Similarly to bb766ef112, ensure that the
extra padding is set to 0.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
(cherry picked from commit fb5ee77b91)
If the context is direct, none of the GL commands were issued by this
process, the server couldn't flush them even if it wanted to.
v2: Fix embarrassingly obvious boolean inversion (Michel Dänzer)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
(cherry picked from commit 307c124d6b)
The CEA extension short video descriptors contain the VIC, which starts
at 1, not 0.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Hector Martin <marcan@marcan.st>
(cherry picked from commit 68556d74b4)
The trailing \n are just wrong here, __glXEnableExtension wants a string
without them.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
(cherry picked from commit fd0eafb184)
Running Xephyr under valgrind reveals that we're sending some
uninitialized memory over the wire (particularly, the leftover padding
that comes from rounding extraLen to the next 32-bit multiple).
Solve by calloc()ing the memory instead of malloc()ing (the alternative
would be to memset just the padding, but I'm not sure it's more
convenient.)
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit bb766ef112)
This fixes some “Conditional jump depends on uninitialized value(s)”
errors spotted by valgrind.
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
(cherry picked from commit b216701504)
I don't know how many times I've had a broken server due to a bad
directory to xkbcomp, and only finding the whole path has shown me
where I went wrong.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 30f4d440eb)
Historically we didn't need to care about this case but more devices are
having invalid types set and they cannot be unset with a hwdb entry (which
doesn't handle the empty string). Allow for "0" to mean "unset" because
anything else would be crazy anyway.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 5aad81445c)
unsigned_tests[] was used to compute the amount of signed numbers to
test.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 15a32ee5d1)
input.c: In function ‘dix_event_to_core’:
../include/inputstr.h:61:55: warning: ‘*((void *)&ev+80)’ is used uninitialized in this function [-Wuninitialized]
#define SetBit(ptr, bit) (((BYTE *) (ptr))[(bit)>>3] |= (1 << ((bit) & 7)))
^~
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 0bcc65f2bf)
If one misconfigures a ZaphodHeads value (more than 20 characters
without a delimiter), we get an overflow of our buffer. Use
xstrtokenize() instead of writing/fixing our own tokenizer.
Signed-off-by: Daniel Martin <consume.noise@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
(cherry picked from commit 04a305121f)
Similar to change cba5a10f, xf86ScreenSetCursor() would dereference ScreenPriv
without NULL checking it. If Option "SWCursor" is specified, ScreenPriv == NULL.
Without this fix, it is observed that setting Option "SWCursor" "on" on the
modesetting driver in a PRIME configuration will segfault the server.
It is important to return success rather than failure in the instance that
ScreenPriv == NULL and pCurs == NullCursor, because otherwise xf86SetCursor()
can fall into infinite recursion: xf86SetCursor(pCurs) calls
xf86ScreenSetCursor(pCurs), and if FALSE, calls xf86SetCursor(NullCursor). If
xf86ScreenSetCursor(NullCursor) returns FALSE, it calls
xf86SetCursor(NullCursor) again and this repeats forever.
Signed-off-by: Alex Goins <agoins@nvidia.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 68d95e759f)
It looks like offsets calculated during image censoring are wrong.
This results in black (empty) images being returned.
This fix is very similar to 6c6f09aac7
that was applied to XGetImage.
Visually this fixes chromium/firefox window sharing in multiscreen
configurations - without this patch most of the windows on 'secondary'
screens are black.
This also should fix https://bugs.freedesktop.org/show_bug.cgi?id=101730.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 885636b7d4)
We're not wrapping all the ways a cursor can be destroyed, so this array
ends up with stale data. Rather than try harder to wrap more code paths,
just look up the cursor when we need it.
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit aa6651f83c)
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d088e3c128)
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 9c23685009)
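The underflow described in the commit message above, next to a checked version, as an added example (not the X server's code). It assumes the big-request length counts 4-byte words including the extra length word, and that `bytes_received` is the size of the request as received; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Arithmetic from the commit message: drop the extra length word
 * without looking at the value first. */
uint32_t corrected_len_unchecked(uint32_t big_len_words)
{
    return big_len_words - 1;   /* a length of 0 wraps to 0xFFFFFFFF */
}

/* Checked variant (assumed policy, not the upstream fix): a big request
 * needs at least the 4-byte core header plus the 4-byte extended length,
 * and must not claim more data than was actually received.
 * Returns 0 and stores the corrected length, or -1 to reject. */
int corrected_len_checked(uint32_t big_len_words, size_t bytes_received,
                          uint32_t *out_words)
{
    if (big_len_words < 2)
        return -1;              /* 0 or 1 would underflow or lose the header */

    /* Multiply in 64 bits so a huge length cannot wrap the comparison. */
    if ((uint64_t) big_len_words * 4 > (uint64_t) bytes_received)
        return -1;

    *out_words = big_len_words - 1;
    return 0;
}
```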
Later events are sometimes added in front of the queue (e.g.
if page flipping fails) so we need to check the whole queue
on event.
Signed-off-by: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
(cherry picked from commit c2f2b25ab5)
This provides an API wrapper around the kernel interface for queueing
a vblank event, simplifying all of the callers.
v2: Fix missing '|' in computing vbl.request.type
v3: Remove spurious bit of next patch (thanks, Michel Dänzer)
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 677c32bcda)
Generating strings for XKB data used a single shared static buffer,
which offered several opportunities for errors. Use a ring of
resizable buffers instead, to avoid problems when strings end up
longer than anticipated.
Reviewed-by: Michal Srb <msrb@suse.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 94f11ca5cf)
XkbStringText escapes non-printable characters using octal numbers. Such an escape
sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
in the buffer. Due to char->unsigned int conversion, it would print a much longer
string for negative numbers.
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit eaf1f72ed8)
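The sign-extension problem described in the commit message above, as an added example (not the XkbStringText source). It assumes a 32-bit `unsigned int`; the function names and `ESC_RESERVE` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ESC_RESERVE 5   /* "\0123": the space the commit message says is reserved */

/* Length of the escape when a negative char is converted straight to
 * unsigned int: the value is sign-extended before it is printed. */
int esc_len_sign_extended(signed char c)
{
    return snprintf(NULL, 0, "\\0%o", (unsigned int) c);
}

/* Escape non-printable bytes of `in` into `out` (capacity `outsz`).
 * Every byte goes through unsigned char first, so an escape is never
 * longer than ESC_RESERVE. Returns the output length, or -1 if the
 * text does not fit. */
int escape_text(const char *in, char *out, size_t outsz)
{
    size_t used = 0;

    for (; *in != '\0'; in++) {
        unsigned char b = (unsigned char) *in;   /* 0..255, no sign extension */

        if (isprint(b)) {
            if (used + 2 > outsz)                /* byte + terminating NUL */
                return -1;
            out[used++] = (char) b;
        } else {
            if (used + ESC_RESERVE + 1 > outsz)  /* escape + terminating NUL */
                return -1;
            used += (size_t) snprintf(out + used, outsz - used,
                                      "\\0%o", (unsigned int) b);
        }
    }
    if (used >= outsz)
        return -1;
    out[used] = '\0';
    return (int) used;
}
```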
Otherwise it can belong to a non-existing client and abort X server with
FatalError "client not in use", or overwrite existing segment of another
existing client.
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit b95f25af14)
gcc/glibc think the snprintf in dmxExecOS() might truncate. Yes, it
might, and we also don't care. Just delete all this.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit d6db668116)
Modern glibc is very insistent that you care about whether write()
succeeds:
../hw/dmx/input/usb-keyboard.c: In function ‘kbdUSBCtrl’:
../hw/dmx/input/usb-keyboard.c:292:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
write(priv->fd, &event, sizeof(event));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 17ad6e5d56)
UDL (usb) devices are blacklisted because of their weird behaviour when
it comes to vblank events. As EVDI uses a very similar model of handling
vblanks, it should be treated similarly.
When doing a page flip, EVDI does not wait for real vblank, but
simulates it by adding constant delay. It also does not support
DRM_IOCTL_WAIT_VBLANK.
In contrast to UDL, EVDI uses platform devices, thus instead of 'usb' in
path they all have 'platform'.
It is possible to blacklist by 'platform', so without explicitly saying
'evdi', but it might be misleading when it comes to real reason for it.
Signed-off-by: Dawid Kurek <dawid.kurek@displaylink.com>
(cherry picked from commit fbd80b2c8e)
Outputs may have NULL mode_output (connector) pointers if the
connector disappears while the server is running. Skip these when
resetting outputs with BAD link status.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 37f4e7651a)
Despite all the careful planning of the kernel, a link may become
insufficient to handle the currently-set mode. At this point, the
kernel should mark this particular configuration as being broken
and potentially prune the mode before setting the offending connector's
link-status to BAD and send the userspace a hotplug event. This may
happen right after a modeset or later on.
Upon receiving a hot-plug event, we iterate through the connectors to
re-apply the currently-set mode on all the connectors that have a
link-status property set to BAD. The kernel may be able to get the
link to work by dropping to using a lower link bpp (with the same
display bpp). However, the modeset may fail if the kernel has pruned
the mode, so to make users aware of this problem a warning is outputted
in the logs to warn about having a potentially-black display.
This patch does not modify the current behaviour of always propagating
the events to the randr clients. This allows desktop environments to
re-probe the connectors and select a new resolution based on the new
(curated) mode list if a mode disappeared. This behaviour is expected in
order to pass the Display Port compliance tests.
Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
(cherry picked from commit bcee1b76aa)
dirent->d_name is 256, so sprintf("%s/%s") into a 256 buffer gives us:
./hw/xfree86/common/xf86pciBus.c: In function ‘xf86MatchDriverFromFiles’:
../hw/xfree86/common/xf86pciBus.c:1330:52: warning: ‘snprintf’ output may be
truncated before the last format character [-Wformat-truncation=]
snprintf(path_name, sizeof(path_name), "%s/%s", ^~~~~~~
../hw/xfree86/common/xf86pciBus.c:1330:13: note: ‘snprintf’ output between 2
and 257 bytes into a destination of size 256
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 96af794dc6)
signal-logging.c:182:12: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit ea82ececbf)
[Added HAVE_SYS_SYSMACROS_H guard - ajax]
Signed-off-by: Nick Sarnie <commendsarnex@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 84e3b96b53)
glibc would like to stop declaring major()/minor() macros in
<sys/types.h> because that header gets included absolutely everywhere
and unix device major/minor is perhaps usually not what's expected. Fair
enough. If one includes <sys/sysmacros.h> as well then glibc knows we
meant it and doesn't warn, so do that if it exists.
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit d732c36597)
The meson build gives me:
../os/utils.c: In function ‘LockServer’:
../os/utils.c:310:40: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
^~~~~~~~~
../os/utils.c:310:5: note: ‘snprintf’ output between 12 and 13 bytes into a destination of size 12
snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Which seems to be due to the %d part meaning that a negative number's -
sign would be one wider than we're expecting. Fine, just coerce it to
unsigned.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit aabf65d2a0)
glamor_compute_transform_clipped_regions() uses a temporary box32
internally which is copied back to a box16 to init the regions16,
thus causing a potential overflow.
If an overflow occurs, the given region is invalid and the pixmap
init region will fail.
Simply check that the coordinates won't overflow when copying back to
the box16, avoiding a crash later down the line in glamor.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Tested-by: Fabrice Bellet <fabrice@bellet.info>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 9869dcb349)
COMPOSITE_REGION() can pass NULL as a source picture, make sure we
handle that nicely in both glamor_composite_clipped_region() and
glamor_composite_choose_shader().
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit bd353e9b84)
Xwayland would crash in some circumstances while trying to issue a
pointer locking when the cursor is hidden when there is no seat focus
window set.
The crash signature looks like:
#0 zwp_pointer_constraints_v1_lock_pointer ()
#1 xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
#2 xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
#3 xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
#4 xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
#5 xwl_set_cursor () at xwayland-cursor.c:245
#6 miPointerUpdateSprite () at mipointer.c:468
#7 miPointerDisplayCursor () at mipointer.c:206
#8 CursorDisplayCursor () at cursor.c:150
#9 AnimCurDisplayCursor () at animcur.c:220
#10 ChangeToCursor () at events.c:936
#11 ActivatePointerGrab () at events.c:1542
#12 GrabDevice () at events.c:5120
#13 ProcGrabPointer () at events.c:4908
#14 Dispatch () at dispatch.c:478
#15 dix_main () at main.c:276
xwl_pointer_warp_emulator_lock() tries to use the surface from the
xwl_seat->focus_window leading to a NULL pointer dereference when that
value is NULL.
Check that xwl_seat->focus_window is not NULL earlier in the stack in
xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
to avoid the crash.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit cdd0352ba0)
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 211e05ac85)
Copied from Mesa with no modifications.
Gives us Coffee Lake and Cannon Lake PCI IDs.
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Acked-by: Kenneth Graunke <kenneth@whitecape.org>
(cherry picked from commit abb031e731)
... where it is named src/egl/wayland/wayland-drm/wayland-drm.xml and
has its requests sorted by protocol version number, avoiding a warning
from wayland-scanner.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
(cherry picked from commit 04511a0476)
Currently, RRCrtcPendingTransform returns false unless the
transformation matrix itself is changing. This makes RRCrtcSet skip
doing anything if the only thing that is changing is the transform
filter.
There's already a function for comparing RRTransformPtrs, so use that
instead.
Tested by running
xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter nearest
followed by
xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter bilinear
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
(cherry picked from commit 091af80be4)
The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
it is assuming that the event has fixed size and gives the swapping function
xEvent-sized buffer.
A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
Signed-off-by: Michal Srb <msrb@suse.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit ba336b2405)