- Feb 10, 2015
-
-
Julien Cristau authored
Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Ensure that the given string lengths in an XkbSetGeometry request remain within the limits of the size of the request. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 20079c36) (cherry picked from commit f160e722) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
The XkbSetGeometry request embeds data which needs to be swapped when the server and the client have different endianness. _XkbSetGeometry() invokes functions that swap these data directly in the input buffer. However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once (if there is more than one keyboard), thus causing on swapped clients the same data to be swapped twice in memory, further causing a server crash because the string lengths on the second time are way off bounds. To allow _XkbSetGeometry() to run reliably more than once with swapped clients, do not swap the data in the buffer, use variables instead. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 81c90dc8) (cherry picked from commit 29be310c) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
- Jan 31, 2015
-
-
As a DDX may declare offload support without supporting DRI2 (because it is using an alternative acceleration mechanism like DRI3), when iterating the list of offload_source Screens to find a matching DRI2 provider we need to check before assuming it is DRI2 capable. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88514 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Reviewed-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 08293101)
-
The CVE fix in: commit 97015a07 Author: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Wed Jan 22 22:37:15 2014 -0800 dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4] offended the C++ demons: ../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to 'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive] Normally this isn't a problem, because around here we have the sense and common decency to not use C++, but this does make tigervnc fail to build, which is a little rude of us. Signed-off-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit bb23fbf5)
-
Jonathan Dieter posted a few patches to do this inside the Xorg server but it makes no sense to do it there, just have the code we use to probe the device list at startup check seat assignments using the same code we check at hotplug time. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183654 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Acked-by: Hans de Goede <hdegoede@redhat.com> Tested-by: Jonathan Dieter <jdieter@lesbg.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 697b696e)
-
If the user wants to set one of the slave devices as the primary output, we shouldn't fail to do so, we were returning BadMatch which was tripping up gnome-settings-daemon and bad things ensue. Fix all the places we use primaryOutput to work out primaryCrtc and take it into a/c when slave gpus are in use. v2: review from Aaron, fix indent, unhide has_primary from macro. I left the int vs Bool alone to be consistent with code below, a future patch could fix both. Signed-off-by: Dave Airlie <airlied@redhat.com> Reviewed-by: Aaron Plattner <aplattner@nvidia.com> Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit df1b401f)
-
Fixing following kind of race-conditions -

    WaitForSomething()
    |
    ----> // timers -> timer-1 -> timer-2 -> null
          while (timers && (int) (timers->expires - now) <= 0)
              // prototype - DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
              DoTimer(timers, now, &timers)
              |
              |
              ----> OsBlockSignals();
                    .... OS Signal comes just before blocking it,
                    .... timer-1 handler gets called.
                         // timer-1 gets served and scheduled again;
                         // timers -> timer-2 -> timer-1 -> null
                    ....
                    *prev = timer->next;
                    timer->next = NULL; // timers -> null
                    // timers list gets corrupted here and timer-2 gets removed from list.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=86288 Signed-off-by: Nikhil Mahale <nmahale@nvidia.com> Reviewed-by: Julien Cristau <jcristau@debian.org> v2: Apply warning fixes from Keith Packard <keithp@keithp.com> Reviewed-by: Aaron Plattner <aplattner@nvidia.com> Signed-off-by: Aaron Plattner <aplattner@nvidia.com> Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit fe4c774c)
-
- Jan 05, 2015
-
-
The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit dc777c34) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
- Dec 20, 2014
-
-
Julien Cristau authored
Signed-off-by: Julien Cristau <jcristau@debian.org>
-
- Dec 09, 2014
-
-
Julien Cristau authored
Signed-off-by: Julien Cristau <jcristau@debian.org>
-
GetHosts saves the pointer to allocated memory in *data, and then wants to bounds-check writes to that region, but was mistakenly using a bare 'data' instead of '*data'. Also, data is declared as void **, so we need a cast to turn it into a byte pointer so we can actually do pointer comparisons. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 1559a943) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
The 'n' parameter must be surrounded by parens in both places to prevent precedence from mis-computing things. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 9802a016) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
We're using compiler compatibility settings which generate warnings when a variable is declared after the first statement. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 61b17c0f) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
When the local types used to walk the DBE request were changed, this changed the type of the parameter passed to the DDX SwapBuffers API, but there wasn't a matching change in the API definition. At this point, with the API frozen, I just stuck a new variable in with the correct type. Because we've already bounds-checked nStuff to be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will fit in a signed int without overflow. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit b20912c3) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
On a system where sizeof(unsigned) != sizeof(intptr_t), the unary bitwise not operation will result in a mask that clears all high bits from temp_buf in the expression: temp_buf = (temp_buf + mask) & ~mask; Signed-off-by: Robert Morell <rmorell@nvidia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 7e7630bb) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit e883c170) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 984583a4) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 44ba149f) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit afe17702) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit c91e4abc) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit a33a939e) Signed-off-by: Julien Cristau <jcristau@debian.org> Conflicts: glx/glxcmds.c
-
v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 698888e6) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Julien Cristau authored
v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit be09e0c9) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 2a5cbc17) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Without this we'd reject the request with BadLength. Note that some old versions of Mesa had a bug in the same place, and would _send_ zero bytes of image data; these will now be rejected, correctly. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 13d36923) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 717a1b37) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit ab2ba933) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit 23fe7718) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit f4afd53f) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 2df83bb1) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit d153a85f) Signed-off-by: Julien Cristau <jcristau@debian.org> Conflicts: test/Makefile.am
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit a0ece23a) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 5d3a788a) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Julien Cristau authored
Otherwise we may be reading outside of the client request. Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> (cherry picked from commit b5f9ef03) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 3df2fcf1) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit d155b7a8) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 0a6085aa) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 32a95fb7) Signed-off-by: Julien Cristau <jcristau@debian.org>
-
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit 7553082b) Signed-off-by: Julien Cristau <jcristau@debian.org>
-