From 6844bd2e63490870bab3c469eec6030354ef2865 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Wed, 9 Jan 2008 19:52:00 -0800
Subject: [PATCH 01/33] More Xv extension byte swapping fixes

---
 Xext/xvdisp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 17ff1d788..237ad51c0 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1532,6 +1532,7 @@ SProcXvShmPutImage(ClientPtr client)
   swapl(&stuff->gc, n);
   swapl(&stuff->shmseg, n);
   swapl(&stuff->id, n);
+  swapl(&stuff->offset, n);
   swaps(&stuff->src_x, n);
   swaps(&stuff->src_y, n);
   swaps(&stuff->src_w, n);
@@ -1540,7 +1541,6 @@ SProcXvShmPutImage(ClientPtr client)
   swaps(&stuff->drw_y, n);
   swaps(&stuff->drw_w, n);
   swaps(&stuff->drw_h, n);
-  swaps(&stuff->offset, n);
   swaps(&stuff->width, n);
   swaps(&stuff->height, n);
   return XvProcVector[xv_ShmPutImage](client);
@@ -1632,9 +1632,10 @@ SProcXvQueryImageAttributes(ClientPtr client)
   char n;
   REQUEST(xvQueryImageAttributesReq);
   swaps(&stuff->length, n);
+  swapl(&stuff->port, n);
   swapl(&stuff->id, n);
   swaps(&stuff->width, n);
-  swaps(&stuff->width, n);
+  swaps(&stuff->height, n);
   return XvProcVector[xv_QueryImageAttributes](client);
 }
 

From ec24a6b5aa732ec6999a27889d9a33cf80123886 Mon Sep 17 00:00:00 2001
From: Jeremy Huddleston <jeremy@yuffie.local>
Date: Sun, 6 Jan 2008 18:29:54 -0800
Subject: [PATCH 02/33] XQuartz: Fixed switching into XQuartz via expose.
 (cherry picked from commit 627ed60ce5d7499761028edf379ebd95250d3e04)

---
 hw/xquartz/X11Application.m | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/xquartz/X11Application.m b/hw/xquartz/X11Application.m
index 72537bb65..f68898582 100644
--- a/hw/xquartz/X11Application.m
+++ b/hw/xquartz/X11Application.m
@@ -164,7 +164,7 @@ static void message_kit_thread (SEL selector, NSObject *arg) {
 	 have it activated while X is active (unless using the old
 	 keymapping files) */
     static TSMDocumentID x11_document;
-	
+	DEBUG_LOG("state=%d, _x_active=%d, \n", state, _x_active)
     if (state) {
       QuartzMessageServerThread (kXDarwinActivate, 0);
       
@@ -314,6 +314,7 @@ static void message_kit_thread (SEL selector, NSObject *arg) {
 }
 
 - (void) set_front_process:unused {
+//    [self activateX:YES];
     QuartzMessageServerThread(kXDarwinBringAllToFront, 0);
 }
 
@@ -710,6 +711,10 @@ void X11ApplicationSetWindowMenuCheck (int idx) {
 
 void X11ApplicationSetFrontProcess (void) {
     message_kit_thread (@selector (set_front_process:), nil);
+
+    /* Hackery needed due to argv[0] hackery */
+    ProcessSerialNumber psn = { 0, kCurrentProcess };
+    SetFrontProcess(&psn);
 }
 
 void X11ApplicationSetCanQuit (int state) {

From f72255639c065d795f7767683e851b1b5b2d9480 Mon Sep 17 00:00:00 2001
From: Jeremy Huddleston <jeremy@yuffie.local>
Date: Sat, 12 Jan 2008 11:35:48 -0800
Subject: [PATCH 03/33] XQuartz: added 'login_shell' option to defaults so the
 user can choose something other than /bin/sh (cherry picked from commit
 b549cf18cebd3435d70f62855239484974c455a1)

---
 hw/xquartz/X11Application.h     | 1 +
 hw/xquartz/X11Controller.m      | 2 +-
 hw/xquartz/bundle/Makefile.am   | 2 --
 hw/xquartz/bundle/bundle-main.c | 3 ++-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/xquartz/X11Application.h b/hw/xquartz/X11Application.h
index a1be7514a..af5aea2ce 100644
--- a/hw/xquartz/X11Application.h
+++ b/hw/xquartz/X11Application.h
@@ -97,5 +97,6 @@ extern int quartzHasRoot, quartzEnableRootless;
 #define PREFS_SWAP_ALT_META         "swap_alt_meta"
 #define PREFS_XP_OPTIONS            "xp_options"
 #define PREFS_ENABLE_STEREO         "enable_stereo"
+#define PREFS_LOGIN_SHELL           "login_shell"
 
