The handling of appending/prepending properties was incorrect, with at
least two bugs: the property length was set to the length of the new
part only, i.e. appending or prepending N elements to a property with P
existing elements always resulted in the property having N elements
instead of N + P.
Second, when pre-pending a value to a property, the offset for the old
values was incorrect, leaving the new property with potentially
uninitialized values and/or resulting in OOB memory writes.
For example, prepending a 3 element value to a 5 element property would
result in this 8 value array:
  [N, N, N, ?, ?, P, P, P ] P, P
                            ^OOB write
The XI2 code is a copy/paste of the RandR code, so the bug exists in
both.
CVE-2023-5367, ZDI-CAN-22153
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 541ab2ecd4)
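The two defects described in the commit message above can be replayed as a small model. This is an added example, not code from the commit or from the X server; the enum, struct and function names are constructed for illustration, and the buggy layout is inferred only from the 3-into-5 diagram in the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed names for this example; not the X server's identifiers. */
enum mode { MODE_REPLACE, MODE_PREPEND, MODE_APPEND };
struct layout { size_t total, new_off, old_off, old_cnt; };

/* Correct layout: N new plus P kept elements, blocks placed back to back. */
static struct layout layout_fixed(enum mode m, size_t p, size_t n)
{
    struct layout l = { n, 0, 0, 0 };
    if (m == MODE_REPLACE) return l;
    l.total = n + p;
    l.old_cnt = p;
    if (m == MODE_PREPEND) l.old_off = n;   /* old values follow the new ones */
    else                   l.new_off = p;   /* new values follow the old ones */
    return l;
}

/* Model of the defects in the message: the stored length is N only, and on
 * prepend the old values land at offset P instead of N. */
static struct layout layout_buggy(enum mode m, size_t p, size_t n)
{
    struct layout l = layout_fixed(m, p, n);
    l.total = n;
    if (m == MODE_PREPEND) l.old_off = p;
    return l;
}

/* Replays a layout against a buffer of cap elements without touching memory
 * out of bounds. Returns the number of element writes that would land past
 * the end; *holes receives the number of slots never written. */
static size_t audit(struct layout l, size_t n, size_t cap, size_t *holes)
{
    unsigned char *seen = calloc(cap ? cap : 1, 1);
    size_t oob = 0, i;
    if (!seen) abort();
    for (i = 0; i < n; i++)
        if (l.new_off + i < cap) seen[l.new_off + i] = 1; else oob++;
    for (i = 0; i < l.old_cnt; i++)
        if (l.old_off + i < cap) seen[l.old_off + i] = 1; else oob++;
    for (*holes = 0, i = 0; i < cap; i++) *holes += !seen[i];
    free(seen);
    return oob;
}
int main(void)
{
    size_t holes, oob = audit(layout_buggy(MODE_PREPEND, 5, 3), 3, 8, &holes);
    printf("buggy prepend 3 into 5: %zu OOB, %zu unwritten\n", oob, holes);
    return 0;
}
```

A regression test for property handling can assert the same invariants on the real code path: the resulting length equals N + P, every slot is written, and no write lands past the allocation.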
This is more portable than libbsd as everything Just Works, even on BSD systems,
and is the recommended method of consuming libbsd nowadays.
It also helpfully lets things work with glibc-provided functions for new
enough glibc.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/973
Co-authored-by: Guillem Jover <guillem@hadrons.org>
Signed-off-by: Sam James <sam@gentoo.org>
(cherry picked from commit 94945a5274)
Xwayland maintains a connection to EI up for 10 minutes after an X11
client has vanished, to avoid going through the connection phase every
time a short lived X11 client comes and goes.
However, if the EI client gets freed (through some other event, e.g. the
user decides to terminate the EI session), Xwayland would still keep the
callback alive and end up trying to free an already freed EI client:
  Invalid read of size 4
    at 0x4C5E6F9: object_unref (util-object.h:89)
    by 0x4C5E6F9: ei_unref (libei.c:77)
    by 0x429525: free_ei (xwayland-xtest.c:224)
    by 0x429A6E: disconnect_timer_cb (xwayland-xtest.c:404)
    by 0x5E63FF: DoTimer (WaitFor.c:276)
    by 0x5E6463: DoTimers (WaitFor.c:290)
    by 0x5E6164: check_timers (WaitFor.c:133)
    by 0x5E61E9: WaitForSomething (WaitFor.c:195)
    by 0x4AD50E: Dispatch (dispatch.c:487)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
  Address 0x15cc6ee8 is 8 bytes inside a block of size 240 free'd
    at 0x48452AC: free (vg_replace_malloc.c:974)
    by 0x4C5E729: object_destroy (util-object.h:73)
    by 0x4C5E729: object_unref (util-object.h:91)
    by 0x4C5E729: ei_unref (libei.c:77)
    by 0x429525: free_ei (xwayland-xtest.c:224)
    by 0x42A946: xwl_handle_ei_event (xwayland-xtest.c:804)
    by 0x5EA977: HandleNotifyFd (connection.c:809)
    by 0x5EE8E3: ospoll_wait (ospoll.c:657)
    by 0x5E624D: WaitForSomething (WaitFor.c:208)
    by 0x4AD50E: Dispatch (dispatch.c:487)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
  Block was alloc'd at
    at 0x484782C: calloc (vg_replace_malloc.c:1554)
    by 0x4C5E777: ei_create (libei.c:73)
    by 0x4C5E777: ei_create_context (libei.c:97)
    by 0x42994B: setup_ei (xwayland-xtest.c:366)
    by 0x42A383: xwayland_xtest_send_events (xwayland-xtest.c:658)
    by 0x54ED4C: ProcXTestFakeInput (xtest.c:441)
    by 0x54EE56: ProcXTestDispatch (xtest.c:475)
    by 0x4AD6E6: Dispatch (dispatch.c:546)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
To avoid that issue, make sure to cancel the timer as soon as an EI
client is freed.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
See-also: https://bugzilla.redhat.com/2243076
(cherry picked from commit 9617de733b)
If we fail to setup EI, give up on using EI for XTEST and restore the
default XTEST handlers.
This happens when neither the portal nor the socket backends are usable.
This does not affect the portal operation though, if the user chooses not
to allow a particular client, Xwayland would continue to use EI.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Joshua Ashton <joshua@froggi.es>
(cherry picked from commit 6b56ae68e5)
With EI support wired to XTEST and oeffis being enabled unconditionally,
Xwayland will always go through the XDG portal for XTEST when
supported.
While this is the intended behavior for the general use case of Xwayland
running rootless on a desktop compositor, that breaks when Xwayland is
running on a nested compositor, because the portal is for the entire
session and not limited to the nested Wayland compositor.
Xwayland itself, as a regular Wayland client, has no way to tell that it
is running on a nested compositor.
So to keep backward compatibility with existing (and also common) use
cases such as nested compositors, best is to disable support for the XDG
portal by default, and add a new command line option "-enable-ei-portal"
for the Wayland compositors (who spawn Xwayland rootless) to explicitly
enable support for the input emulation XDG portal in Xwayland.
A Wayland compositor running nested should not use that command line
option with Xwayland.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Joshua Ashton <joshua@froggi.es>
Fixes: a1333342 - xwayland: Add XTEST support using EIS
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1586
See-also: https://gitlab.gnome.org/GNOME/mutter/-/issues/3047
(cherry picked from commit cfcbb075c2)
Some drivers might not support explicit format modifiers. On these
drivers `gbm_bo_create_with_modifiers()` will fail and the
`gbm_bo_create()` code path will be used instead.
In this case, if the LINEAR modifier is advertised (and the INVALID
modifier is not) add the `GBM_BO_USE_LINEAR` flag.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1438
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Signed-off-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit 287638db59)
This can happen if the window has never completed a Present operation.
Fixes: 4230176080 ("xwayland/present: Embed present_vblank_rec in xwl_present_event")
(cherry picked from commit 32c5b2c044)
If there are no quads to draw, then we have a possibility to call
glDrawElements with type as zero, which will generate
GL_INVALID_ENUM error. While this error is harmless, it is annoying.
Signed-off-by: Konstantin <ria.freelander@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit baaddf47d5)
If a client tries to send XTEST events while there is no sendEventsProc
defined for the given device, Xwayland would call into 0x0 and crash.
Make sure the handler is defined before trying to use it, to avoid the
crash.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1574
(cherry picked from commit e820030de2)
We specify a sensible default geometry for decorated rootful windows,
but not for undecorated ones. Make the default geometry apply to rootful
windows in general.
Signed-off-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 8128a21554)
While we now have support for resize of the root window through
libdecor, we still ignore toplevel configure dimensions when libdecor is
not in use. This ignores user intent in many Wayland servers, and some
xdg_toplevel states when active have strong requirements for adherence
to configure dimensions.
Resize in response to xdg_toplevel configure dimensions like we do for
libdecor configure events.
Signed-off-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 53b6d4db7e)
The upcoming handling of plain xdg_toplevel.configure events will need
to use the xwl_window resize helper. Move it outside XWL_HAS_LIBDECOR,
move the remaining dimension logic from handle_libdecor_configure into
it and update the name accordingly.
Signed-off-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 4f869c6eda)
When handling libdecor configure, we first update our xwl output and
screen if dimensions differ from the current xwl_screen, and then commit
a new libdecor frame which acknowledges the xdg_surface.configure event.
If the initial configure event contains non-zero dimensions, we will
update the xwl output before acknowledging the initial configure. As we
attach a buffer and commit the surface when updating the output, this
leads to a protocol error.
Instead, move the surface commit till the end of the configure handler
so it always happens after the ack.
Signed-off-by: Kenny Levinsen <kl@kl.wtf>
(cherry picked from commit 295fb71653)
Similar to commit 94deed272 - "xwayland: Use sensible defaults for
rootful size", mark fullscreen mode as fixed so that the actual monitor
layout is not reflected in the single fullscreen rootful window.
Without this, if "-fullscreen" is used without "-geometry", the XRandR
configuration is taken from the compositor via wl_output/xdg-output and
cannot be changed by the X11 clients.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 34446a9952)
Enforce sensible min/max values for the window size when using libdecor.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 881e1a5693)
This is to avoid repeating the same code in two places.
This is essentially a cosmetic change, not a functional change.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit f19fe9d260)
Allow passing an optional libdecor configuration pointer to
xwl_window_update_libdecor_size() so that we can reuse it from more than
one place and avoid duplicating that code.
No functional change.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit c180eca8ef)
The configure handler in libdecor is triggered any time a new
configuration is received.
According to the documentation from libdecor, an application should
respond to that event by creating a suitable libdecor_state, and apply
it using libdecor_frame_commit().
So we ought to attach a new buffer matching the new size and commit
the Wayland surface.
The actual content of the window does not need to be explicitly
repainted, that occurs through the call to SetRootClip():
  xwl_output_set_mode_fixed()
    -> update_screen_size()
      -> SetRootClip()
        -> miHandleValidateExposures()
          -> miWindowExposures()
            -> miPaintWindow()
This fixes an issue with mutter where maximizing a window and then
switching to another window would sometimes resize the Xwayland window
back to its pre-maximized size, or with Weston where the Xwayland window
would initially show up black until the pointer moves to the window.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 6d00c2bc10)
This moves the code which updates the XRandR modes and sets the root
window size to its own function.
This is preparation work for the next commit, no functional change.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit e37539e1e2)
The configure handler for libdecor, namely handle_libdecor_configure(),
is where both the content and the decorations get resized (when needed).
If for any reason, the actual size of the Xwayland screen fails to be
updated, we would still apply the expected size rather than the actual
one for the libdecor state.
To avoid this, use the actual xwl_screen width/height for the libdecor
state.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit cda004c2a9)
For libdecor, we will have to attach a new buffer and commit from two
different handlers (libdecor configure and commit).
Having xwl_window_attach_buffer() separate from xwl_window_post_damage()
is to allow for that.
This commit should not introduce any functional change.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
(cherry picked from commit 8bbd908d1d)
glamor ensures that a depth 32 pixmap backing a depth 24 window contains
fully opaque alpha channel values for the window's pixels, so we can
allow this without implicit redirection, saving pixmap storage and
intermediate copies.
Second attempt, after fixing a few regressions from the first attempt.
(cherry picked from commit 4bb1f976d5)
Consider the following window hierarchy, from ancestors to descendants:
A
|
B
|
C
If both A & C have depth 32, but B has depth 24, C must effectively
behave as if it had depth 24, even if its backing pixmap has depth 32
as well.
Fixes the xmag issue described in the GitLab issue below.
Issue: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1564
(cherry picked from commit 3e044b1e64)
We're keeping it for unit tests, but we don't want to ship it from this
branch.
Also disable Xvfb in CI for ninja test. It's still built and used for
unit tests as part of ninja dist, but we don't want to run XTS on Xvfb.
(cherry picked from commit 0408fcb329)
And simplify build_glamor logic, we don't need the separate
glamor_option variable anymore.
(cherry picked from commit fdc61c5a3c)
(cherry picked from commit 274d54d1c3)
If "-decorate" is used but no "-geometry" is specified, Xwayland rootful
would take its size from the actual Wayland outputs combined.
That is not practical, especially when using multiple outputs, as the
resulting Xwayland window would be much larger than a single monitor.
To avoid that, set a sensible default size for the Xwayland decorate
window, using 640x480 to match what Xephyr does.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
libdecor support seems quite stable, no need to mark that experimental.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
By default, the Xwayland window in rootful mode was not resizable.
Make the Xwayland window resizable using libdecor in rootful mode.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
This is preparation work for making Xwayland rootful resizeable.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
glamor ensures that a depth 32 pixmap backing a depth 24 window contains
fully opaque alpha channel values for the window's pixels, so we can
allow this without implicit redirection, saving pixmap storage and
intermediate copies.
This will be needed with the next commit: If a child window completely
obscures a toplevel ancestor of different depth, the child window can
use page flipping only if the depth of the presented pixmap matches that
of the window's backing pixmap, or the former may contain pixel values
which are not suitable for the toplevel window's depth.