glamor_sync.c calls miSyncShmScreenInit if HAVE_XSHMFENCE is defined,
but it was only being built if either dri3 or xwayland were enabled.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2070>
(cherry picked from commit a8f8ec7e7d)
For cpu_family(), meson returns "sparc" for 32-bit sparc,
and "sparc64" for 64-bit sparc, regardless of the OS in use.
For cpu(), meson returns values like "sun4v" on Solaris/SPARC,
and doesn't promise stability of the values, or portability across
OS'es, unlike cpu_family().
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 908f0a488d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2077>
Simple confirmation of known values, not exhaustive testing.
Tested with SHA-1 implementations from:
- libcrypto (OpenSSL 3)
- libgcrypt
- libnettle
- Solaris libmd
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2066>
(cherry picked from commit 7013984b5f)
In the doListFontsWithInfo function in dixfonts.c, when a font alias is
encountered (err == FontNameAlias), the code saves the current state
and allocates memory for c->savedName.
If the malloc(namelen + 1) call fails, c->savedName remains NULL,
but c->haveSaved is still set to TRUE. Later, when a font is
successfully resolved (err == Successful), the code uses c->savedName
without checking if it is NULL, so there is potential null ptr
dereference. XNFalloc will check result of malloc and stop
program execution if allocation was failed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1842
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2062>
(cherry picked from commit dd5c2595a4)
The LogVHdrMessageVerb function may access an array out of bounds in a
specific edge case. Specifically, the line:
newline = (buf[len - 1] == '\n');
can result in accessing buf[-1] if len == 0, which is undefined behavior.
Commit adds check to avoid access out of bounds at pointed line.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1841
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2061>
(cherry picked from commit 8d25a89143)
Commit d36f66f15d ("Check for duplicate output names") would walk the
list of existing outputs and leases to check that no other existing
output has the same name.
The change however, inadvertently reused the regular screen outputs when
searching the leased names.
Fix this by using the lease name, not the regular output names that we
already checked just above.
Found by SAST tool Svace.
Fixes: d36f66f15d - xwayland: Check for duplicate output names
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1843
Reviewed-by Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2063>
(cherry picked from commit b096785df4)
Commit 54f8fc4090 introduced the use of
wl_surface::set_buffer_scale, which is only available starting with
version 3 of the wl_compositor protocol. Because we already prefer
version 4 when available, this went unnoticed but broke versions 1, 2
and 3 when reaching the wl_surface::set_buffer_scale call.
This restores functionality for version 3 and properly document that
versions 1 and 2 are not supported anymore.
Signed-off-by: Nicolas Guichard <nicolas.guichard@kdab.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1862>
(cherry picked from commit bcc0587ab9)
The commit referenced below partially resolved an issue with grabs being made
on the root window. Unfortunately it assumes that the application uses
the same client for all windows. VMware Workstation uses nested windows
for each VM, each of which runs its own process with this own client.
Theses windows are managed by the GUI which is the top level for the
application and maps the windows based on which tab is selected.
Because the VM windows issue a grab on the root window and don't share
the same client as the GUI, grabs don't work properly with global shortcut
inhibition being completely broken.
Getting the parent top-level of the nested windows fixes this issue.
Fixes: c7730cfe55 ("xwayland: Translate keyboard grabs on the root window")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2016>
(cherry picked from commit afc8b781d8)
CI meson-disable-options builds were failing with:
../hw/xwayland/xwayland-screen.c: In function ‘xwl_close_screen’:
../hw/xwayland/xwayland-screen.c:246:5: error: implicit declaration of
function ‘XaceDeleteCallback’; did you mean ‘DeleteCallback’?