 #endif /* X11APPLICATION_H */
diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
index 6b7c35141..e13edc15d 100644
--- a/hw/xquartz/X11Controller.m
+++ b/hw/xquartz/X11Controller.m
@@ -302,7 +302,7 @@
   argv[0] = "/usr/bin/login";
   argv[1] = "-fp";
   argv[2] = getlogin();
-  argv[3] = "/bin/sh";
+  argv[3] = [X11App prefs_get_string:@PREFS_FAKE_BUTTON2 default:"/bin/sh"];
   argv[4] = "-c";
   argv[5] = command;
   argv[6] = NULL;
diff --git a/hw/xquartz/bundle/Makefile.am b/hw/xquartz/bundle/Makefile.am
index 951167002..00d540fee 100644
--- a/hw/xquartz/bundle/Makefile.am
+++ b/hw/xquartz/bundle/Makefile.am
@@ -18,8 +18,6 @@ EXTRA_DIST = \
 	Info.plist \
 	X11.icns \
 	bundle-main.c \
-	launcher-main.c \
-	server-main.c \
 	English.lproj/InfoPlist.strings \
 	English.lproj/Localizable.strings \
 	English.lproj/main.nib/classes.nib \
diff --git a/hw/xquartz/bundle/bundle-main.c b/hw/xquartz/bundle/bundle-main.c
index df78d7fb8..54d01368d 100644
--- a/hw/xquartz/bundle/bundle-main.c
+++ b/hw/xquartz/bundle/bundle-main.c
@@ -38,6 +38,7 @@
 
 #define DEFAULT_CLIENT "/usr/X11/bin/xterm"
 #define DEFAULT_STARTX "/usr/X11/bin/startx"
+#define DEFAULT_SHELL  "/bin/sh"
 
 static int execute(const char *command);
 static char *command_from_prefs(const char *key, const char *default_value);
@@ -82,7 +83,7 @@ static int execute(const char *command) {
     newargv[0] = "/usr/bin/login";
     newargv[1] = "-fp";
     newargv[2] = getlogin();
-    newargv[3] = "/bin/sh";
+    newargv[3] = command_from_prefs("login_shell", DEFAULT_SHELL);
     newargv[4] = "-c";
     newargv[5] = command;
     newargv[6] = NULL;

From 6fd4a5e2e4d0be0ba0773df831687e11e1262c72 Mon Sep 17 00:00:00 2001
From: Jeremy Huddleston <jeremy@yuffie.local>
Date: Sat, 12 Jan 2008 11:56:00 -0800
Subject: [PATCH 04/33] XQuartz: Corrected copyright X.org Project -> X.org
 Foundation (cherry picked from commit
 f21631444816fc12b8a534c2cf79e6ac6c2af7c9)

---
 hw/xquartz/bundle/Info.plist | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/xquartz/bundle/Info.plist b/hw/xquartz/bundle/Info.plist
index 5babdfe6e..6ba02dda2 100644
--- a/hw/xquartz/bundle/Info.plist
+++ b/hw/xquartz/bundle/Info.plist
@@ -27,7 +27,7 @@
 	<key>NSHumanReadableCopyright</key>
 		<string>Copyright © 2003-2008, Apple Inc.
 Copyright © 2003, XFree86 Project, Inc.
-Copyright © 2003-2008, X.org Project, Inc.
+Copyright © 2003-2008, X.org Foundation, Inc.
 </string>
 	<key>NSMainNibFile</key>
 		<string>main</string>

From 180a5aba4de3104fed8bc4e7d42a1e3a51575318 Mon Sep 17 00:00:00 2001
From: Jeremy Huddleston <jeremy@yuffie.local>
Date: Sat, 12 Jan 2008 21:24:34 -0800
Subject: [PATCH 05/33] XQuartz: Fixed copy-paste error with login_shell commit
 (cherry picked from commit 6deec3acc6f8010b5b53a1e55a0a2c4080ba69d2)

---
 hw/xquartz/X11Controller.m | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/xquartz/X11Controller.m b/hw/xquartz/X11Controller.m
index e13edc15d..d3f83656c 100644
--- a/hw/xquartz/X11Controller.m
+++ b/hw/xquartz/X11Controller.m
@@ -302,7 +302,7 @@
   argv[0] = "/usr/bin/login";
   argv[1] = "-fp";
   argv[2] = getlogin();
-  argv[3] = [X11App prefs_get_string:@PREFS_FAKE_BUTTON2 default:"/bin/sh"];
+  argv[3] = [X11App prefs_get_string:@PREFS_LOGIN_SHELL default:"/bin/sh"];
   argv[4] = "-c";
   argv[5] = command;
   argv[6] = NULL;

