1
0
OBS User unknown 2008-06-25 23:19:13 +00:00 committed by Git OBS Bridge
parent 3133398ed7
commit a2eb7a9f58
15 changed files with 116 additions and 786 deletions

View File

@ -1,15 +0,0 @@
diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
index c1b9c60..40c196a 100644
--- a/hw/xfree86/common/xf86MiscExt.c
+++ b/hw/xfree86/common/xf86MiscExt.c
@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
{
ScrnInfoPtr pScr = xf86Screens[scrnIndex];
+ /* should check this in the protocol, but xf86NumScreens isn't exported */
+ if (scrnIndex >= xf86NumScreens)
+ return BadValue;
+
if (*pScr->HandleMessage == NULL)
return BadImplementation;
return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);

View File

@ -1,244 +0,0 @@
diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 8fc24d5..696b74a 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
xStringFeedbackCtl * f)
{
char n;
- long *p;
int i, j;
KeySym *syms, *sup_syms;
syms = (KeySym *) (f + 1);
if (client->swapped) {
swaps(&f->length, n); /* swapped num_keysyms in calling proc */
- p = (long *)(syms);
- for (i = 0; i < f->num_keysyms; i++) {
- swapl(p, n);
- p++;
- }
+ SwapLongs((CARD32 *) syms, f->num_keysyms);
}
if (f->num_keysyms > s->ctrl.max_symbols)
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index 3361e98..df334c1 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -75,18 +75,14 @@ int
SProcXChangeDeviceKeyMapping(ClientPtr client)
{
char n;
- long *p;
- int i, count;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
- p = (long *)&stuff[1];
count = stuff->keyCodes * stuff->keySymsPerKeyCode;
- for (i = 0; i < count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), count);
return (ProcXChangeDeviceKeyMapping(client));
}
@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
int ret;
unsigned len;
DeviceIntPtr dev;
+ unsigned int count;
REQUEST(xChangeDeviceKeyMappingReq);
REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
+ count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+ REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
dev = LookupDeviceIntRec(stuff->deviceid);
if (dev == Success)
SendErrorToClient(client, IReqCode, X_ChangeDeviceKeyMapping, 0,
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 58db886..3fb33e1 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -77,19 +77,15 @@ int
SProcXChangeDeviceDontPropagateList(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xChangeDeviceDontPropagateListReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
return (ProcXChangeDeviceDontPropagateList(client));
}
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index 110fc6b..0671e0e 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -78,8 +78,6 @@ int
SProcXGrabDevice(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceReq);
swaps(&stuff->length, n);
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
swapl(&stuff->grabWindow, n);
swapl(&stuff->time, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+
+ if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+ return BadLength;
+
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDevice(client));
}
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index c2661e8..ce0dcc5 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -77,8 +77,6 @@ int
SProcXGrabDeviceButton(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceButtonReq);
swaps(&stuff->length, n);
@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+ stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceButton(client));
}
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index 43b1928..d4b7fe8 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -77,8 +77,6 @@ int
SProcXGrabDeviceKey(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xGrabDeviceKeyReq);
swaps(&stuff->length, n);
@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
swapl(&stuff->grabWindow, n);
swaps(&stuff->modifiers, n);
swaps(&stuff->event_count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->event_count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
return (ProcXGrabDeviceKey(client));
}
diff --git a/Xi/selectev.c b/Xi/selectev.c
index b93618a..d3670ab 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -127,19 +127,16 @@ int
SProcXSelectExtensionEvent(ClientPtr client)
{
char n;
- long *p;
- int i;
REQUEST(xSelectExtensionEventReq);
swaps(&stuff->length, n);
REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
swapl(&stuff->window, n);
swaps(&stuff->count, n);
- p = (long *)&stuff[1];
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+ stuff->count * sizeof(CARD32));
+ SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
return (ProcXSelectExtensionEvent(client));
}
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index e4e38d7..588c910 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -80,7 +80,7 @@ int
SProcXSendExtensionEvent(ClientPtr client)
{
char n;
- long *p;
+ CARD32 *p;
int i;
xEvent eventT;
xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT;
}
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}

