Accepting request 64441 from X11:XOrg

Accepted submit request 64441 from user sndirsch

OBS-URL: https://build.opensuse.org/request/show/64441
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xorg-x11-server?expand=0&rev=206

Replace-malloc-with-calloc-to-initialize-the-buffers.patch

@@ -0,0 +1,34 @@
+From a73c28f0bdafb1c5cb8129179188a99c0ca052e2 Mon Sep 17 00:00:00 2001
+From: Justin Dou <Justin.Dou@intel.com>
+Date: Thu, 10 Feb 2011 16:27:29 -0500
+Subject: [PATCH] Replace malloc with calloc to initialize the buffers[] as NULL in do_get_buffers function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The calling for allocate_or_reuse_buffer may fail due to some reason, e.g. out of memory.
+If the buffers[] were not initialized to be NULL, the following err_out may try to access an illegal memory, which will cause X crash afterward.
+
+Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
+Signed-off-by: Justin Dou <Justin.Dou@intel.com>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ hw/xfree86/dri2/dri2.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
+index 39996f9..9ca378f 100644
+--- a/hw/xfree86/dri2/dri2.c
++++ b/hw/xfree86/dri2/dri2.c
+@@ -403,7 +403,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
+ 	&& (pDraw->height == pPriv->height)
+ 	&& (pPriv->serialNumber == DRI2DrawableSerial(pDraw));
+ 
+-    buffers = malloc((count + 1) * sizeof(buffers[0]));
++    buffers = calloc((count + 1), sizeof(buffers[0]));
+ 
+     for (i = 0; i < count; i++) {
+ 	const unsigned attachment = *(attachments++);
+-- 
+1.7.4.1
+

record-avoid-crash-when-calling-RecordFlushReplyBuff.patch

@@ -0,0 +1,70 @@
+From 0801afbd7c2c644c672b37f8463f1a0cbadebd2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?= <erkki.seppala@vincit.fi>
+Date: Thu, 10 Feb 2011 15:35:14 +0200
+Subject: [PATCH] record: avoid crash when calling RecordFlushReplyBuffer recursively
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RecordFlushReplyBuffer can call itself recursively through
+WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts
+when the recording client's buffer cannot be completely emptied in one
+WriteClient. When a such a recursion occurs, it will not be broken out
+of which results in segmentation fault when the stack is exhausted.
+
+This patch adds a counter (a flag, really) that guards against this
+situation, to break out of the recursion.
+
+One alternative to this change would be to change _CallCallbacks to
+check the corresponding counter before the callback loop, but that
+might affect existing behavior, which may be relied upon.
+
+Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
+Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ record/record.c |    6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index 6a93d7a..facaebb 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -77,6 +77,7 @@ typedef struct {
+     char	bufCategory;	   /* category of protocol in replyBuffer */
+     int		numBufBytes;	   /* number of bytes in replyBuffer */
+     char	replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */
++    int		inFlush;           /*  are we inside RecordFlushReplyBuffer */
+ } RecordContextRec, *RecordContextPtr;
+ 
+ /*  RecordMinorOpRec - to hold minor opcode selections for extension requests
+@@ -245,8 +246,9 @@ RecordFlushReplyBuffer(
+     int len2
+ )
+ {
+-    if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone) 
++    if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone || pContext->inFlush)
+ 	return;
++    ++pContext->inFlush;
+     if (pContext->numBufBytes)
+ 	WriteToClient(pContext->pRecordingClient, pContext->numBufBytes,
+ 		      (char *)pContext->replyBuffer);
+@@ -255,6 +257,7 @@ RecordFlushReplyBuffer(
+ 	WriteToClient(pContext->pRecordingClient, len1, (char *)data1);
+     if (len2)
+ 	WriteToClient(pContext->pRecordingClient, len2, (char *)data2);
++    --pContext->inFlush;
+ } /* RecordFlushReplyBuffer */
+ 
+ 
+@@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client)
+     pContext->numBufBytes = 0;
+     pContext->pBufClient = NULL;
+     pContext->continuedReply = 0;
++    pContext->inFlush = 0;
+ 
+     err = RecordRegisterClients(pContext, client,
+ 				(xRecordRegisterClientsReq *)stuff);
+-- 
+1.7.4.1
+

xorg-x11-server.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Mar 17 16:55:16 UTC 2011 - sndirsch@novell.com
+
+- Replace-malloc-with-calloc-to-initialize-the-buffers.patch
+  * Replace malloc with calloc to initialize the buffers[] as NULL
+    in do_get_buffers function (bnc #673595)
+
+-------------------------------------------------------------------
+Thu Mar 17 13:35:55 UTC 2011 - sndirsch@novell.com
+
+- record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+  * record: avoid crash when calling RecordFlushReplyBuffer
+    recursively (bnc #673575) 
+
 -------------------------------------------------------------------
 Sat Feb 26 10:52:15 UTC 2011 - devel@navlost.eu
 

xorg-x11-server.spec

@@ -122,6 +122,8 @@ Patch222:       sync-fix.patch
 Patch223:       use-last-screen.patch
 Patch224:       pad-size-of-system-memory-copy-for-1x1-pixmaps
 Patch225:       xorg-server-stop-cpu-eating.diff
+Patch226:       record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+Patch227:       Replace-malloc-with-calloc-to-initialize-the-buffers.patch
 %if %moblin
 Patch300:       moblin-use_preferred_mode_for_all_outputs.diff
 %endif
@@ -255,6 +257,8 @@ popd
 %patch223 -p1
 %patch224 -p1
 %patch225 -p1
+%patch226 -p1
+%patch227 -p1
 %if %moblin
 %patch300 -p1
 %endif