From e6ea3147bfb686798dac381eb8900f9f18beb88e Mon Sep 17 00:00:00 2001
From: Bernardo Innocenti <bernie@codewiz.org>
Date: Sun, 13 Jan 2008 19:50:37 -0500
Subject: [PATCH 06/33] exa: make the prototype for exaGetPixmapFirstPixel()
 public

This fixes a warning in amd_drv which is using it.

Signed-off-by: Bernardo Innocenti <bernie@codewiz.org>
---
 exa/exa.h      | 3 +++
 exa/exa_priv.h | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/exa/exa.h b/exa/exa.h
index 1ff0518e4..0774a700a 100644
--- a/exa/exa.h
+++ b/exa/exa.h
@@ -790,6 +790,9 @@ exaMoveOutPixmap (PixmapPtr pPixmap);
 void *
 exaGetPixmapDriverPrivate(PixmapPtr p);
 
+CARD32
+exaGetPixmapFirstPixel (PixmapPtr pPixmap);
+
 /**
  * Returns TRUE if the given planemask covers all the significant bits in the
  * pixel values for pDrawable.
diff --git a/exa/exa_priv.h b/exa/exa_priv.h
index de8b2f541..89f47184f 100644
--- a/exa/exa_priv.h
+++ b/exa/exa_priv.h
@@ -291,9 +291,6 @@ ExaCheckGetSpans (DrawablePtr pDrawable,
 		 int nspans,
 		 char *pdstStart);
 
-CARD32
-exaGetPixmapFirstPixel (PixmapPtr pPixmap); 
-
 /* exa_accel.c */
 
 static _X_INLINE Bool

From 1f83f40525acd3aff8f50b3c519bc1f307ff1e19 Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@linux.ie>
Date: Tue, 15 Jan 2008 10:20:50 +1000
Subject: [PATCH 07/33] xf86Cursors: fix memset for non-square cursors

---
 hw/xfree86/modes/xf86Cursors.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/xfree86/modes/xf86Cursors.c b/hw/xfree86/modes/xf86Cursors.c
index acf34c1d1..5a4d0f6fa 100644
--- a/hw/xfree86/modes/xf86Cursors.c
+++ b/hw/xfree86/modes/xf86Cursors.c
@@ -400,7 +400,7 @@ xf86_crtc_load_cursor_image (xf86CrtcPtr crtc, CARD8 *src)
 	int flags = cursor_info->Flags;
 	
 	cursor_image = xf86_config->cursor_image;
-	memset(cursor_image, 0, cursor_info->MaxWidth * stride);
+	memset(cursor_image, 0, cursor_info->MaxHeight * stride);
 	
         for (y = 0; y < cursor_info->MaxHeight; y++)
 	    for (x = 0; x < cursor_info->MaxWidth; x++) 

From 315d6a2b1d2a3de308e98d548afe780c59a784fc Mon Sep 17 00:00:00 2001
From: Tiago Vignatti <vignatti@c3sl.ufpr.br>
Date: Tue, 15 Jan 2008 02:59:56 -0200
Subject: [PATCH 08/33] Fix Xephyr compilation without GLX.

---
 configure.ac            | 2 +-
 hw/kdrive/ephyr/ephyr.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 0742040c9..566ddcbd0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1901,7 +1901,7 @@ if test "$KDRIVE" = yes; then
         XEPHYR=$xephyr
     fi
     XEPHYR_DRI=no
-    if test x$XEPHYR = xyes -a x$DRI = xyes; then
+    if test x$XEPHYR = xyes -a x$DRI = xyes && test "x$GLX" = xyes; then
         XEPHYR_DRI=yes
         XEPHYR_DRI_LIBS=-lGL
         AC_SUBST(XEPHYR_DRI_LIBS)
diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
index 2a762a2a9..c5c8a5640 100644
--- a/hw/kdrive/ephyr/ephyr.c
+++ b/hw/kdrive/ephyr/ephyr.c
@@ -635,7 +635,9 @@ ephyrInitScreen (ScreenPtr pScreen)
   if (!ephyrNoDRI && !hostx_has_dri ()) {
       EPHYR_LOG ("host x does not support DRI. Disabling DRI forwarding\n") ;
       ephyrNoDRI = TRUE ;
+#ifdef GLXEXT
       noGlxVisualInit = FALSE ;
+#endif
   }
   if (!ephyrNoDRI) {
     ephyrDRIExtensionInit (pScreen) ;

From 7a0d16ef0a103bcb25fa8a20322685f017aaf5a3 Mon Sep 17 00:00:00 2001
From: Tiago Vignatti <vignatti@c3sl.ufpr.br>
Date: Tue, 15 Jan 2008 03:27:16 -0200
Subject: [PATCH 09/33] Removed some warnings.

