- Jul 12, 2022
-
-
Povilas Kanapickas authored
-
No validation of the various fields on that report was done, so a malicious client could send a short request that claims it had N sections, or rows, or keys, and the server would process the request for N sections, running out of bounds of the actual request data.

Fix this by adding size checks to ensure our data is valid.

ZDI-CAN 16062, CVE-2022-2319.

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 6907b6ea)
-
XKB often uses a FooCheck and Foo function pair, the former is supposed to check all values in the request and error out on BadLength, BadValue, etc. The latter is then called once we're confident the values are good (they may still fail on an individual device, but that's a different topic).

In the case of XkbSetDeviceInfo, those functions were incorrectly named, with XkbSetDeviceInfo ending up as the checker function and XkbSetDeviceInfoCheck as the setter function. As a result, the setter function was called before the checker function, accessing request data and modifying device state before we ensured that the data is valid.

In particular, the setter function relied on values being already byte-swapped. This in turn could lead to potential OOB memory access.

Fix this by correctly naming the functions and moving the length checks over to the checker function. These were added in 87c64fc5 to the wrong function, probably due to the incorrect naming.

Fixes ZDI-CAN 16070, CVE-2022-2320.

This vulnerability was discovered by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Introduced in c06e27b2

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit dd8caf39)
-
Most similar loops here use a pointer that advances with each loop iteration, let's do the same here for consistency.

No functional changes.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
(cherry picked from commit f1070c01)
-
- Jul 04, 2022
-
-
Jeremy Huddleston Sequoia authored
Fixes: #1346
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-
- Jul 02, 2022
-
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 4cfdc5af)
-
Jeremy Huddleston Sequoia authored
Crashing on exception: -[__NSCFArray replaceObjectAtIndex:withObject:]: mutating method sent to immutable object

Application Specific Backtrace 0:
0   CoreFoundation    0x00007ff80d2c5e9b __exceptionPreprocess + 242
1   libobjc.A.dylib   0x00007ff80d027e48 objc_exception_throw + 48
2   CoreFoundation    0x00007ff80d38167b _CFThrowFormattedException + 194
3   CoreFoundation    0x00007ff80d382a25 -[__NSCFArray removeObjectAtIndex:].cold.1 + 0
4   CoreFoundation    0x00007ff80d2e6c0b -[__NSCFArray replaceObjectAtIndex:withObject:] + 119
5   X11.bin           0x00000001003180f9 -[X11Controller tableView:setObjectValue:forTableColumn:row:] + 169

Fixes: https://github.com/XQuartz/XQuartz/issues/267
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit dfd05799)
-
- Jul 01, 2022
-
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit aa636b97)
-
Povilas Kanapickas authored
This fixes address sanitizer errors when running unit tests. The additional copying may reduce performance by a small amount, but we don't care about that because this driver is used for testing only.

Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit 7d2014e7)
-
Povilas Kanapickas authored
GTK3 menu widget creates a selection for touch and other events and after receiving touch events creates an async grab that excludes touch events. Unfortunately it relies on X server not sending the touch end event in order to function properly. Sending touch end event will cause it to think that the initiating touch ended and when it actually ends, the ButtonRelease event will make it think that the menu should be closed. As a result, the menu will be open only for the duration of the touch making it useless.

This commit reverts f682e056.

Fixes: #1255
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit 43e934a1)
-
Povilas Kanapickas authored
When processing events we operate on InternalEvent pointers. They may actually refer to an instance of DeviceEvent, GestureEvent or any other event that comprises the InternalEvent union. This works well in practice because we always look into event type before doing anything, except in the case of copying the event.

*dst_event = *src_event would copy whole InternalEvent event and would cause out of bounds read in case the pointed to event was not InternalEvent but e.g. DeviceEvent.

This regression has been introduced in 23a8b62d.

Fixes #1261
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
(cherry picked from commit 6ef5c057)
-
As the comment says:

"symsPerKey/mapWidths must be filled regardless of client-side flags"

so we always have to call CheckKeyTypes which will notably fill mapWidths and nTypes. That is needed for CheckKeySyms to work since it checks the width. Without it, any request with XkbKeySymsMask but not XkbKeyTypesMask will fail because of the missing width information, for instance this:

    XkbDescPtr xkb;
    if (!(xkb = XkbGetMap (dpy, XkbKeyTypesMask|XkbKeySymsMask, XkbUseCoreKbd))) {
        fprintf (stderr, "ERROR getting map\n");
        exit(1);
    }
    XFlush (dpy);
    XSync (dpy, False);

    XkbMapChangesRec changes = { .changed = 0 };
    int oneGroupType[XkbNumKbdGroups] = { XkbOneLevelIndex };

    if (XkbChangeTypesOfKey(xkb, keycode, 1, XkbGroup1Mask, oneGroupType, &changes)) {
        fprintf(stderr, "ERROR changing type of key\n");
        exit(1);
    }
    XkbKeySymEntry(xkb,keycode,0,0) = keysym;

    if (!XkbChangeMap(dpy,xkb,&changes)) {
        fprintf(stderr, "ERROR changing map\n");
        exit(1);
    }

    XkbFreeKeyboard (xkb, 0, TRUE);
    XFlush (dpy);
    XSync (dpy, False);

This had been going under the radar since about ever until commit de940e06 ("xkb: fix key type index check in _XkbSetMapChecks") fixed checking the values of kt_index, which was previously erroneously ignoring errors and ignoring all other checks, just because nTypes was not set, precisely because CheckKeyTypes was not called.