View File

@ -1,14 +0,0 @@
diff --git a/Xext/cup.c b/Xext/cup.c
index d0e820c..fd1409e 100644
--- a/Xext/cup.c
+++ b/Xext/cup.c
@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
+ if (stuff->screen >= screenInfo.numScreens)
+ return BadValue;
+
#ifndef HAVE_SPECIAL_DESKTOP_COLORS
citems[CUP_BLACK_PIXEL].pixel =
screenInfo.screens[stuff->screen]->blackPixel;

View File

@ -1,298 +0,0 @@
diff --git a/Xext/EVI.c b/Xext/EVI.c
index 4bd050c..a637bae 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "modinit.h"
+#include "scrnintstr.h"
static EviPrivPtr eviPriv;
@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
{
REQUEST(xEVIGetVisualInfoReq);
xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
VisualID32 *conflict;
+ unsigned int total_visuals = 0;
xExtendedVisualInfo *eviInfo;
int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
index 7508aa7..b871bfd 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
#include <X11/extensions/XEVIstr.h>
#include "EVIstruct.h"
#include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
static int sampleGetVisualInfo(
VisualID32 *visual,
int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
VisualID32 **conflict_rn,
int *n_conflict_rn)
{
- int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+ unsigned int max_sz_evi;
VisualID32 *temp_conflict;
xExtendedVisualInfo *evi;
- int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+ unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
- *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
- if (!*evi_rn)
- return BadAlloc;
+
+ if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+ return BadAlloc;
+ max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
if (screenInfo.screens[scrI]->numVisuals > max_visuals)
max_visuals = screenInfo.screens[scrI]->numVisuals;
}
+
+ if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens
+ * max_visuals))
+ return BadAlloc;
max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
+
+ *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+ if (!*evi_rn)
+ return BadAlloc;
+
temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
if (!temp_conflict) {
xfree(*evi_rn);
return BadAlloc;
}
+
for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
for (visualI = 0; visualI < n_visual; visualI++) {
evi[sz_evi].core_visual_id = visual[visualI];
diff --git a/Xext/shm.c b/Xext/shm.c
index e3d7a23..c545e49 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
int i, j, result, rc;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
PanoramiXRes *newPix;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
return rc;
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
return BadValue;
}
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
return BadAlloc;
@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
register int i, rc;
ShmDescPtr shmdesc;
REQUEST(xShmCreatePixmapReq);
+ unsigned int width, height, depth;
+ unsigned long size;
REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
client->errorValue = stuff->pid;
@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
return rc;
VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
- if (!stuff->width || !stuff->height)
+
+ width = stuff->width;
+ height = stuff->height;
+ depth = stuff->depth;
+ if (!width || !height || !depth)
{
client->errorValue = 0;
return BadValue;
}
+ if (width > 32767 || height > 32767)
+ return BadAlloc;
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
if (stuff->depth != 1)
{
pDepth = pDraw->pScreen->allowedDepths;
@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
return BadValue;
}
CreatePmap:
- VERIFY_SHMSIZE(shmdesc, stuff->offset,
- PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
- client);
+ VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
stuff->height, stuff->depth,
diff --git a/Xext/shm.c b/Xext/shm.c
index c545e49..e46f6fc 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap(
}
if (width > 32767 || height > 32767)
return BadAlloc;
- size = PixmapBytePad(width, depth) * height;
- if (sizeof(size) == 4) {
- if (size < width * height)
- return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
- }
if (stuff->depth != 1)
{
@@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap(
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client)
}
if (width > 32767 || height > 32767)
return BadAlloc;
- size = PixmapBytePad(width, depth) * height;
- if (sizeof(size) == 4) {
- if (size < width * height)
- return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
- }
if (stuff->depth != 1)
{
@@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client)
client->errorValue = stuff->depth;
return BadValue;
}
+
CreatePmap:
+ size = PixmapBytePad(width, depth) * height;
+ if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+ if (size < width * height)
+ return BadAlloc;
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
+ }
+
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
pDraw->pScreen, stuff->width,
diff --git a/Xext/shm.c b/Xext/shm.c
index e46f6fc..a7a1ecf 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -799,10 +799,10 @@ CreatePmap:
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
}
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
@@ -1144,10 +1144,10 @@ CreatePmap:
if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
if (size < width * height)
return BadAlloc;
- /* thankfully, offset is unsigned */
- if (stuff->offset + size < size)
- return BadAlloc;
}
+ /* thankfully, offset is unsigned */
+ if (stuff->offset + size < size)
+ return BadAlloc;
VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(