---
 hw/kdrive/ephyr/ephyrdriext.c |  2 +-
 hw/kdrive/ephyr/ephyrlog.h    |  4 ++--
 hw/kdrive/ephyr/hostx.c       | 20 ++++++++++----------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/hw/kdrive/ephyr/ephyrdriext.c b/hw/kdrive/ephyr/ephyrdriext.c
index b6be47f5e..1b9dce5c8 100644
--- a/hw/kdrive/ephyr/ephyrdriext.c
+++ b/hw/kdrive/ephyr/ephyrdriext.c
@@ -206,7 +206,7 @@ ephyrDRIScreenInit (ScreenPtr a_screen)
     a_screen->ClipNotify = ephyrDRIClipNotify ;
 
     is_ok = TRUE ;
-out:
+
     return is_ok ;
 }
 
diff --git a/hw/kdrive/ephyr/ephyrlog.h b/hw/kdrive/ephyr/ephyrlog.h
index 4c6435edd..71f797777 100644
--- a/hw/kdrive/ephyr/ephyrlog.h
+++ b/hw/kdrive/ephyr/ephyrlog.h
@@ -33,8 +33,8 @@
 
 #ifdef NDEBUG
 /*we are not in debug mode*/
-#define EPHYR_LOG
-#define EPHYR_LOG_ERROR
+#define EPHYR_LOG(...)
+#define EPHYR_LOG_ERROR(...)
 #endif /*NDEBUG*/
 
 #define ERROR_LOG_LEVEL 3
diff --git a/hw/kdrive/ephyr/hostx.c b/hw/kdrive/ephyr/hostx.c
index b5ffdd075..a5413b876 100644
--- a/hw/kdrive/ephyr/hostx.c
+++ b/hw/kdrive/ephyr/hostx.c
@@ -1078,16 +1078,6 @@ out:
 
 }
 
-typedef struct {
-    int is_valid ;
-    int local_id ;
-    int remote_id ;
-} ResourcePair ;
-
-#define RESOURCE_PEERS_SIZE 1024*10
-static ResourcePair resource_peers[RESOURCE_PEERS_SIZE] ;
-
-
 int
 hostx_create_window (int a_screen_number,
                      EphyrBox *a_geometry,
@@ -1259,6 +1249,16 @@ hostx_has_xshape (void)
 }
 
 #ifdef XEPHYR_DRI
+typedef struct {
+    int is_valid ;
+    int local_id ;
+    int remote_id ;
+} ResourcePair ;
+
+#define RESOURCE_PEERS_SIZE 1024*10
+static ResourcePair resource_peers[RESOURCE_PEERS_SIZE] ;
+
+
 int
 hostx_allocate_resource_id_peer (int a_local_resource_id,
                                  int *a_remote_resource_id)

From e46f6ddeccd082b2d507a1e8b57ea30e6b0a2c83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel@tungstengraphics.com>
Date: Wed, 16 Jan 2008 14:24:22 +0100
Subject: [PATCH 10/33] Yet another Xv extension byte swapping fix.

---
 Xext/xvdisp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index 237ad51c0..de0128e14 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1588,6 +1588,7 @@ SProcXvSetPortAttribute(ClientPtr client)
   swaps(&stuff->length, n);
   swapl(&stuff->port, n);
   swapl(&stuff->attribute, n);
+  swapl(&stuff->value, n);
   return XvProcVector[xv_SetPortAttribute](client);
 }
 

From a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20H=C3=B8gsberg?= <krh@redhat.com>
Date: Wed, 16 Jan 2008 20:24:11 -0500
Subject: [PATCH 11/33] Don't break grab and focus state for a window when
 redirecting it.

Composite uses an unmap/map cycle to trigger backing pixmap allocation
and cliprect recomputation when a window is redirected or unredirected.
To avoid protocol visible side effects, map and unmap events are
disabled temporarily.  However, when a window is unmapped it is also
removed from grabs and loses focus, but these state changes are not
disabled.