Note: yes, CheckKeyTypes is meant to be callable without XkbKeyTypesMask, it does properly check for that and just fills nTypes and mapWidths in that case.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 0217cc6e)
-
Povilas Kanapickas authored
This reverts commit b27eaa72.
-
- Jun 26, 2022
-
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 9ce72648)
-
Jeremy Huddleston Sequoia authored
This brings the change for e1fdc856 into meson based builds

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit b00cf4ae)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit ef810156)
-
Jeremy Huddleston Sequoia authored
FAILED: test/tests clang -o test/tests test/tests.p/.._mi_miinitext.c.o test/tests.p/fixes.c.o test/tests.p/input.c.o test/tests.p/list.c.o test/tests.p/misc.c.o test/tests.p/signal-logging.c.o test/tests.p/string.c.o test/tests.p/test_xkb.c.o test/tests.p/tests-common.c.o test/tests.p/tests.c.o test/tests.p/touch.c.o test/tests.p/xfree86.c.o test/tests.p/xtest.c.o test/tests.p/hashtabletest.c.o -Wl,-dead_strip_dylibs -Wl,-headerpad_max_install_names -Wl,-undefined,error -fvisibility=hidden -O0 -g3 -gdwarf-2 -mmacosx-version-min=10.9 -Werror=unguarded-availability-new -Werror=format -Werror=objc-method-access -Werror=incompatible-pointer-types -F/Applications/Utilities/XQuartz.app/Contents/Frameworks -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.13.sdk -arch x86_64 -O0 -g3 -gdwarf-2 -mmacosx-version-min=10.9 -Werror=unguarded-availability-new -Werror=format -Werror=objc-method-access -Werror=incompatible-pointer-types -F/Applications/Utilities/XQuartz.app/Contents/Frameworks -isysroot /Library/Developer/CommandLineTools/SDKs/MacOSX10.13.sdk -arch x86_64 -Wl,-rpath,/opt/X11/lib mi/liblibxserver_mi.a dix/liblibxserver_dix.a composite/liblibxserver_composite.a damageext/liblibxserver_damageext.a dbe/liblibxserver_dbe.a randr/liblibxserver_randr.a miext/damage/liblibxserver_miext_damage.a render/liblibxserver_render.a present/liblibxserver_present.a Xext/liblibxserver_xext.a miext/sync/liblibxserver_miext_sync.a xfixes/liblibxserver_xfixes.a Xi/liblibxserver_xi.a xkb/liblibxserver_xkb.a record/liblibxserver_record.a os/liblibxserver_os.a os/liblibxlibc.a glx/liblibglxvnd.a hw/xfree86/common/libxorg_common.a hw/xfree86/loader/libxorg_loader.a hw/xfree86/ddc/libxorg_ddc.a hw/xfree86/xkb/libxorg_xkb.a hw/xfree86/i2c/libxorg_i2c.a hw/xfree86/modes/libxorg_modes.a hw/xfree86/os-support/libxorg_os_support.a hw/xfree86/parser/libxorg_parser.a hw/xfree86/ramdac/libxorg_ramdac.a fb/liblibxserver_fb.a Xext/liblibxserver_xext_vidmode.a dix/liblibxserver_main.a 
config/liblibxserver_config.a /opt/X11/lib/libpixman-1.dylib /opt/X11/lib/libxcvt.dylib /opt/X11/lib/libxkbfile.dylib /opt/X11/lib/libXfont2.dylib /opt/X11/lib/libXdmcp.dylib -lm /opt/X11/lib/libxshmfence.dylib -ldl -lpthread /opt/X11/lib/libXau.dylib /opt/X11/lib/libGL.dylib
Undefined symbols for architecture x86_64:
  "_micmapScrPrivateKeyRec", referenced from:
      _DGAInstallCmap in libxorg_common.a(xf86DGA.c.o)
      _xf86HandleColormaps in libxorg_common.a(xf86cmap.c.o)
      _CMapInstallColormap in libxorg_common.a(xf86cmap.c.o)
      _CMapEnterVT in libxorg_common.a(xf86cmap.c.o)
      _CMapSwitchMode in libxorg_common.a(xf86cmap.c.o)
      _CMapSetDGAMode in libxorg_common.a(xf86cmap.c.o)
      _CMapChangeGamma in libxorg_common.a(xf86cmap.c.o)
      ...
ld: symbol(s) not found for architecture x86_64

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 6645ff59)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 707f23da)
-
Jeremy Huddleston Sequoia authored
../hw/xfree86/ddc/print_edid.c:511:20: error: format specifies type 'unsigned short' but the argument has type 'int' [-Werror,-Wformat]
                   det_mon->type - DS_VENDOR);
                   ^~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 199b8c08)
-
- Jun 21, 2022
-
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-
Jeremy Huddleston Sequoia authored
This bump is causing issues with our CI. Sorry about that.

