Needed to build with IPv6 disabled using gcc 14 on some platforms to avoid:
In file included from /usr/X11/include/X11/Xtrans/transport.c:67,
from xstrans.c:17:
/usr/X11/include/X11/Xtrans/Xtranssock.c: In function ‘_XSERVTransSocketOpen’:
/usr/X11/include/X11/Xtrans/Xtranssock.c:467:28: error: passing argument 5
of ‘getsockopt’ from incompatible pointer type [-Wincompatible-pointer-types]
467 | (char *) &val, &len) == 0 && val < 64 * 1024)
| ^~~~
| |
| size_t * {aka long unsigned int *}
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit a1b5aa5a7f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries. The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.
Found by Oracle Parfait 13.3 static analyzer:
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data_raw[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.
Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b65eea43dd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
Found by Oracle Parfait 13.3 static analyzer:
Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
size 24 is written at an offset of 28
Array size is 28 bytes, index is 32
at line 743 of dix/enterleave.c in function
'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 4b073d65bb)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer pVisual
at line 257 of dix/colormap.c in function 'CreateColormap'.
Null pointer introduced at line 412 of render/picture.c in
function 'PictureFindVisual'.
Constant 'NULL' passed into function CreateColormap, argument
pVisual, from call at line 431 in function
'PictureInitIndexedFormat'.
Function PictureFindVisual may return constant 'NULL' at
line 412, called at line 429.
Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7af077dd2f)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
The comments in that function say "This only happens if master is a
slave device. don't do that" but static analysis doesn't respect that.
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestptr
at line 274 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 273 of Xi/xichangehierarchy.c in function
'remove_master'.
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestkeybd
at line 279 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 278 of Xi/xichangehierarchy.c in function
'remove_master'.
Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d10589cc09)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
eglCreateSyncKHR takes ownership of the file descriptor. Noticed by
inspection.
While we're at it, move the fence_fd declaration to the scope where
it's used.
Last but not least, close the fd in xwl_glamor_wait_fence when bailing
before calling eglCreateSyncKHR, and document that it takes ownership.
(cherry picked from commit 91b5a003a5)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
The comment at the top of the function tells humans the fallthroughs
are intentional, but gcc doesn't parse that.
Clears 3 -Wimplicit-fallthrough warnings from gcc 14.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b306df5a60)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1766>
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
CVE-2024-9632, ZDI-CAN-24756
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit 85b7765714)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1735>
using EGL (e.g., eglQueryString, epoxy_has_egl_extension)
before establishing this connection
enables the GBM/EGL implementation to potentially consume the
WAYLAND_SOCKET fd, which, if closed, will cause the compositor
to kill this xserver
(cherry picked from commit ff8ec59c97)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
The install_demo meson_option was added in
libdecor/libdecor@7106f5e329
which is in the 0.1.1 tag, but not 0.1.0.
If we upgrade the version of meson used in the CI to 1.0.0, then it fails
to build libdecor 0.1.0 with: ERROR: Unknown options: "install_demo"
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 32adf434b7)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
Clears warning from gcc 14.1:
../dix/resource.c: In function ‘HashResourceID’:
../dix/resource.c:691:44: warning: left shift of negative value
[-Wshift-negative-value]
691 | return (id ^ (id >> numBits)) & ~((~0) << numBits);
| ^~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 26a7ab09ea)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
No real harm, but clears warning from gcc 14.1:
../dix/property.c: In function ‘ProcListProperties’:
..//dix/property.c:605:27: warning: dereference of NULL ‘temppAtoms’
[CWE-476] [-Wanalyzer-null-dereference]
605 | *temppAtoms++ = pProp->propertyName;
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 39f337fd49)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
It shouldn't matter, since it would have a length of 0, but it
clears warnings from gcc 14.1:
../dix/property.c: In function ‘dixChangeWindowProperty’:
../dix/property.c:287:9: warning: use of possibly-NULL ‘data’ where
non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
287 | memcpy(data, value, totalSize);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../dix/property.c:324:13: warning: use of possibly-NULL ‘data’ where
non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
324 | memcpy(data, value, totalSize);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 10cafd0bbe)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
Clears warning from gcc 14.1:
../dix/dixfonts.c: In function ‘SetFontPath’:
../dix/dixfonts.c:1697:28: warning: use of uninitialized value ‘bad’
[CWE-457] [-Wanalyzer-use-of-uninitialized-value]
1697 | client->errorValue = bad;
| ~~~~~~~~~~~~~~~~~~~^~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 1a86fba0d9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
Clears warning from gcc 14.1:
../dix/dixfonts.c:1352:15: warning: use of uninitialized value ‘*c.data’
[CWE-457] [-Wanalyzer-use-of-uninitialized-value]
1352 | free(c->data);
| ~^~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d78836a3a6)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
Commit 96bdc156 added a check for <sys/eventfd.h> to enable DRI3.