This change supresses the unmap side effects during the composite
unmap/map cycle and fixes this bug:

  http://bugzilla.gnome.org/show_bug.cgi?id=488264

where compiz would cause gnome-screensaver to lose its grab when
compiz unredirects the fullscreen lock window.
---
 dix/window.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dix/window.c b/dix/window.c
index 33cf76b59..1ccf12603 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -2993,7 +2993,8 @@ UnrealizeTree(
 	    } 
 #endif
 	    (* Unrealize)(pChild);
-	    DeleteWindowFromAnyEvents(pChild, FALSE);
+	    if (MapUnmapEventsEnabled(pWin))
+		DeleteWindowFromAnyEvents(pChild, FALSE);
 	    if (pChild->viewable)
 	    {
 #ifdef DO_SAVE_UNDERS

From b99a43dfe97c1813e1c61f298b1c83c5d5ca88a2 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniel@fooishbar.org>
Date: Sat, 5 Jan 2008 10:38:16 +0200
Subject: [PATCH 12/33] OS: IO: Zero out client buffers

For alignment reasons, we can write out uninitialised bytes, so allocate
the whole thing with xcalloc.
---
 os/io.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/os/io.c b/os/io.c
index 968f40a54..be89021e5 100644
--- a/os/io.c
+++ b/os/io.c
@@ -1196,7 +1196,7 @@ AllocateOutputBuffer(void)
     oco = (ConnectionOutputPtr)xalloc(sizeof(ConnectionOutput));
     if (!oco)
 	return (ConnectionOutputPtr)NULL;
-    oco->buf = (unsigned char *) xalloc(BUFSIZE);
+    oco->buf = (unsigned char *) xcalloc(1, BUFSIZE);
     if (!oco->buf)
     {
 	xfree(oco);

From 0137b0394a248f694448a7d97c9a1a3efcf24e81 Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniel@fooishbar.org>
Date: Sat, 5 Jan 2008 10:43:53 +0200
Subject: [PATCH 13/33] XKB: XkbCopyKeymap: Don't leak all the sections

Previously, we'd just keep num_sections at 0, which would break the
geometry and lead us to leak sections.  Don't do that.
---
 xkb/xkbUtils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c
index 31c1a9fa9..1fb47ed56 100644
--- a/xkb/xkbUtils.c
+++ b/xkb/xkbUtils.c
@@ -1793,6 +1793,7 @@ XkbCopyKeymap(XkbDescPtr src, XkbDescPtr dst, Bool sendNotifies)
             if (!tmp)
                 return FALSE;
             dst->geom->sections = tmp;
+            dst->geom->num_sections = src->geom->num_sections;
 
             for (i = 0,
                   ssection = src->geom->sections,

From e85130c85f727466fc27be1cfa46c88b257499fb Mon Sep 17 00:00:00 2001
From: Daniel Stone <daniel@fooishbar.org>
Date: Sat, 5 Jan 2008 10:47:39 +0200
Subject: [PATCH 14/33] Xephyr: One-time keyboard leak fix

Don't leak the originally-allocated keysym map.
---
 hw/kdrive/ephyr/ephyr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/kdrive/ephyr/ephyr.c b/hw/kdrive/ephyr/ephyr.c
index c5c8a5640..6ec95d631 100644
--- a/hw/kdrive/ephyr/ephyr.c
+++ b/hw/kdrive/ephyr/ephyr.c
@@ -1031,6 +1031,7 @@ EphyrKeyboardInit (KdKeyboardInfo *ki)
   ki->minScanCode = ki->keySyms.minKeyCode;
   ki->maxScanCode = ki->keySyms.maxKeyCode;
   ki->keySyms.mapWidth = ephyrKeySyms.mapWidth;
+  xfree(ki->keySyms.map);
   ki->keySyms.map = ephyrKeySyms.map;
   ki->name = KdSaveString("Xephyr virtual keyboard");
   ephyrKbd = ki;

From bbde5b62a137ba726a747b838d81e92d72c1b42b Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:26:41 +0100
Subject: [PATCH 15/33] Fix for CVE-2007-5760 - XFree86 Misc extension out of
 bounds array index

---
 hw/xfree86/common/xf86MiscExt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c
index c1b9c60fc..40c196a3e 100644
--- a/hw/xfree86/common/xf86MiscExt.c
+++ b/hw/xfree86/common/xf86MiscExt.c
@@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval,
 {
     ScrnInfoPtr pScr = xf86Screens[scrnIndex];
 
+    /* should check this in the protocol, but xf86NumScreens isn't exported */
+    if (scrnIndex >= xf86NumScreens)
+	return BadValue;
+
     if (*pScr->HandleMessage == NULL)
 	    return BadImplementation;
     return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr);

From dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:27:34 +0100
Subject: [PATCH 16/33] Fix for CVE-2007-6427 - Xinput extension memory
 corruption.