View File

@ -1,18 +0,0 @@
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 2979c64..04f1f1b 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -326,6 +326,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
err = BadFontName;
goto bail;
}
+ /* check values for firstCol, lastCol, firstRow, and lastRow */
+ if (pfont->info.firstCol > pfont->info.lastCol ||
+ pfont->info.firstRow > pfont->info.lastRow ||
+ pfont->info.lastCol - pfont->info.firstCol > 255) {
+ err = AllocError;
+ goto bail;
+ }
if (!pfont->fpe)
pfont->fpe = fpe;
pfont->refcnt++;

View File

@ -1,76 +0,0 @@
commit 37b1258f0a288a79ce6a3eef3559e17a67c4dd96
Author: Thomas Jaeger <thjaeger@gmail.com>
Date: Tue Apr 1 15:27:06 2008 +0300
XKB: Fix processInputProc wrapping
If input processing is frozen, only wrap realInputProc: don't smash
processInputProc as well. When input processing is thawed, pIP will be
rewrapped correctly.
This supersedes the previous workaround in 50e80c9.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
diff --git a/include/xkbsrv.h b/include/xkbsrv.h
index ef99e94..040bb93 100644
--- a/include/xkbsrv.h
+++ b/include/xkbsrv.h
@@ -237,6 +237,14 @@ typedef struct _XkbSrvLedInfo {
typedef struct
{
ProcessInputProc processInputProc;
+ /* If processInputProc is set to something different than realInputProc,
+ * UNWRAP and COND_WRAP will not touch processInputProc and update only
+ * realInputProc. This ensures that
+ * processInputProc == (frozen ? EnqueueEvent : realInputProc)
+ *
+ * WRAP_PROCESS_INPUT_PROC should only be called during initialization,
+ * since it may destroy this invariant.
+ */
ProcessInputProc realInputProc;
DeviceUnwrapProc unwrapProc;
} xkbDeviceInfoRec, *xkbDeviceInfoPtr;
@@ -254,14 +262,14 @@ typedef struct
device->public.processInputProc = proc; \
oldprocs->processInputProc = \
oldprocs->realInputProc = device->public.realInputProc; \
- if (proc != device->public.enqueueInputProc) \
- device->public.realInputProc = proc; \
+ device->public.realInputProc = proc; \
oldprocs->unwrapProc = device->unwrapProc; \
device->unwrapProc = unwrapproc;
#define UNWRAP_PROCESS_INPUT_PROC(device, oldprocs, backupproc) \
- backupproc = device->public.processInputProc; \
- device->public.processInputProc = oldprocs->processInputProc; \
+ backupproc = device->public.realInputProc; \
+ if (device->public.processInputProc == device->public.realInputProc)\
+ device->public.processInputProc = oldprocs->realInputProc; \
device->public.realInputProc = oldprocs->realInputProc; \
device->unwrapProc = oldprocs->unwrapProc;
diff --git a/xkb/xkbActions.c b/xkb/xkbActions.c
index 890cf42..8c72874 100644
--- a/xkb/xkbActions.c
+++ b/xkb/xkbActions.c
@@ -49,15 +49,14 @@ xkbUnwrapProc(DeviceIntPtr device, DeviceHandleProc proc,
pointer data)
{
xkbDeviceInfoPtr xkbPrivPtr = XKBDEVICEINFO(device);
- ProcessInputProc tmp = device->public.processInputProc;
- ProcessInputProc dummy; /* unused, but neede for macro */
+ ProcessInputProc backupproc;
if(xkbPrivPtr->unwrapProc)
xkbPrivPtr->unwrapProc = NULL;
- UNWRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr, dummy);
+ UNWRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr, backupproc);
proc(device,data);
- WRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr,
- tmp,xkbUnwrapProc);
+ COND_WRAP_PROCESS_INPUT_PROC(device,xkbPrivPtr,
+ backupproc,xkbUnwrapProc);
}