[-Werror=implicit-function-declaration]
246 | XaceDeleteCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, screen);
| ^~~~~~~~~~~~~~~~~~
| DeleteCallback
../hw/xwayland/xwayland-screen.c:246:24: error: ‘XACE_PROPERTY_ACCESS’
undeclared (first use in this function)
246 | XaceDeleteCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, screen);
| ^~~~~~~~~~~~~~~~~~~~
../hw/xwayland/xwayland-screen.c: In function ‘xwl_screen_init’:
../hw/xwayland/xwayland-screen.c:1174:5: error: implicit declaration of
function ‘XaceRegisterCallback’ [-Werror=implicit-function-declaration]
1174 | XaceRegisterCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, pScreen);
| ^~~~~~~~~~~~~~~~~~~~
../hw/xwayland/xwayland-screen.c:1174:26: error: ‘XACE_PROPERTY_ACCESS’
undeclared (first use in this function)
1174 | XaceRegisterCallback(XACE_PROPERTY_ACCESS, xwl_access_property_callback, pScreen);
| ^~~~~~~~~~~~~~~~~~~~
Fixes: a07c2cda9 ("xwayland: Add an XACE property access handler")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2056>
(cherry picked from commit 48acd1ae78)
CI meson-disable-options builds were failing with:
../hw/xfree86/drivers/modesetting/driver.c:127:5: error: ‘ms_device_match’
undeclared here (not in a function)
127 | ms_device_match,
| ^~~~~~~~~~~~~~~
../hw/xfree86/drivers/modesetting/driver.c: In function ‘ms_get_drm_master_fd’:
../hw/xfree86/drivers/modesetting/driver.c:1179:19: error: variable ‘pEnt’
set but not used [-Werror=unused-but-set-variable]
1179 | EntityInfoPtr pEnt;
| ^~~~
../hw/xfree86/drivers/modesetting/driver.c: At top level:
../hw/xfree86/drivers/modesetting/driver.c:84:13: error: ‘ms_pci_probe’
used but never defined [-Werror]
84 | static Bool ms_pci_probe(DriverPtr driver,
| ^~~~~~~~~~~~
../hw/xfree86/drivers/modesetting/driver.c:313:1: error: ‘probe_hw_pci’
defined but not used [-Werror=unused-function]
313 | probe_hw_pci(const char *dev, struct pci_device *pdev)
| ^~~~~~~~~~~~
Fixes: a72bdf170 ("modesetting: rewrite probing based on fbdev.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2056>
(cherry picked from commit ec14ecf751)
Building with -Dxace=false was generating many failures of the form:
../dix/cursor.c: In function ‘AllocARGBCursor’:
../dix/cursor.c:281:10: error: implicit declaration of function
‘XaceHookResourceAccess’; did you mean ‘XaceHookPropertyAccess’?
[-Werror=implicit-function-declaration]
281 | rc = XaceHookResourceAccess(client, cid, X11_RESTYPE_CURSOR,
| ^~~~~~~~~~~~~~~~~~~~~~
| XaceHookPropertyAccess
Fixes: ae3c57333 ("xace: typesafe hook function for XACE_RESOURCE_ACCESS")
Fixes: 9524ffee8 ("xace: typesafe hook function for XACE_DEVICE_ACCESS")
Fixes: 67e468c8b ("xace: typesafe hook function for XACE_SEND_ACCESS")
Fixes: 3dfe00d5e ("xace: typesafe hook function for XACE_RECEIVE_ACCESS")
Fixes: 922b7685d ("xace: typesafe hook function for XACE_CLIENT_ACCESS")
Fixes: 0f6bb23bc ("xace: typesafe hook function for XACE_EXT_ACCESS")
Fixes: 47d6c3ad7 ("xace: typesafe hook function for XACE_SERVER_ACCESS")
Fixes: 51d8bcfc0 ("xace: typesafe hook function for XACE_SCREEN_ACCESS")
Fixes: 305f2d59d ("xace: typesafe hook function for XACE_SCREENSAVER_ACCESS")
Fixes: 591d95c79 ("xace: typesafe hook function for XACE_AUTH_AVAIL")
Fixes: facdaae4e ("xace: typesafe hook function for XACE_KEY_AVAIL")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2056>
(cherry picked from commit 8bbf497e22)
We have too many options to run an exhaustive matrix of the combinations,
but this should at least help us catch code that won't compile in many
of the ifdef paths we don't go down in the default configs.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2056>
(cherry picked from commit 6f6a635363)
Build breaks with gcc 14 & later when xf86bigfont is enabled:
../Xext/xf86bigfont.c: In function ‘XFree86BigfontExtensionInit’:
../Xext/xf86bigfont.c:709:28: error: implicit declaration of function
‘xfont2_allocate_font_private_index’;
did you mean ‘AllocateFontPrivateIndex’? [-Wimplicit-function-declaration]
709 | FontShmdescIndex = xfont2_allocate_font_private_index();
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| AllocateFontPrivateIndex
Fixes: 05a793f5b ("dix: Switch to the libXfont2 API (v2)")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2053>
(cherry picked from commit 0617f6075b)
In most typical Linux X servers (like Xvfb, Xephyr, or Xwayland),
no child process outlives the server, so this issue rarely arises.
