Commit Graph

8847 Commits

Author SHA1 Message Date
Matthieu Herrb
03ff880e8b Fix CVE-2011-4029: File permission change vulnerability.
Use fchmod() to change permissions of the lock file instead
of chmod(), thus avoid the race that can be exploited to set
a symbolic link to any file or directory in the system.

Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b67581cf82)
(cherry picked from commit 12f65819ff)
2011-10-21 20:43:22 +02:00
Matthieu Herrb
3394ae378d Fix CVE-2011-4028: File disclosure vulnerability.
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it points to an existing
file.

Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ba44b91e3)
(cherry picked from commit f80d233578)
2011-10-21 20:43:19 +02:00
Julien Cristau
656307e93a glx: Work around wrong request lengths sent by mesa
mesa used to send too long requests for GLXDestroyPixmap,
GLXDestroyWindow, GLXChangeDrawableAttributes, GLXGetDrawableAttributes
and GLXGetFBConfigsSGIX.

Fixes a regression introduced in ec9c97c6bf
X.Org bug#33324 <https://bugs.freedesktop.org/show_bug.cgi?id=33324>

Reported-by: xunx.fang@intel.com
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 402b329c3a)
2011-10-21 20:37:51 +02:00
Julien Cristau
c821bd84e5 glx: fix BindTexImageEXT length check
The request is followed by a list of attributes.

X.Org bug#33449

Reported-and-tested-by: meng <mengmeng.meng@intel.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 1137c11be0)
2011-10-21 20:37:51 +02:00
Julien Cristau
5b76d710d3 glx: fix request length check for CreateGLXPbufferSGIX
The request is followed by an attribute list.

Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit a883cf1545)
2011-10-21 20:37:51 +02:00
Julien Cristau
7ed56f793f glx: validate numAttribs field before using it
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit d9225b9602)
2011-10-21 20:37:51 +02:00
Julien Cristau
4f6ee6177c glx: swap the request arrays entirely, not just half of them
Various glx requests include a list of pairs of attributes.  We were
only swapping the first half.

Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 62319e8381)
2011-10-21 20:37:51 +02:00
Julien Cristau
00130263a2 glx: check request length before swapping
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 6c69235a9d)
2011-10-21 20:37:51 +02:00
Julien Cristau
6ff0bcfcc0 glx: validate request lengths
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry-picked from commit ec9c97c6bf)
2011-10-21 20:37:51 +02:00
Jeremy Huddleston
94458a6e09 XQuartz GL: Add $(GL_CFLAGS) to CFLAGS
This fixes a build failure I found on tinderbox.

Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
(cherry picked from commit f641e4b34a)

Conflicts:

	hw/xquartz/GL/Makefile.am

Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-03-13 15:10:00 -07:00
Benjamin Tissoires
ee8664ee85 xf86ScaleAxis: support for high resolution devices
High resolution devices were generating integer overflow.
For instance the wacom Cintiq 21UX has an axis value up to
87000. Thus the term (dSx * (Cx - Rxlow)) is greater than
MAX_INT32.

Using 64-bit integers avoids such problems.

Signed-off-by: Philippe Ribet <ribet@cena.fr>
Signed-off-by: Benjamin Tissoires <tissoire@cena.fr>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit a780e5b363)
2011-03-07 10:44:05 +01:00
Julien Cristau
01bc98e313 glx: make sure screen is non-negative in validGlxScreen
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 3f0d3f4d97)
2011-02-15 16:05:03 +01:00
Julien Cristau
d77ffa918b Revert "randr: check for virtual size limits before set crtc"
Apparently these checks break rotation with the nvidia drivers:
https://bbs.archlinux.org/viewtopic.php?pid=877761
http://bugs.debian.org/611619
Let's not do that in a stable branch.

This reverts commit 6a6d907e77.

Signed-off-by: Julien Cristau <jcristau@debian.org>
2011-01-31 14:14:47 +01:00
Peter Hutterer
5549d99acb mi: handle DGA subtypes when determining the master device.
The subtype in the DGA event is the core type and all ET_ event types (where
applicable) are identical to the core types. Thus the switch statement below
will work as required and assign the right master device.