View File

@ -1,35 +0,0 @@
commit a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b
Author: Kristian Høgsberg <krh@redhat.com>
Date: Wed Jan 16 20:24:11 2008 -0500
Don't break grab and focus state for a window when redirecting it.
Composite uses an unmap/map cycle to trigger backing pixmap allocation
and cliprect recomputation when a window is redirected or unredirected.
To avoid protocol visible side effects, map and unmap events are
disabled temporarily. However, when a window is unmapped it is also
removed from grabs and loses focus, but these state changes are not
disabled.
This change supresses the unmap side effects during the composite
unmap/map cycle and fixes this bug:
http://bugzilla.gnome.org/show_bug.cgi?id=488264
where compiz would cause gnome-screensaver to lose its grab when
compiz unredirects the fullscreen lock window.
diff --git a/dix/window.c b/dix/window.c
index 33cf76b..1ccf126 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -2993,7 +2993,8 @@ UnrealizeTree(
}
#endif
(* Unrealize)(pChild);
- DeleteWindowFromAnyEvents(pChild, FALSE);
+ if (MapUnmapEventsEnabled(pWin))
+ DeleteWindowFromAnyEvents(pChild, FALSE);
if (pChild->viewable)
{
#ifdef DO_SAVE_UNDERS

View File

@ -1,17 +0,0 @@
diff --git a/hw/xfree86/modes/xf86EdidModes.c b/hw/xfree86/modes/xf86EdidModes.c
index 2f26a64..9489947 100644
--- a/hw/xfree86/modes/xf86EdidModes.c
+++ b/hw/xfree86/modes/xf86EdidModes.c
@@ -327,6 +327,12 @@ DDCModeFromDetailedTiming(int scrnIndex, struct detailed_timings *timing,
Mode->VSyncEnd = Mode->VSyncStart + timing->v_sync_width;
Mode->VTotal = timing->v_active + timing->v_blanking;
+ /* perform basic check on the detail timing */
+ if (Mode->HSyncEnd > Mode->HTotal || Mode->VSyncEnd > Mode->VTotal) {
+ xfree(Mode);
+ return NULL;
+ }
+
xf86SetModeDefaultName(Mode);
/* We ignore h/v_size and h/v_border for now. */

View File

@ -276,9 +276,9 @@ diff -pNur xorg-server-1.4.orig/hw/dmx/Makefile.am xorg-server-1.4/hw/dmx/Makefi
+ vnc/libdmxvnc.a \
config/libdmxconfig.a \
+ -ljpeg -lcrypt \
@XSERVER_LIBS@ \
@DMXMODULES_LIBS@
# Man page
diff -pNur xorg-server-1.4.orig/hw/dmx/vnc/Makefile.am xorg-server-1.4/hw/dmx/vnc/Makefile.am
--- xorg-server-1.4.orig/hw/dmx/vnc/Makefile.am 1969-12-31 16:00:00.000000000 -0800
+++ xorg-server-1.4/hw/dmx/vnc/Makefile.am 2007-09-06 16:09:45.000000000 -0700

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b89f2d17be5ba71e3cc25379e18155c55ea36ba94ac1abae953214f13c020ffe
size 6315011

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:829c66ec4c295822700067c87afae796b8e67530cc65a7b83060ea29a4ff316d
size 6216638

