Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Signed-off-by: Thomas E. Dickey <dickey@invisible-island.net>

Xrender.c: In function ‘XRenderQueryFormats’:
Xrender.c:406:19: warning: declaration of ‘xDepth’ shadows a global declaration [-Wshadow]
     xPictDepth   *xDepth;
                   ^~~~~~
In file included from /net/also.us.oracle.com/export/alanc/X.Org/amd64-gcc/install/usr/X11R7/include/X11/Xlibint.h:43:0,
                 from Xrenderint.h:31,
                 from Xrender.c:28:
/net/also.us.oracle.com/export/alanc/X.Org/amd64-gcc/install/usr/X11R7/include/X11/Xproto.h:329:7: note: shadowed declaration is here
     } xDepth;
       ^~~~~~

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

These are not needed in C89 and later

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Dmitry Karasik authored Aug 07, 2021 and Alan Coopersmith committed Jul 18, 2022

Rationale: I don't have enough expertise to judge on how the tessellation
algorithm is broken in XRenderComputeTrapezoids but I do trust Keith Packard
that it is. However using cairo for proper tessellation, as he suggests, is
too heavyweight, and here I propose to alter the code to at least do not cause
coredumps.

Even if/when the function will be marked as obsolete, I believe it is pretty
much capable of rendering relatively simple shapes, and still retains some
value.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Found by using:
    codespell --builtin clear,rare,usage,informal,code,names

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Robin Linden <dev@robinlinden.eu>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Mihail Konev authored Jan 26, 2017 and Peter Hutterer committed Jan 26, 2017

Signed-off-by: Mihail Konev <k.mvc@ya.ru>

Emil Velikov authored Mar 09, 2015 and Peter Hutterer committed Jan 26, 2017

Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
fall-outs, when they contain space.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

Syncs the invocation of configure with the one from the server.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>

Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>

Tobias Stoeckmann authored Sep 25, 2016 and Matthieu Herrb committed Sep 25, 2016

Individual lengths inside received server data can overflow
the previously reserved memory.

It is therefore important to validate every single length
field to not overflow the previously agreed sum of all invidual
length fields.

v2: consume remaining bytes in the reply buffer on error.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu <Herrb@laas.fr>

Tobias Stoeckmann authored Sep 25, 2016 and Matthieu Herrb committed Sep 25, 2016

The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.

The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.

v2: consume remaining bytes in reply buffer on error.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

Lauri Kasanen authored May 18, 2015 and Adam Jackson committed May 21, 2015

Before this patch, it wasn't mentioned in this file at all, which
is a monumental oversight.

Signed-off-by: Lauri Kasanen <cand@gmx.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Clemens Eisserer authored Nov 23, 2013 and Keith Packard committed Nov 23, 2013

Request length calculation inside XRenderCompositeText32 is broken for
the case where the number of glyphs fits exactky inside the last
xGlyphElt.

In XRenderCompositeText8 and XRenderCompositeText16 this case is
handled properly, somehow the "-1" got missing in
XRenderCompositeText32.

Reviewed-by: Keith Packard <keithp@keithp.com>

Michael Joost authored Nov 18, 2013 and Alan Coopersmith committed Nov 22, 2013

_XEatDataWords was orignally introduced with the May 2013 security
patches, and in order to ease the process of delivering those,
fallback versions of _XEatDataWords were included in the X extension
library patches so they could be applied to older versions that didn't
have libX11 1.6 yet.   Now that we're past that hurdle, we can drop
the fallbacks and just require libX11 1.6 for building new versions
of the extension libraries.

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

The length and numIndexValues members of the reply are both CARD32 and
need to be bounds checked before multiplying by sizeof (XIndexValue) to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

The length, numFormats, numScreens, numDepths, and numVisuals members of
the reply are all CARD32 and need to be bounds checked before multiplying
and adding them together to come up with the total size to allocate, to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

The length, numFilters & numAliases members of the reply are all CARD32
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Colin Walters authored Jan 04, 2012 and Adam Jackson committed Jan 15, 2013

http://people.gnome.org/~walters/docs/build-api.txt



Signed-off-by: Adam Jackson <ajax@redhat.com>

Signed-off-by: Adam Jackson <ajax@redhat.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Emanuele Giaquinta authored Jan 02, 2012 and Jeremy Huddleston Sequoia committed Feb 28, 2012

Due to C arithmetic conversion rules we must use an unsigned constant (or a
cast) to perform the multiplication using unsigned arithmetic.

Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>