Fixes a crasher bug on keyboard devices with valuators. If a device sends a
motion event while grabbed and a DGA client is active (but has not selected
input through DGA), the valuator event is posted through the VCK and
eventually results in a NULL-pointer dereference on dev->valuator.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 31ab9f8860)
(cherry picked from commit faecab3b13)
2011-01-12 10:17:46 +01:00
Ville Syrjälä
2fd67c3454 xfree86/modes: Take rotation into account when checking mode size
Assume that a mode can be used in either landscape or portrait
orientation. I suppose the correct thing to do would be to
collect all the supported rotations from the CRTCs that can be used
with a specific output, but that information doesn't seem to be
readily available when these checks are done. So just assume that
either orientation is fine.

Signed-off-by: Ville Syrjälä <ville.syrjala@nokia.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 2e781457d4)
(cherry picked from commit aec278eb65)
2011-01-10 15:20:32 +01:00
Tiago Vignatti
6a6d907e77 randr: check for virtual size limits before set crtc
Return an error if the screen is configured to an invalid size.

Signed-off-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit d1107918d4)
2011-01-10 15:19:34 +01:00
Michel Dänzer
5b979a13df EXA: Fix crash with fill using 1x1 tile of depth < 8 (bug #24703).
Fixes http://bugs.freedesktop.org/show_bug.cgi?id=24703 .

Signed-off-by: Michel Dänzer <daenzer@vmware.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit e06fa80400)
2011-01-10 15:16:45 +01:00
Jörn Horstmann
561afd799f Add EDID quirk for HP Compaq nc8430.
Like some other LPL panels, this one reports the vertical size in cm rather
than mm.
Patch taken from Launchpad bug #380009 <https://launchpad.net/bugs/380009>

X.Org Bug 28414 <https://bugs.freedesktop.org/show_bug.cgi?id=28414>

Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 4b88c7be8d)
2011-01-10 15:16:39 +01:00
Adam Jackson
cd82012d5d x86emu: Fix more mis-decoding of the data prefix
cc2c73ddcb4370a7c3ad439cda4da825156c26c9's three-cent titanium tax
doesn't go too far enough.  Fix the rest of the call and jmp
instructions to handle the data prefix correctly.

Reference: Intel 64 and IA-32 Architectures Software Developer's Manual
Volume 2A: Instruction Set Reference, A-M

http://www.intel.com/Assets/PDF/manual/253666.pdf

Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit bb18f27715)
2011-01-09 11:54:29 +01:00
Luc Verhaegen
2194c381c8 x86emu: fix jump_near_IMM to handle DATA: flag correctly.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=24348

Before (data flag ignored -> broken):
66                  DATA:
e944f1              JMP       1ff6

After (fixed):
66                  DATA:
e944f1ffff          JMP       00001ff8

This subtle difference in the length of decoded instruction meant
that the VBE call jumped to the routine setting AX=0x14F (VBE Failed)
instead of the routine that set AX=0x4F (VBE success).

The ability to run the same code in vm86 significantly aided the
debugging of this issue. Those X.org developers who would like to drop
vm86 better take special care towards _all_ vesa bugs, as those will
expose further issues.

Patch applies easily to even xserver 1.4.2.

Signed-off-by: Luc Verhaegen <libv@skynet.be>
Tested-by: Luc Verhaegen <libv@skynet.be>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit cc2c73ddcb)
2011-01-09 11:54:21 +01:00
James Jones
c038d008e4 Add and use SERVER_SYNC_*_VERSION
Most extensions have a version defined
in the protocol headers, and also in the
server's protocol-versions.h.  The latter
defines which version the server advertises
support for.  Sync wasn't included in
protocol-versions.h, and was advertising
support for whatever was in the protocol
headers the server was built against.

Signed-off-by: James Jones <jajones@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 27593eea7e)
2011-01-02 13:09:36 +01:00
Andrea Canciani
472163b7f3 render: Fix byteswapping of gradient stops
The function swapStops repeatedly swaps the color components as
CARD16, but incorrectly steps over them as if they were CARD32.

This causes half of the stops not to be swapped at all and some
unrelated data be swapped instead.

Signed-off-by: Andrea Canciani <ranma42@gmail.com>
Reviewed-by: Soren Sandmann <sandmann@daimi.au.dk>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit dab064fa5e)
2010-12-03 11:32:12 +01:00
Cyril Brulebois
6f7f3e2b79 Fix screen number checks.
screenInfo.numScreens is not a valid screen number, they go from 0 to
numScreens - 1.