View File

@ -1,3 +1,54 @@
-------------------------------------------------------------------
Fri Jun 13 15:31:51 CEST 2008 - sndirsch@suse.de
- xorg-x11-Xvnc: added meta file for SuSEfirewall2 (bnc #398855)
-------------------------------------------------------------------
Wed Jun 11 18:19:43 CEST 2008 - sndirsch@suse.de
- xorg-server 1.4.2
* CVE-2008-2360 - RENDER Extension heap buffer overflow
* CVE-2008-2361 - RENDER Extension crash
* CVE-2008-2362 - RENDER Extension memory corruption
* CVE-2008-1377 - RECORD and Security extensions memory corruption
* CVE-2008-1379 - MIT-SHM arbitrary memory read
- obsoletes bfo-bug15222.diff
-------------------------------------------------------------------
Tue Jun 10 22:22:18 CEST 2008 - sndirsch@suse.de
- xorg-server 1.4.1
* Contains a few security and input fixes, some memory leak
fixes, and a few misc bits.
* obsolete patches:
- CVE-2007-5760-xf86misc.diff
- CVE-2007-6427-xinput.diff
- CVE-2007-6428-TOG-cup.diff
- CVE-2007-6429-shm_evi.diff
- CVE-2008-0006-pcf_font.diff
- commit-37b1258.diff
- commit-a6a7fad.diff
- remove_bogus_modeline.diff
- xserver-1.3.0-xkb-and-loathing.patch
* adjusted patches
- xorg-server-1.4-vnc.patch
-------------------------------------------------------------------
Thu Jun 5 23:04:47 CEST 2008 - sndirsch@suse.de
- bfo-bug15222.diff (bfo #15222, bnc #374318)
* CVE-2008-2360 - RENDER Extension heap buffer overflow
* CVE-2008-2361 - RENDER Extension crash
* CVE-2008-2362 - RENDER Extension memory corruption
* CVE-2008-1379 - MIT-SHM arbitrary memory read
* CVE-2008-1377 - RECORD and Security extensions memory corruption
-------------------------------------------------------------------
Tue May 27 17:51:32 CEST 2008 - sndirsch@suse.de
- xserver-mode-fuzzy-check.diff
* Make mode checking more tolerant like in pre-RandR times.
-------------------------------------------------------------------
Mon May 26 19:27:39 CEST 2008 - sndirsch@suse.de