However, in embedded X servers (based on Xvfb or Kdrive) or in
custom Xorg modules, the server might launch a long-running command
with regular fork+exec calls. If the X server crashes or exits while
that command is still running (for example, it spawns a tombstone
generator or any process that hangs or turns to zombie), the file
descriptor associated with the abstract socket can remain open in the
child process. This leads to the kernel refusing to allow another X
server to bind the same socket until the child process terminates
(because there is no explicit way to unlink abstract socket, unlike
Unix socket). By marking the file descriptor as close-on-exec, we
ensure it is automatically closed in child processes, preserving the
ability of a new X server process to bind the socket immediately.
Signed-off-by: Twaik Yont <9674930+twaik@users.noreply.github.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1906>
(cherry picked from commit 5568b0f83f)
Previously, when parsing multiple configuration files containing the same
section names, only the last occurrence of each section would be retained.
Earlier definitions were silently discarded due to unconditional memory
allocation and overwriting of pointers during parsing.
This resulted in incomplete or incorrect configuration state when users
intended to merge or extend configuration through multiple files.
The section parsing functions in Files.c, Flags.c, and Module.c now
accept existing section pointers. These functions allocate new memory only
if the input pointer is NULL, preserving earlier data when re-parsing.
read.c has been updated to detect and pass existing section pointers when
encountering duplicate sections across files, preventing loss of prior content.
With these changes, the parser properly accumulates and merges configuration
data across multiple files, ensuring that all relevant settings are preserved.
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/467
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2045>
(cherry picked from commit 9b6f72395a)
Previously we leaked stack when invalid enum parameters were
specified and caused __glGet*_size functions to return a 0 size.
Further, we read out-of-bounds (and leaked) when the input data was less
than 8 bytes (__glXDispSwap_GetFramebufferAttachmentParameteriv and
__glXDisp_GetRenderbufferParameteriv).
Now we only write a single element in the reply padding, and only when there
is a single element. This is what the Mesa client-side libGL expects, and
restores original GLX server behaviour, matching both pre-public (1996) SGI GLX
and XFree86 4.
The main risk of this change is if we have any error in element count or size;
previously it may not have mattered but now it does.
There are no piglit result changes from this modification using either mesa
libGLX or NVIDIA libGLX.
For performance considerations, an extra conditional and variable-length
memcpy has no meaningful impact on the indirect rendering pipeline cost.
There is still the possiblity to leak if our size checks allow an enum that
the GL implemention does not. Guarding against that requires zero-initializing
all temp storage, which wants re-evaluation of the blind 200-byte buffers
used for many calls and thus is a much bigger change.
Signed-off-by: Nathan Kidd <nkidd@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1647>
(cherry picked from commit a4df686888)
The callers of these functions were casting -1 to unsigned and then
using 4GB indexes. By returning 0 we match all the other size functions.
GLX size functions return -1 to indicate error, but GL size functions return 0.
Signed-off-by: Nathan Kidd <nkidd@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1647>
(cherry picked from commit 29cfcf5259)
The EXT_blend_func_extended extension on ESSL always requires explicit
request to allow two FS out variables because of limitations of the ESSL
language, which is mentioned as the No.6 issue of the extension's
specification.
Fix this by adding the extension request.
The original behavior on GLES3 is slightly against the specification of
GL_EXT_blend_func_extended extension, however Mesa and older version of
PowerVR closed drivers will just ignore this issue. Newest PowerVR
closed driver will bail out on this problem, so it deems a fix now.
Fixes: ee107cd491 ("glamor: support GLES3 shaders")
Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1750>
(cherry picked from commit eba15f1ba7)
Xwayland dispatches tablet tool tip events immediately when they arrive.
With compositors such as mutter and sway, it is not an issue because
their libinput backends synthetize axis events before tip events. In
other words, axis data and the tip status belong to different frames.
On the other hand, kwin sends axis and tip events in a single frame
(its libinput backend generates a single tip event with axis data
attached to it). Since the tip events are dispatched immediately,
they can have wrong information associated with them, for example tool
position or pressure. It results in undesired "streaks" when the user
presses the tablet tool against the tablet.
See also https://bugs.kde.org/show_bug.cgi?id=479856.
Signed-off-by: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2032>
(cherry picked from commit 60f0bfe852)
When changing the RandR provider property, if the property does not
already exists, it is created.