Signed-off-by: Cyril Brulebois <kibi@debian.org>
Reviewed-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 279ef1ffd7)
2010-12-01 23:49:36 +01:00
Julien Cristau
bcab9213fb DGA: fix screen number check
screenInfo.numScreens is not a valid screen number, they go from 0 to
numScreens - 1.

Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 8684543021)
2010-12-01 23:49:31 +01:00
Bill Nottingham
f86265529b xfree86: store the screen's gamma information on init.
This fixes a gamma issue on vt switch observed with KDM. VT switching away
and back would result in a black screen. Avoid this by storing the current
gamma information on init.

https://bugzilla.redhat.com/show_bug.cgi?id=533217

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 566d09a5cd)
2010-12-01 23:48:26 +01:00
Adam Jackson
333a635591 xfree86: apply gamma settings on EnterVT.
When entering the VT, re-apply the saved gamma settings for each screen.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit c050aa2f5f)
2010-12-01 23:48:19 +01:00
Peter Hutterer
c9bca39848 Xi: move property reset from extension shutdown to init.
If any part of the stack calls XIGetKnownProperty during device shutdown
the property is re-initialized before the server generation resets, leaving
the value invalid again.

Move the reset to the extension init which happens before input devices are
initialized before the first property is requested.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 5cd11d2356)
2010-11-14 00:35:06 +01:00
Peter Hutterer
266dc682f6 Xi: reset the known properties at the end of the server generation.
Properties allocated through XIGetKnownProperty() aren't reset on the second
server generation but keep the old value. As a result, wrong Atoms are
supplied to the driver, resulting in potential data corruption or weird
error message.

Reproducible by running "xlsatom | grep FLOAT" twice on a plain X server.
The second X server generation won't have the FLOAT atom defined anymore,
despite the users of this atom not noticing any errors.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 9802839d35)
2010-11-14 00:35:06 +01:00
Adam Jackson
240e7c50ce ddc: Don't probe for DDC/CI or EEPROM
For whatever reason, some (broken) monitors will crash if you do this.
We're not actually using this information for anything, so let's just
not do it.

Originally reported as http://bugzilla.redhat.com/620333

Reviewed-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit d2064fbb68)
2010-11-14 00:35:03 +01:00
Dirk Wallenstein
d7c2f764b3 xkb: Fix omissions in geometry initialization #27679
_XkbCopyGeom did not copy all of the data from the source geometry. This
resulted in failures when trying to obtain the keymap from a server
where the default geometry has not been replaced by a custom
configuration.

Signed-off-by: Dirk Wallenstein <halsmit@t-online.de>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bac1c5f1be)
2010-11-11 13:19:23 +01:00
Alan Coopersmith
8981b0a99c Don't coredump on "X -showopts" (bug 25874)
Don't try walking the xf86ConfigLayout.screens table if it's empty
https://bugs.freedesktop.org/show_bug.cgi?id=25874

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit b8615d5927)
2010-11-11 13:16:10 +01:00
Nicolas George
a3e6e599f5 Change keyboard controls on slave keyboards (#27926)
Makes the use of IsMaster in ProcChangeKeyboardControl consistent with other
similar loops.

Signed-off-by: Nicolas George <nicolas.george@normalesup.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 968a79dcf5)
2010-11-11 13:14:58 +01:00
Ben Skeggs
48407d86e3 randr: prevent an unnecessary screen resize with multiple displays
crtc->{x,y} is always 0 when xf86DefaultScreenLimits() is called, so we
calculate too small an area for the initial framebuffer and force a resize
to happen.

This commit fixes the code to use desired{X,Y} instead, which contains the
initial output positions.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit f7af00e9f0)
2010-11-11 13:09:25 +01:00
Peter Hutterer
a6374668bd Xi: don't copy the modifier key count when copying device classes (#25480)
The modifier key count is maintained by the XKB layer and
increased/decreased for all modifiers that set state.

Test case, MD/SD modifier key count in comment:
1. keyboard 1: press and hold Shift_L    # SD:1     MD:1
2. keyboard 2: press and release Shift_L # SD:1,0   MD:1,0
<class copy happens>                     # SD:1     MD:1
3. keyboard 1: release Shift_L           # SD:0     MD:1
4. keyboard 1: press and release Shift_L # SD:1,0   MD:2,1

The modifier is now logically down on the MD but not on keyboard 1 or
keyboard 2.