This reverts commit a6a20a7c
(cherry picked from commit 8cd0397e)
-
- Jun 20, 2022
-
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 4f599982)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit b12f5dc6)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 1d90bef3)
-
Jeremy Huddleston Sequoia authored
WARNING: Project specifies a minimum meson_version '>= 0.47.0' but uses features which were added in newer versions:
 * 0.50.0: {'install arg in configure_file'}

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 0a27f96d)
-
- Jun 16, 2022
-
-
Jeremy Huddleston Sequoia authored
Fixes: https://github.com/XQuartz/XQuartz/issues/130
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 4532b696)
-
- Jun 15, 2022
-
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit f40610e0)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 6134c73a)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit 963ba6d9)
-
Jeremy Huddleston Sequoia authored
This changes away from hard-coding the /tmp/launch-* path to now supporting a generic <absolute path to unix socket>[.<screen>] format for $DISPLAY.

cf-libxcb: d978a4f69b30b630f28d07f1003cf290284d24d8
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
CC: Adam Jackson <ajax@kemper.freedesktop.org>
(cherry picked from commit 83d0d911)
-
Jeremy Huddleston Sequoia authored
Fixes: https://github.com/XQuartz/XQuartz/issues/205
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit b1afcecc)
-
Jeremy Huddleston Sequoia authored
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
(cherry picked from commit c11b55f3)
-
- Jan 28, 2022
-
-
Olivier Fourdan authored
The xserver fails to compile with the latest gcc 12:

render/picture.c: In function ‘CreateSolidPicture’:
render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds]
  874 |     pPicture->pSourcePict->type = SourcePictTypeSolidFill;
      |                          ^~
render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’
  868 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
render/picture.c: In function ‘CreateLinearGradientPicture’:
render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
  906 |     pPicture->pSourcePict->linear.type = SourcePictTypeLinear;
      |                          ^~
render/picture.c:899:45: note: object of size 32 allocated by ‘malloc’
  899 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictLinearGradient));
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
render/picture.c: In function ‘CreateConicalGradientPicture’:
render/picture.c:989:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
  989 |     pPicture->pSourcePict->conical.type = SourcePictTypeConical;
      |                          ^~
render/picture.c:982:45: note: object of size 32 allocated by ‘malloc’
  982 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictConicalGradient));
      |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
ninja: build stopped: subcommand failed.

This is because gcc 12 has become stricter and raises a warning now.

Fix the warning/error by allocating enough memory to store the union struct.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Michel Dänzer <mdaenzer@redhat.com>
Closes: xorg/xserver#1256
(cherry picked from commit c6b0dcb8)
-
- Jan 19, 2022
-
-
Closes: #1275
Signed-off-by: Błażej Szczygieł <spaz16@wp.pl>
Tested-by: Aaron Plattner <aplattner@nvidia.com>
(cherry picked from commit 22d58188)
-
- Jan 02, 2022
-
-
Povilas Kanapickas authored
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
-
- Jan 01, 2022
-
-
For depth 30 in particular it's not uncommon for the DDX to not have a configured pixmap format. Since the client expects to back both GLXPixmaps and GLXPbuffers with X Pixmaps, trying to use an x2rgb10 fbconfig would fail along various paths to CreatePixmap. Filter these fbconfigs out so the client can't ask for something that we know won't work.

(cherry picked from commit f6c070a1)
-
- Dec 20, 2021
-
-
Jocelyn Falempe authored
If there is one platform device, which is not paused nor resumed, systemd_logind_vtenter() will never get called. This breaks suspend/resume, and switching to VT on system with Nvidia proprietary driver. This is a regression introduced by f5bd0396

So now call systemd_logind_vtenter() if there are no paused platform devices.

Closes: #1271
Fixes: f5bd0396 - xf86/logind: fix call systemd_logind_vtenter after receiving drm device resume
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
-
Jocelyn Falempe authored
This was introduced by commit 8eb1396d

Closes: #1269
Fixes: da9d012a - xf86/logind: Fix drm_drop_master before vt_reldisp
Signed-off-by: Jocelyn Falempe <jfalempe@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
-
- Dec 19, 2021
-
-
This fixes a crash when a DeviceEvent struct converted to InternalEvent was being copied as InternalEvent (and thus causing out of bounds reads) in ActivateGrabNoDelivery() in events.c:

    3876 *grabinfo->sync.event = *real_event;

Possible fix for #1253

Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
(cherry picked from commit 5b8817a0)
-
(cherry picked from commit ca1dfdc9)
-