View File

@ -12,7 +12,7 @@
Name: xorg-x11-server
%define dirsuffix 1.4.0.90
%define dirsuffix 1.4.2
%define fglrx_driver_hack 0
%define vnc 1
BuildRequires: Mesa-devel fontconfig-devel freetype2-devel ghostscript-library glitz-devel libdrm-devel pkgconfig xorg-x11 xorg-x11-devel xorg-x11-libICE-devel xorg-x11-libSM-devel xorg-x11-libX11-devel xorg-x11-libXau-devel xorg-x11-libXdmcp-devel xorg-x11-libXext-devel xorg-x11-libXfixes-devel xorg-x11-libXmu-devel xorg-x11-libXp-devel xorg-x11-libXpm-devel xorg-x11-libXprintUtil-devel xorg-x11-libXrender-devel xorg-x11-libXt-devel xorg-x11-libXv-devel xorg-x11-libfontenc-devel xorg-x11-libxkbfile-devel xorg-x11-proto-devel xorg-x11-xtrans-devel
@ -22,7 +22,7 @@ BuildRequires: libjpeg-devel
Url: http://xorg.freedesktop.org/
%define EXPERIMENTAL 0
Version: 7.3
Release: 106
Release: 112
License: X11/MIT
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Group: System/X11/Servers/XF86_4
@ -86,7 +86,6 @@ Patch69: xserver-mode-fuzzy-check.diff
Patch72: randr12-8d230319040f0a7f72231da2bf5ec97dc3612e21.diff
Patch77: fbdevhw.diff
Patch79: edit_data_sanity_check.diff
Patch81: xserver-1.3.0-xkb-and-loathing.patch
Patch83: ia64linuxPciInit.diff
Patch84: commit-feac075.diff
Patch85: commit-29e0e18.diff
@ -96,20 +95,12 @@ Patch88: commit-f6401f9.diff
Patch89: commit-184e571.diff
Patch90: commit-fa19e84.diff
Patch91: commit-f7dd0c7.diff
Patch92: remove_bogus_modeline.diff
Patch93: pixman.diff
Patch94: CVE-2007-5760-xf86misc.diff
Patch95: CVE-2007-6427-xinput.diff
Patch96: CVE-2007-6428-TOG-cup.diff
Patch97: CVE-2007-6429-shm_evi.diff
Patch98: CVE-2008-0006-pcf_font.diff
Patch99: commit-50e80c3.diff
Patch100: commit-a6a7fad.diff
Patch101: zap_warning_xserver.diff
Patch102: xorg-server-1.4-vnc-memory.diff
Patch103: confine_to_shape.diff
Patch104: bitmap_always_unscaled.diff
Patch105: commit-37b1258.diff
Patch106: randr1_1-sig11.diff
Patch107: XAANoOffscreenPixmaps.diff
Patch108: xkb_action.diff
@ -236,7 +227,6 @@ popd
%patch72 -p1
%patch77
%patch79 -p1
%patch81 -p1
%patch83
%patch84 -p1
%patch85 -p1
@ -246,19 +236,11 @@ popd
%patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93
%patch94 -p1
%patch95 -p1
%patch96 -p1
%patch97 -p1
%patch98 -p1
%patch99 -p1
%patch100 -p1
%patch101 -p1
%patch103
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p0
%patch108 -p1
@ -383,6 +365,12 @@ install -m 644 $RPM_SOURCE_DIR/modprobe.nvidia $RPM_BUILD_ROOT/etc/modprobe.d/nv
rm $RPM_BUILD_ROOT/mfb.h
%endif
%endif
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services
cat > $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/%{name} << EOF
## Name: VNC Server
## Description: Opens ports for VNC Server
TCP="5801 5901"
EOF
%clean
rm -rf "$RPM_BUILD_ROOT"
@ -566,10 +554,47 @@ exit 0
%files -n xorg-x11-Xvnc
%defattr(-, root, root)
/etc/sysconfig/SuSEfirewall2.d/services/%{name}
/usr/bin/Xvnc
%endif
%changelog
* Fri Jun 13 2008 sndirsch@suse.de
- xorg-x11-Xvnc: added meta file for SuSEfirewall2 (bnc #398855)
* Wed Jun 11 2008 sndirsch@suse.de
- xorg-server 1.4.2
* CVE-2008-2360 - RENDER Extension heap buffer overflow
* CVE-2008-2361 - RENDER Extension crash
* CVE-2008-2362 - RENDER Extension memory corruption
* CVE-2008-1377 - RECORD and Security extensions memory corruption
* CVE-2008-1379 - MIT-SHM arbitrary memory read
- obsoletes bfo-bug15222.diff
* Wed Jun 11 2008 sndirsch@suse.de
- xorg-server 1.4.1
* Contains a few security and input fixes, some memory leak
fixes, and a few misc bits.
* obsolete patches:
- CVE-2007-5760-xf86misc.diff
- CVE-2007-6427-xinput.diff
- CVE-2007-6428-TOG-cup.diff
- CVE-2007-6429-shm_evi.diff
- CVE-2008-0006-pcf_font.diff
- commit-37b1258.diff
- commit-a6a7fad.diff
- remove_bogus_modeline.diff
- xserver-1.3.0-xkb-and-loathing.patch
* adjusted patches
- xorg-server-1.4-vnc.patch
* Fri Jun 06 2008 sndirsch@suse.de
- bfo-bug15222.diff (bfo #15222, bnc #374318)
* CVE-2008-2360 - RENDER Extension heap buffer overflow
* CVE-2008-2361 - RENDER Extension crash
* CVE-2008-2362 - RENDER Extension memory corruption
* CVE-2008-1379 - MIT-SHM arbitrary memory read
* CVE-2008-1377 - RECORD and Security extensions memory corruption
* Tue May 27 2008 sndirsch@suse.de
- xserver-mode-fuzzy-check.diff
* Make mode checking more tolerant like in pre-RandR times.
* Mon May 26 2008 sndirsch@suse.de
- fix-dpi-values.diff
* fixes DPI values for RANDR 1.2 capable drivers (bnc #393001)