DragonFly and OpenBSD however rely on epoll-shim for <sys/eventfd.h>,
so that must be added as a dependency for the <sys/eventfd.h> check.
Fixes: commit 96bdc156 - xwayland: Do not enable DRI3 without eventfd
Suggested-by: Jan Beich <jbeich@freebsd.org>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 8fe15a60c5)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
DragonFly and OpenBSD rely on epoll-shim to provide eventfd.
Move the check for epoll dependency to the root meson.build script so
that we can use that for the <sys/evenfd.h> check as well.
This is preparation work for the following commits, no functional change
intended at this point.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 673b56e61c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
If either the master pointer or keyboard was disabled, the respective
GetMaster() call returns NULL, causing a segfault later accessing the
deviceid.
Fix this by looking in the off_devices list for any master
device of the type we're looking for. Master devices lose the pairing
when disabled (on enabling a keyboard we simply pair with the first
available unpaired pointer).
And for readability, split the device we get from the protocol request
into a new "dev" variable instead of re-using ptr.
Fixes#1611
(cherry picked from commit e7c876ab0b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
The vidmode extension emulation in Xwayland reports the modeline based
on the current mode.
To do so, it searches for the mode using `xwl_output_find_mode(-1, -1)`
which is supposed to return the current mode, whatever that mode is.
With XRandR emulation, in rootless mode, the default value is the mode
at index 0. That assumption, however is not true when running rootful.
That means that the vidmode extension will always return the highest
mode available, which is 5120x2880, with Xwayland running rootful:
$ xwayland-run -geometry 1024x768 -- xvidtune -show
"5120x2880" 1276.50 5120 5560 6128 7136 2880 2883 2888 2982 -hsync +vsync
Luckily, when Xwayland is running rootful, we have the current mode size
conveniently stored in dedicated fields of the xwayland output struct,
so we can use that to search for the right mode being used and report
that through the vidmode extension:
$ xwayland-run -geometry 1024x768 -- xvidtune -show
"1024x768" 63.50 1024 1064 1176 1328 768 771 775 798 -hsync +vsync
That fixes legacy games using the vidmode extension and rendering at the
wrong size when running within Xwayland rootful.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit e2e5842444)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1702>
The code here assumed a `leave` event always occurs between two `enter`
events. On Sway (and presumably other compositors) this happens even if
the client has destroyed the `wl_surface`, but the client gets a null
`surface` here. (Which presumably on on the wire is the id of the
destroyed surface.)
This seems like a bad thing to rely on, and is easy to avoid. But if
this is correct to assume, the Wayland protocol should be explicit about
this.
(cherry picked from commit 386b54fbe9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
Now that we won't enable DRI3 if <sys/eventfd.h> is not available, there
is not point in trying to include that header without DRI3.
That allows to build Xwayland with GLAMOR enabled (without DRI3) on
platforms which do not support eventfd.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 23c295ea8b)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
DRI3 version 1.4 which supports explicit buffers synchronization relies
on the eventfd interface.