XKB is layered in before the DIX, it increases/decreases the modifier key
count accordingly. In the above example, during (2), the MD gets the key
release and thus clears the modifier bit. (3) doesn't forward the release to
the MD because it is already cleared. The copy of modifierKeysDown when the
lastSlave changes however increases the counter for the held key. On (4),
the press and release are both forwarded to the MD, causing an offset by 1
and thus do not clear the logical modifier state.

X.Org Bug 25480 <http://bugs.freedesktop.org/show_bug.cgi?id=25480>

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Daniel Stone <daniel@fooishbar.org>
(cherry picked from commit dc614484f9)
2010-11-11 12:56:35 +01:00
Dave Airlie
6892697640 rotation: fix cursor and overlap of one pixel.
Commit 77c7a64e88 was introduced to fix
a cursor off by one on Intel hw, however it also moved the whole crtc
into an off by one position and you could see gnome-shell overlapping.

This commit reverts that and instead fixes the cursor hotspot
translation to work like pixman does. We add 0.5 to the cursor vector
before translating, and floor the value afterwards.

Thanks to Soeren (ssp) for pointing out where the real problem was
after explaining how pixman translates points.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 80d1a548d6)
2010-11-11 12:52:41 +01:00
Peter Hutterer
06fda4d3c8 Revert "dix: use the event mask of the grab for TryClientEvents."
Behaviour of earlier X servers was to deliver the ButtonPress event
unconditionally, regardless of the actual event mask being set. This is
documented in the protocol:
"This request establishes a passive grab.  In the future, the pointer is
actively grabbed as described in GrabPointer, the last-pointer-grab time is
set to the time at which the button was pressed (as transmitted in the
ButtonPress event), and the ButtonPress event is reported if all of the
following conditions are true:
    <list of conditions, event mask is not one of them>"

Thus, a GrabButton event will always deliver the button press event, a
GrabKey always the key press event, etc. Same goes for XI and XI2.

Reproducible with a simple client requesting a button grab in the form of:
    XGrabButton(dpy, AnyButton, AnyModifier, win, True, ButtonReleaseMask,
                GrabModeAsync, GrabModeAsync, None, None);

On servers before MPX/XI2, the client will receive a button press and
release event. On current servers, the client receives only the release.
Clients that expect the press event to be delivered unconditionally.

XTS Xlib13 XGrabButton 5/39 now passes.

This reverts commit 48585bd1e3.
Effectively reverts commit 1c612acca8 as well,
the code introduced with 1c612 is not needed anymore.

Conflicts:

	dix/events.c

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 1884db430a)
2010-11-11 12:50:20 +01:00
Joe Shaw
2fce4783f4 fix a sign problem with valuator data.
Without this patch, any negative valuator value is wrong when returned
from XQueryDeviceState().  This is a regression from at least xserver
1.4.

Valuator data is set in dix/getevents.c:set_valuators() by copying
signed int values into an unsigned int field
DeviceEvent.valuators.data.

That data is converted into a double with an implicit cast by
assignment to axisVal[i] in Xi/exevents.c:UpdateDeviceState().

That double is converted back to a signed int in
queryst.c:ProcXQueryDeviceState().  If the original value in
set_valuators() is negative, the double value will be > 2^31 and the
conversion back to a signed int is undefined.  (Although I
consistently see the value -2^31.)

Fix this by changing the definition of DeviceEvent.valuators.data from
uint32_t to int32_t.

Signed-off-by: Joe Shaw <joeshaw@litl.com>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit e354ccac36)
2010-11-11 12:38:06 +01:00
Adam Jackson
9d939ea0f4 dix: Default DPMS timeout values to match screensaver values
These have the same default, but if you specify something different with
-s on the command line, only the screensaver time is changed.  As DPMS
is usually what's desired, change it to match.

Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 2a763c9023)
2010-11-11 12:35:09 +01:00
Aaron Plattner
0ca9f07f73 os: Return BadLength instead of disconnecting BigReq clients (#4565)
If a client sends a big request that's too big (i.e. bigger than
maxBigRequestSize << 2 bytes), the server just disconnects it.  This makes the
client receive SIGPIPE the next time it tries to send something.