View File

@ -1,36 +0,0 @@
--- xorg-server-1.3.0.0/os/utils.c.jx 2007-04-25 13:28:05.000000000 -0400
+++ xorg-server-1.3.0.0/os/utils.c 2007-04-30 14:33:04.000000000 -0400
@@ -1725,6 +1725,8 @@
int pid;
} *pidlist;
+static sighandler_t old_alarm = NULL; /* XXX horrible awful hack */
+
pointer
Popen(char *command, char *type)
{
@@ -1746,11 +1748,15 @@
return NULL;
}
+ /* Ignore the smart scheduler while this is going on */
+ old_alarm = signal(SIGALRM, SIG_IGN);
+
switch (pid = fork()) {
case -1: /* error */
close(pdes[0]);
close(pdes[1]);
xfree(cur);
+ signal(SIGALRM, old_alarm);
return NULL;
case 0: /* child */
if (setgid(getgid()) == -1)
@@ -1926,6 +1932,8 @@
/* allow EINTR again */
OsReleaseSignals ();
+ signal(SIGALRM, old_alarm);
+
return pid == -1 ? -1 : pstat;
}

View File

@ -1,35 +1,42 @@
commit 45cc03726b49f6ad4afe6c3fb4ad65d1051928b4
Author: Matthias Hopf <mhopf@suse.de>
Date: Thu Oct 11 18:23:25 2007 +0200
Make mode checking more tolerant like in pre-RandR times.
diff --git a/hw/xfree86/modes/xf86Modes.c b/hw/xfree86/modes/xf86Modes.c
index ea9f85b..0ead704 100644
index f49c292..9981789 100644
--- a/hw/xfree86/modes/xf86Modes.c
+++ b/hw/xfree86/modes/xf86Modes.c
@@ -389,8 +389,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn,
@@ -389,8 +389,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn, DisplayModePtr modeList,
bad = TRUE;
for (i = 0; i < mon->nHsync; i++) {
- if (xf86ModeHSync(mode) >= mon->hsync[i].lo &&
- xf86ModeHSync(mode) <= mon->hsync[i].hi)
+ if (xf86ModeHSync(mode) >= mon->hsync[i].lo - .5 &&
+ xf86ModeHSync(mode) <= mon->hsync[i].hi + .5)
+ if (xf86ModeHSync(mode) >= mon->hsync[i].lo * (1-SYNC_TOLERANCE) &&
+ xf86ModeHSync(mode) <= mon->hsync[i].hi * (1+SYNC_TOLERANCE))
{
bad = FALSE;
}
@@ -400,8 +400,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn,
@@ -400,8 +400,8 @@ xf86ValidateModesSync(ScrnInfoPtr pScrn, DisplayModePtr modeList,
bad = TRUE;
for (i = 0; i < mon->nVrefresh; i++) {
- if (xf86ModeVRefresh(mode) >= mon->vrefresh[i].lo &&
- xf86ModeVRefresh(mode) <= mon->vrefresh[i].hi)
+ if (xf86ModeVRefresh(mode) >= mon->vrefresh[i].lo - .5 &&
+ xf86ModeVRefresh(mode) <= mon->vrefresh[i].hi + .5)
+ if (xf86ModeVRefresh(mode) >= mon->vrefresh[i].lo * (1-SYNC_TOLERANCE) &&
+ xf86ModeVRefresh(mode) <= mon->vrefresh[i].hi * (1+SYNC_TOLERANCE))
{
bad = FALSE;
}
@@ -434,7 +434,7 @@ xf86ValidateModesClocks(ScrnInfoPtr pScr
@@ -434,7 +434,8 @@ xf86ValidateModesClocks(ScrnInfoPtr pScrn, DisplayModePtr modeList,
for (mode = modeList; mode != NULL; mode = mode->next) {
Bool good = FALSE;
for (i = 0; i < n_ranges; i++) {
- if (mode->Clock >= min[i] && mode->Clock <= max[i]) {
+ if (mode->Clock >= min[i] - .5 && mode->Clock <= max[i] + .5) {
+ if (mode->Clock >= min[i] * (1-SYNC_TOLERANCE) &&
+ mode->Clock <= max[i] * (1+SYNC_TOLERANCE)) {
good = TRUE;
break;
}