- record-avoid-crash-when-calling-RecordFlushReplyBuff.patch

* record: avoid crash when calling RecordFlushReplyBuffer
    recursively (bnc #673575)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=336

record-avoid-crash-when-calling-RecordFlushReplyBuff.patch

@@ -0,0 +1,70 @@
+From 0801afbd7c2c644c672b37f8463f1a0cbadebd2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?= <erkki.seppala@vincit.fi>
+Date: Thu, 10 Feb 2011 15:35:14 +0200
+Subject: [PATCH] record: avoid crash when calling RecordFlushReplyBuffer recursively
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RecordFlushReplyBuffer can call itself recursively through
+WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts
+when the recording client's buffer cannot be completely emptied in one
+WriteClient. When a such a recursion occurs, it will not be broken out
+of which results in segmentation fault when the stack is exhausted.
+
+This patch adds a counter (a flag, really) that guards against this
+situation, to break out of the recursion.
+
+One alternative to this change would be to change _CallCallbacks to
+check the corresponding counter before the callback loop, but that
+might affect existing behavior, which may be relied upon.
+
+Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
+Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ record/record.c |    6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index 6a93d7a..facaebb 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -77,6 +77,7 @@ typedef struct {
+     char	bufCategory;	   /* category of protocol in replyBuffer */
+     int		numBufBytes;	   /* number of bytes in replyBuffer */
+     char	replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */
++    int		inFlush;           /*  are we inside RecordFlushReplyBuffer */
+ } RecordContextRec, *RecordContextPtr;
+ 
+ /*  RecordMinorOpRec - to hold minor opcode selections for extension requests
+@@ -245,8 +246,9 @@ RecordFlushReplyBuffer(
+     int len2
+ )
+ {
+-    if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone) 
++    if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone || pContext->inFlush)
+ 	return;
++    ++pContext->inFlush;
+     if (pContext->numBufBytes)
+ 	WriteToClient(pContext->pRecordingClient, pContext->numBufBytes,
+ 		      (char *)pContext->replyBuffer);
+@@ -255,6 +257,7 @@ RecordFlushReplyBuffer(
+ 	WriteToClient(pContext->pRecordingClient, len1, (char *)data1);
+     if (len2)
+ 	WriteToClient(pContext->pRecordingClient, len2, (char *)data2);
++    --pContext->inFlush;
+ } /* RecordFlushReplyBuffer */
+ 
+ 
+@@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client)
+     pContext->numBufBytes = 0;
+     pContext->pBufClient = NULL;
+     pContext->continuedReply = 0;
++    pContext->inFlush = 0;
+ 
+     err = RecordRegisterClients(pContext, client,
+ 				(xRecordRegisterClientsReq *)stuff);
+-- 
+1.7.4.1
+

xorg-x11-server.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Mar 17 13:35:55 UTC 2011 - sndirsch@novell.com
+
+- record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+  * record: avoid crash when calling RecordFlushReplyBuffer
+    recursively (bnc #673575) 
+
 -------------------------------------------------------------------
 Sat Feb 26 10:52:15 UTC 2011 - devel@navlost.eu
 

xorg-x11-server.spec

@@ -122,6 +122,7 @@ Patch222:       sync-fix.patch
 Patch223:       use-last-screen.patch
 Patch224:       pad-size-of-system-memory-copy-for-1x1-pixmaps
 Patch225:       xorg-server-stop-cpu-eating.diff
+Patch226:       record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
 %if %moblin
 Patch300:       moblin-use_preferred_mode_for_all_outputs.diff
 %endif
@@ -255,6 +256,7 @@ popd
 %patch223 -p1
 %patch224 -p1
 %patch225 -p1
+%patch226 -p1
 %if %moblin
 %patch300 -p1
 %endif