In case of error, however, it doesn't get freed, leading to a leak of
the allocated property.
Make sure to free the RandR property in case of error if was to be
added.
Found by OpenScanHub.
Fixes: 3c3a4b767 - randr: Check for overflow in RRChangeProviderProperty()
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2035>
(cherry picked from commit c34f59ee15)
Check for another possible integer overflow once we get a complete xReq
with BigRequest.
Related to CVE-2025-49176
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
(cherry picked from commit 4fc4d76b2c)
Changing XRandR provider properties if the driver has set no provider
function such as the modesetting driver will cause a NULL pointer
dereference and a crash of the Xorg server.
Related to CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 0235121c6a)
A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().
To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.
CVE-2025-49180
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 3c3a4b767b)
The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.
A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.
To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than an maximum integer value) and
the number of protocol ranges (multiplied by the record length) do not
exceed the maximum integer value.
This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.
CVE-2025-49179
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2bde9ca49a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
When reading requests from the clients, the input buffer might be shared
and used between different clients.
If a given client sends a full request with non-zero bytes to ignore,
the bytes to ignore may still be non-zero even though the request is
full, in which case the buffer could be shared with another client who's
request will not be processed because of those bytes to ignore, leading
to a possible hang of the other client request.
To avoid the issue, make sure we have zero bytes to ignore left in the
input request when sharing the input buffer with another client.
CVE-2025-49178
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit d55c54cecb)
The handler of XFixesSetClientDisconnectMode does not check the client
request length.
A client could send a shorter request and read data from a former
request.
Fix the issue by checking the request size matches.
CVE-2025-49177
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit ab02fb96b1)
The BigRequest extension allows requests larger than the 16-bit length
limit.
It uses integers for the request length and checks for the size not to
exceed the maxBigRequestSize limit, but does so after translating the
length to integer by multiplying the given size in bytes by 4.
In doing so, it might overflow the integer size limit before actually
checking for the overflow, defeating the purpose of the test.
To avoid the issue, make sure to check that the request size does not
overflow the maxBigRequestSize limit prior to any conversion.
The caller Dispatch() function however expects the return value to be in
bytes, so we cannot just return the converted value in case of error, as
that would also overflow the integer size.
To preserve the existing API, we use a negative value for the X11 error
code BadLength as the function only return positive values, 0 or -1 and
update the caller Dispatch() function to take that case into account to
return the error code to the offending client.
CVE-2025-49176
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 03731b326a)
Animated cursors use a series of cursors that the client can set.
By default, the Xserver assumes at least one cursor is specified
while a client may actually pass no cursor at all.
That causes an out-of-bound read creating the animated cursor and a
crash of the Xserver:
| Invalid read of size 8
| at 0x5323F4: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
| at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
| by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
|
| Invalid read of size 2
| at 0x5323F7: AnimCursorCreate (animcur.c:325)
| by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
| by 0x52DC80: ProcRenderDispatch (render.c:1999)
| by 0x4A1E9D: Dispatch (dispatch.c:560)
| by 0x4B0169: dix_main (main.c:284)
| by 0x4287F5: main (stubmain.c:34)
| Address 0x8 is not stack'd, malloc'd or (recently) free'd
To avoid the issue, check the number of cursors specified and return a
BadValue error in both the proc handler (early) and the animated cursor
creation (as this is a public function) if there is 0 or less cursor.
CVE-2025-49175
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
(cherry picked from commit 0885e0b262)
Xwayland has its own XYToWindow() handler to account for the case when
the pointer leaves an X11 surface to enter another Wayland native
window.
When that occurs, Xwayland will treat it as if the pointer had entered
the root window so that the X11 clients receive an appropriate leave
event.
When the pointer leaves the X11 surface, Xwayland will call
CheckMotion() to update the sprite coordinates and possibly the cursor.
However, if we left the surface with a button down, it means the wayland
compositor has grabbed the pointer so we will not get button release
events from the compositor.
Once the button is released, Xwayland will get a pointer enter event from
the compositor, and Xwayland will clear up the buttons pressed.
But that might confuse Xwayland in thinking the pointer has crossed the
windows and leave the wrong cursor showing in the X11 surface.
To avoid the issue, if buttons are down, do not pretend the cursor has
left the X11 surface for the root window.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1811
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2008>
(cherry picked from commit 8cb078f8b6)
