel interface for queueing
a vblank event, simplifying all of the callers.
v2: Fix missing '|' in computing vbl.request.type
v3: Remove spurious bit of next patch (thanks, Michel Dänzer)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 677c32bcda98a96585bb1f66b57e0755a157b772)
|
|
Generating strings for XKB data used a single shared static buffer,
which offered several opportunities for errors. Use a ring of
resizable buffers instead, to avoid problems when strings end up
longer than anticipated.
Reviewed-by: Michal Srb <msrb@suse.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 94f11ca5cf011ef123bd222cabeaef6f424d76ac)
|
|
XkbStringText escapes non-printable characters using octal numbers. Such escape
sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
in the buffer. Due to char->unsigned int conversion, it would print much longer
string for negative numbers.
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)
|
|
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1)
|
|
gcc/glibc think the snprintf in dmxExecOS() might truncate. Yes, it
might, and we also don't care. Just delete all this.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit d6db66811643d3762716f6b144a7358572216a4f)
|
|
Modern glibc is very insistent that you care about whether write()
succeeds:
../hw/dmx/input/usb-keyboard.c: In function ‘kbdUSBCtrl’:
../hw/dmx/input/usb-keyboard.c:292:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
write(priv->fd, &event, sizeof(event));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 17ad6e5d5616039021455bc821d6ee2497f7ebde)
|
|
[ajax: Fixed test/Makefile.am as well]
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit fbdd73fac68383c93f6f5c6a7615860503039999)
|
|
UDL (usb) devices are blacklisted because of they weird behaviour when
it comes to vblank events. As EVDI uses very similar model of handling
vblanks it should be treated similarly.
When doing a page flip, EVDI does not wait for real vblank, but
simulates it by adding constant delay. It also does not support
DRM_IOCTL_WAIT_VBLANK.
In contrast to UDL, EVDI uses platform devices, thus instead of 'usb' in
path they all have 'platform'.
It is possible to blacklist by 'platform', so without explicitly saying
'evdi', but it might be misleading when it comes to real reason for it.
Signed-off-by: Dawid Kurek <dawid.kurek@displaylink.com>
(cherry picked from commit fbd80b2c8ebe9fd41229dc5438524d107c071ff1)
|
|
Outputs may have NULL mode_output (connector) pointers if the
connector disappears while the server is running. Skip these when
resetting outputs with BAD link status.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 37f4e7651a2fd51efa613a08a1e705553be33e76)
|
|
Despite all the careful planning of the kernel, a link may become
insufficient to handle the currently-set mode. At this point, the
kernel should mark this particular configuration as being broken
and potentially prune the mode before setting the offending connector's
link-status to BAD and send the userspace a hotplug event. This may
happen right after a modeset or later on.
Upon receiving a hot-plug event, we iterate through the connectors to
re-apply the currently-set mode on all the connectors that have a
link-status property set to BAD. The kernel may be able to get the
link to work by dropping to using a lower link bpp (with the same
display bpp). However, the modeset may fail if the kernel has pruned
the mode, so to make users aware of this problem a warning is outputed
in the logs to warn about having a potentially-black display.
This patch does not modify the current behaviour of always propagating
the events to the randr clients. This allows desktop environments to
re-probe the connectors and select a new resolution based on the new
(currated) mode list if a mode disapeared. This behaviour is expected in
order to pass the Display Port compliance tests.
Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
(cherry picked from commit bcee1b76aa0db8525b491485e90b8740763d7de6)
|
|
./hw/xfree86/common/xf86pciBus.c: In function ‘xf86MatchDriverFromFiles’:
../hw/xfree86/common/xf86pciBus.c:1330:52: warning: ‘snprintf’ output may be
truncated before the last format character [-Wformat-truncation=]
snprintf(path_name, sizeof(path_name), "%s/%s", ^~~~~~~
../hw/xfree86/common/xf86pciBus.c:1330:13: note: ‘snprintf’ output between 2
dirent->d_name is 256, so sprintf("%s/%s") into a 256 buffer gives us:
and 257 bytes into a destination of size 256
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 96af794dc648eadcd596893412d7530e92cb5421)
|
|
signal-logging.c:182:12: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit ea82ececbf85a7ac3d0931687f44c57534fde17c)
|
|
[Added HAVE_SYS_SYSMACROS_H guard - ajax]
Signed-off-by: Nick Sarnie <commendsarnex@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 84e3b96b531363e47f6789aacfcae4aa60135e2e)
|
|
glibc would like to stop declaring major()/minor() macros in
<sys/types.h> because that header gets included absolutely everywhere
and unix device major/minor is perhaps usually not what's expected. Fair
enough. If one includes <sys/sysmacros.h> as well then glibc knows we
meant it and doesn't warn, so do that if it exists.
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit d732c36597fab2e9bc4f2aa72cf1110997697557)
|
