diff --git a/Replace-malloc-with-calloc-to-initialize-the-buffers.patch b/Replace-malloc-with-calloc-to-initialize-the-buffers.patch
new file mode 100644
index 0000000..a65201b
--- /dev/null
+++ b/Replace-malloc-with-calloc-to-initialize-the-buffers.patch
@@ -0,0 +1,34 @@
+From a73c28f0bdafb1c5cb8129179188a99c0ca052e2 Mon Sep 17 00:00:00 2001
+From: Justin Dou
+Date: Thu, 10 Feb 2011 16:27:29 -0500
+Subject: [PATCH] Replace malloc with calloc to initialize the buffers[] as NULL in do_get_buffers function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The calling for allocate_or_reuse_buffer may fail due to some reason, e.g. out of memory.
+If the buffers[] were not initialized to be NULL, the following err_out may try to access an illegal memory, which will cause X crash afterward.
+
+Reviewed-by: Kristian Høgsberg
+Signed-off-by: Justin Dou
+Signed-off-by: Keith Packard
+---
+ hw/xfree86/dri2/dri2.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
+index 39996f9..9ca378f 100644
+--- a/hw/xfree86/dri2/dri2.c
++++ b/hw/xfree86/dri2/dri2.c
+@@ -403,7 +403,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
+ && (pDraw->height == pPriv->height)
+ && (pPriv->serialNumber == DRI2DrawableSerial(pDraw));
+
+- buffers = malloc((count + 1) * sizeof(buffers[0]));
++ buffers = calloc((count + 1), sizeof(buffers[0]));
+
+ for (i = 0; i < count; i++) {
+ const unsigned attachment = *(attachments++);
+--
+1.7.4.1
+
diff --git a/record-avoid-crash-when-calling-RecordFlushReplyBuff.patch b/record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
new file mode 100644
index 0000000..e7e58f3
--- /dev/null
+++ b/record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
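Review bot: The allocation on the `++ buffers = calloc((count + 1), sizeof(buffers[0]));` line is still unchecked, and the `for (i = 0; i < count; i++)` loop two lines below presumably stores into buffers[i], so an out-of-memory calloc trades the crash described in the commit message for a NULL dereference. Add `if (!buffers)` directly after the call and route it to the function's existing failure path, making sure that path does not index buffers[] when the pointer itself is NULL (the message says err_out walks the array). The switch to calloc also brings an overflow-checked product of `count + 1` and the element size, which a one-line comment should record since it is not obvious from the diff: `/* calloc: elements start NULL so err_out frees only what was allocated */`. do_get_buffers starts and ends outside the hunk.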
@@ -0,0 +1,70 @@
+From 0801afbd7c2c644c672b37f8463f1a0cbadebd2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?=
+Date: Thu, 10 Feb 2011 15:35:14 +0200
+Subject: [PATCH] record: avoid crash when calling RecordFlushReplyBuffer recursively
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RecordFlushReplyBuffer can call itself recursively through
+WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts
+when the recording client's buffer cannot be completely emptied in one
+WriteClient. When a such a recursion occurs, it will not be broken out
+of which results in segmentation fault when the stack is exhausted.
+
+This patch adds a counter (a flag, really) that guards against this
+situation, to break out of the recursion.
+
+One alternative to this change would be to change _CallCallbacks to
+check the corresponding counter before the callback loop, but that
+might affect existing behavior, which may be relied upon.
+
+Reviewed-by: Rami Ylimäki
+Signed-off-by: Erkki Seppälä
+Signed-off-by: Keith Packard
+---
+ record/record.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index 6a93d7a..facaebb 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -77,6 +77,7 @@ typedef struct {
+ char bufCategory; /* category of protocol in replyBuffer */
+ int numBufBytes; /* number of bytes in replyBuffer */
+ char replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */
++ int inFlush; /* are we inside RecordFlushReplyBuffer */
+ } RecordContextRec, *RecordContextPtr;
+
+ /* RecordMinorOpRec - to hold minor opcode selections for extension requests
+@@ -245,8 +246,9 @@ RecordFlushReplyBuffer(
+ int len2
+ )
+ {
+- if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone)
++ if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone || pContext->inFlush)
+ return;
+ ++pContext->inFlush;
+ if (pContext->numBufBytes)
+ WriteToClient(pContext->pRecordingClient, pContext->numBufBytes,
+ (char *)pContext->replyBuffer);
+@@ -255,6 +257,7 @@ RecordFlushReplyBuffer(
+ WriteToClient(pContext->pRecordingClient, len1, (char *)data1);
+ if (len2)
+ WriteToClient(pContext->pRecordingClient, len2, (char *)data2);
+ --pContext->inFlush;
+ } /* RecordFlushReplyBuffer */
+
+
+@@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client)
+ pContext->numBufBytes = 0;
+ pContext->pBufClient = NULL;
+ pContext->continuedReply = 0;
++ pContext->inFlush = 0;
+
+ err = RecordRegisterClients(pContext, client,
+ (xRecordRegisterClientsReq *)stuff);
+--
+1.7.4.1
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index 2a0b367..7ab1b22 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
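Review bot: The re-entrancy guard added on the `++ if (... || pContext->inFlush)` line returns silently, so any data1/data2 a nested caller passes are discarded; on the path the commit message names (WriteToClient -> CallCallbacks -> RecordFlushAllContexts) the lengths are presumably zero, but nothing in the hunk records that assumption. A comment on the new field would make the contract explicit: `int inFlush; /* non-zero while inside RecordFlushReplyBuffer; a re-entrant call returns without writing, so it must only be reached with no pending data1/data2 */`. The `++pContext->inFlush` and `--pContext->inFlush` lines sit in two separate hunks with old lines 253–254 not shown; if anything in that gap can return early, inFlush stays set and flushing for that context is disabled for good, which is worth confirming. Since the value only ever takes 0 or 1, a boolean type would state the intent more honestly than a counter, as the message itself concedes.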
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Mar 17 16:55:16 UTC 2011 - sndirsch@novell.com
+
+- Replace-malloc-with-calloc-to-initialize-the-buffers.patch
+ * Replace malloc with calloc to initialize the buffers[] as NULL
+ in do_get_buffers function (bnc #673595)
+
+-------------------------------------------------------------------
+Thu Mar 17 13:35:55 UTC 2011 - sndirsch@novell.com
+
+- record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+ * record: avoid crash when calling RecordFlushReplyBuffer
+ recursively (bnc #673575)
+
 -------------------------------------------------------------------
 Sat Feb 26 10:52:15 UTC 2011 - devel@navlost.eu
 
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index e33ee33..b3bcab5 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -122,6 +122,8 @@ Patch222: sync-fix.patch
 Patch223: use-last-screen.patch
 Patch224: pad-size-of-system-memory-copy-for-1x1-pixmaps
 Patch225: xorg-server-stop-cpu-eating.diff
+Patch226: record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+Patch227: Replace-malloc-with-calloc-to-initialize-the-buffers.patch
 %if %moblin
 Patch300: moblin-use_preferred_mode_for_all_outputs.diff
 %endif
@@ -255,6 +257,8 @@ popd
 %patch223 -p1
 %patch224 -p1
 %patch225 -p1
+%patch226 -p1
+%patch227 -p1
 %if %moblin
 %patch300 -p1
 %endif