The X Test Suite sends requests that are too big when the test specifies the
TOO_LONG test type.  When the client receives SIGPIPE, XTS marks it as
UNRESOLVED, which counts as a failure.

Instead, remember how long the request is supposed to be and then return that
size.  Dispatch() checks the length and sends BadLength to the client.  Then,
whenever oci->ignoreBytes is nonzero, ignore the data read instead of trying to
process it as a request.

Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit cf88363db0)
2010-09-30 16:23:13 -07:00
Keith Packard
3336e1f7f3 Unwrap/rewrap EnterVT/LeaveVT completely, Fixes 28998
Because some EnterVT code needs to remove itself from the
call chain, we need to fix all of the wrappers to correctly
unwrap/rewrap during the call chain. This is a follow-on to the fix
for bug 27114 in commit 68a9ee8370.

Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Jesse Barnes <jesse.barnes@intel.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
(cherry picked from commit d75e8146c4, and
conflict from b618705 fixed up)
Signed-off-by: Julien Cristau <jcristau@debian.org>
2010-09-08 18:42:57 +02:00
Keith Packard
3fabfc198b Clean up RandR12 bits on screen close (bug 27114)
When resetting the server, pScrn->EnterVT must be unwrapped or the
next server generation will end up wrapping the wrapper and causing an
infinite recursion on EnterVT.

Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Michael Stapelberg <michael+freedesktop@stapelberg.de>
(cherry picked from commit 68a9ee8370)
2010-09-04 11:43:20 +02:00
Alan Coopersmith
4c313472c4 Xserver(1) man page updates
- Note that -br is now default.
- Move -bs after -br for alphabetical ordering.
- Remove -config option that's been hidden in "ignore" section,
  since ajax removed the -config code a couple years back.
- Add -nocursor option.
- Add xinput & xrandr to list of runtime server control programs
- Replace XDarwin with Xquartz in list of Xservers

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 7b09335a46)
2010-08-21 14:10:01 -07:00
Simon Farnsworth
7787526a71 Don't crash when asked if a client that has disconnected was local
ProcDRI2Dispatch uses LocalClient to determine if it's safe to respond
to a client that has made DRI2 requests which aren't sensible for
remote clients (anything but version). When the client has disappeared
mid-request stream (e.g. as a result of a kill -9, or a client-side
bug), LocalClient causes the X server to follow suit, as
((OsCommPtr)client->osPrivate)->trans_conn is NULL at this point.

The simple and obvious fix is to just return "not local" when
trans_conn is NULL, which fixes the crash I was seeing; however Keith
Packard pointed out that just checking trans_conn isn't enough;
quoting Keith:

"This looks almost right to me -- I reviewed the os code to see when
_XSERVTransClose is called (which is what frees the trans_conn data) and
found that every place which called that immediately set trans_conn to
NULL, except for the call in CloseDownFileDescriptor which is only
called from CloseDownConnection and which is immediately followed by
freeing the OsCommRec and setting client->osPrivate to NULL. So, I'd
suggest checking client->osPrivate in addition to the above check."

Signed-off-by: Simon Farnsworth <simon.farnsworth@onelan.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 660f6ab549)
2010-08-21 14:01:10 -07:00
Alan Coopersmith
e1cf1e88bb Fix compiler issues with getifaddrs() call on OpenSolaris
OpenSolaris recently added support for the getifaddrs() API.

Building with that uncovered two compiler issues (one warning, one error)
in the code that was now being built for the first time in our builds:

"access.c", line 768: warning: argument #1 is incompatible with prototype:
        prototype: pointer to struct sockaddr {unsigned short sa_family, array[14] of char sa_data} : "access.c", line 213
        argument : pointer to struct sockaddr_storage {unsigned short ss_family, array[6] of char _ss_pad1, double _ss_align, array[240] of char _ss_pad2}

"access.c", line 838: assignment type mismatch:
        struct sockaddr {unsigned short sa_family, array[14] of char sa_data} "=" struct sockaddr_storage {unsigned short ss_family, array[6] of char _ss_pad1, double _ss_align, array[240] of char _ss_pad2}

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
(cherry picked from commit e42a29d269)
2010-08-21 13:53:32 -07:00
Jesse Adkins
c4717321c0 xfree86: parser: Never use constant strings for driver names (fixes #17438)
When the parser sees the "keyboard" driver, it automatically (and
 silently) replaces it with the constant string "kbd".
Everybody else uses malloc'd memory for the driver name, so input
 device closure assumes it can use free.
Free val.str, so this crash doesn't turn into a memory leak. Whew.

Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit bce12f2956)
2010-08-21 13:40:50 -07:00
Keith Packard
7c54498665 fb: make isClipped always reject negative coordinates (bug 11503)
A window with either dimension > 32767 can be positioned such that
coordinates > 32767 are visible on the screen. Attempts to draw to
those pixels will generate coordinates wrapped around to negative
values.

The optimized clipping macro, 'isClipped', in fbbits.h, computes
clipping in window space rather than screen space using int16 values,
and so it too has coordinates wrapped around to negative values and
hence ends up accepting the wrapped drawing coordinates.

Two possible fixes for this problem

 1) Detect wrapped region coordinates and clip those to 32767.
 2) Detect negative incoming coordinates and reject those

This patch takes the second approach as it is much shorter, simply
detecting when either X or Y incoming coordinate is negative, which
can never be 'within' any drawable.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 3e56efcfb6)
2010-08-21 20:41:37 +01:00
Chris Wilson
f43e105ee8 edid: Adjust rounding of max_clock
A simple hack to accommodate various EDID who have detailed modes that
exceed the EDID's max pixel clock. The pixel clock is only defined in
units of 10MHz and often appears as the maximum pixel code of the
detailed modes, rounded to the nearest 10MHz. Adjusting the max_clock to
include an extra 5MHz prevents the parser from rejecting the detailed
modes.

The kernel uses the same fuzz and by including it in X we can use the
same modes in X as for the console.

Fixes:

  Bug 23833 - X uses different refresh rate to that set by kernel module
  https://bugs.freedesktop.org/show_bug.cgi?id=23833

In the future, we will want to try harder to keep the KMS modes but at
the same time we need to apply the restrictions as specified by the
user's configuration, and need to fill in modes for fullscreen games on
fixed-mode panels.

Reported-and-tested-by: Fabio Pedretti <fabio.ped@libero.it>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 951605b466)
2010-08-21 20:41:31 +01:00
Adam Jackson
d5248f0364 render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 5725849a1b)
2010-08-21 20:41:16 +01:00
Chris Wilson
845f0bb1b9 xace: Invalid reference to out-of-scope data.
The callback data passed by reference to the hook was allocated on stack
within the scope of the case statement. The compiler is free to reuse
any of that stack space whilst making the function call so we may end up
passing garbage into the callback.

References:

  Bug 18451 - Xorg server 1.5.2 SEGV during XFixesGetCursorImage()
  https://bugs.freedesktop.org/show_bug.cgi?id=18451

v2: Drop the unrelated hunk that snuck in when amending the commit
message.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 6dae7f3792)
2010-08-21 20:08:10 +01:00
Peter Hutterer
f07fc1461d xkb: fix invalid memory writes in _XkbCopyGeom.
Classic strlen/strcpy mistake of
   foo = malloc(strlen(bar));
   strcpy(foo, bar);

Testcase: valgrind Xephyr :1

==8591== Invalid write of size 1
==8591==    at 0x4A0638F: strcpy (mc_replace_strmem.c:311)
==8591==    by 0x605593: _XkbCopyGeom (xkbUtils.c:1994)
==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591==    by 0x447162: ActivateDevice (devices.c:530)
==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
==8591==    by 0x4449EE: main (main.c:254)
==8591==  Address 0x6f96505 is 0 bytes after a block of size 53 alloc'd
==8591==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==8591==    by 0x6054B7: _XkbCopyGeom (xkbUtils.c:1980)
==8591==    by 0x605973: XkbCopyKeymap (xkbUtils.c:2118)
==8591==    by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560)
==8591==    by 0x4472E2: CoreKeyboardProc (devices.c:577)
==8591==    by 0x447162: ActivateDevice (devices.c:530)
==8591==    by 0x4475D6: InitCoreDevices (devices.c:672)
==8591==    by 0x4449EE: main (main.c:254)

Reported-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by-and-apologised-for: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 7f19a7a6e9)

Conflicts:

	xkb/xkbUtils.c
(cherry picked from commit f85552aa45)

Signed-off-by: Julien Cristau <jcristau@debian.org>
2010-07-05 15:53:27 +01:00