As result, building would fail with DRI3 enabled on platforms without
the eventfd interface.
Check for the availability of the sys/eventfd.h header and disable DRI3
support if missing.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 96bdc156a1)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
This rewrites the shader so that we use the same (more flexible) CSC as
we have for I420 and NV12. This also fixes the reverse of odd/even which
caused chroma shift.
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
(cherry picked from commit 39c8a6f367)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
UYVY videos should be aligned by 2 to avoid breakups in the shader
Fixes: 832b392f7 - glamor: xv: enable UYVY acceleration
Suggested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Konstantin <ria.freelander@gmail.com>
(cherry picked from commit eb26f32368)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
Check actual BPP by render_format in upload_boxes, not by drawable BPP.
It is required when we used different BPP formats for storing and
rendering (for example, in the case of UYVY).
The problem of UYVY size lies inside method of glamor downloading boxes.
When we set GLAMOR_CREATE_FORMAT_CBCR, it actually uses 16-bit GL and
Pixman formats, but before this change in glamor_download_boxes, that
function deduces GL and Pixman formats from BPP, which is wrong in this
case (will be deduced to 32).
When GL and Pixman format BPP is identical to drawable BPP, this change
does nothing, but when it is different - it will prioritize Pixman
format, not the format deduced from BPP.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1730
Signed-off-by: Konstantin Pugin <ria.freelander@gmail.com>
(cherry picked from commit 75f56b7923)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
Currently, we would start dequeuing events as soon as a device is
resumed, regardless of its capabilities.
If the capabilities are not available, we would just fallback to the
regular XTEST code path and not use input emulation.
As a result, it is very likely that we shall lose the first events until
the compositor resumes first a device with the requested capabilities.
To avoid that issue, start emulating only once we have the requested
capabilities, if they match the seat capabilities.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1732
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 0525b9a5b9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
This is a small code refactoring to help with clarity, simply move the
code from the switch case for device resume to a dedicated function.
No functional change.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 68ec297ee9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
If glamor_link_glsl_prog() fails, we may jump to the failed code path
which frees the variable vs_prog_string and fs_prog_string.
But those variables were already freed just before, so in that case we
end up freeing the memory twice.
Simply move the free at the end of the success code path so we are sure
to free the values only once, either in the successful of failed code
paths.
Fixes: 2906ee5e4 - glamor: Fix leak in glamor_build_program()
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 34ea020344)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
Currently, we would log only the event type, use the libei API to also
log the name in plain text, so we can quickly identify the events we're
missing out.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 1a42fe40d0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
Since commit d370f1e58, Xwayland can optionally be started rootful and
fullscreen.
To do so, it will setup a viewport to scale the root window to match the
size of the output.
However, if the rootful Xwayland window receives an xdg-surface configure
event before the output definition is complete, as with e.g. the labwc
Wayland compositor, we might end up trying to setup a viewport with a
destination size of 0x0 which is a protocol violation, and that kills
Xwayland.
To avoid that issue, only setup the viewport if the output size is
meaningful.
Also, please note that once the output definition is complete, i.e. when
the "done" event is eventually received, we shall recompute the size for
fullscreen again, hence achieving the desired fullscreen state.
Fixes: d370f1e58 - xwayland: add fullscreen mode for rootful
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1717
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit 66f5e7e96a)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
Clears -Wcalloc-transposed-args warnings from gcc 14.1, such as:
../dix/main.c:165:42: warning: ‘calloc’ sizes specified with ‘sizeof’ in the
earlier argument and not in the later argument [-Wcalloc-transposed-args]
165 | serverClient = calloc(sizeof(ClientRec), 1);
| ^~~~~~~~~
../dix/main.c:165:42: note: earlier argument should specify number of
elements, later size of each element
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 522f469fe9)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1635>