---
 Xi/chgfctl.c  |  7 +------
 Xi/chgkmap.c  | 14 +++++++-------
 Xi/chgprop.c  | 10 +++-------
 Xi/grabdev.c  | 12 +++++-------
 Xi/grabdevb.c | 10 +++-------
 Xi/grabdevk.c |  9 ++-------
 Xi/selectev.c | 11 ++++-------
 Xi/sendexev.c | 14 ++++++++------
 8 files changed, 33 insertions(+), 54 deletions(-)

diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
index 8fc24d5ff..696b74a16 100644
--- a/Xi/chgfctl.c
+++ b/Xi/chgfctl.c
@@ -302,18 +302,13 @@ ChangeStringFeedback(ClientPtr client, DeviceIntPtr dev,
 		     xStringFeedbackCtl * f)
 {
     char n;
-    long *p;
     int i, j;
     KeySym *syms, *sup_syms;
 
     syms = (KeySym *) (f + 1);
     if (client->swapped) {
 	swaps(&f->length, n);	/* swapped num_keysyms in calling proc */
-	p = (long *)(syms);
-	for (i = 0; i < f->num_keysyms; i++) {
-	    swapl(p, n);
-	    p++;
-	}
+	SwapLongs((CARD32 *) syms, f->num_keysyms);
     }
 
     if (f->num_keysyms > s->ctrl.max_symbols)
diff --git a/Xi/chgkmap.c b/Xi/chgkmap.c
index 3361e9801..df334c11c 100644
--- a/Xi/chgkmap.c
+++ b/Xi/chgkmap.c
@@ -75,18 +75,14 @@ int
 SProcXChangeDeviceKeyMapping(ClientPtr client)
 {
     char n;
-    long *p;
-    int i, count;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
-    p = (long *)&stuff[1];
     count = stuff->keyCodes * stuff->keySymsPerKeyCode;
-    for (i = 0; i < count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), count);
     return (ProcXChangeDeviceKeyMapping(client));
 }
 
@@ -102,10 +98,14 @@ ProcXChangeDeviceKeyMapping(ClientPtr client)
     int ret;
     unsigned len;
     DeviceIntPtr dev;
+    unsigned int count;
 
     REQUEST(xChangeDeviceKeyMappingReq);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceKeyMappingReq);
 
+    count = stuff->keyCodes * stuff->keySymsPerKeyCode;
+    REQUEST_FIXED_SIZE(xChangeDeviceKeyMappingReq, count * sizeof(CARD32));
+
     ret = dixLookupDevice(&dev, stuff->deviceid, client, DixSetAttrAccess);
     if (ret != Success)
 	return ret;
diff --git a/Xi/chgprop.c b/Xi/chgprop.c
index 58db88620..3fb33e129 100644
--- a/Xi/chgprop.c
+++ b/Xi/chgprop.c
@@ -77,19 +77,15 @@ int
 SProcXChangeDeviceDontPropagateList(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xChangeDeviceDontPropagateListReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xChangeDeviceDontPropagateListReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xChangeDeviceDontPropagateListReq,
+                      stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
     return (ProcXChangeDeviceDontPropagateList(client));
 }
 
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index 110fc6b5f..0671e0ea7 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -78,8 +78,6 @@ int
 SProcXGrabDevice(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swapl(&stuff->time, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+
+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+       return BadLength;
+    
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDevice(client));
 }
diff --git a/Xi/grabdevb.c b/Xi/grabdevb.c
index c2661e85b..ce0dcc5f9 100644
--- a/Xi/grabdevb.c
+++ b/Xi/grabdevb.c
@@ -77,8 +77,6 @@ int
 SProcXGrabDeviceButton(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceButtonReq);
     swaps(&stuff->length, n);
@@ -86,11 +84,9 @@ SProcXGrabDeviceButton(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceButtonReq,
+                      stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDeviceButton(client));
 }
diff --git a/Xi/grabdevk.c b/Xi/grabdevk.c
index 43b19280d..d4b7fe815 100644
--- a/Xi/grabdevk.c
+++ b/Xi/grabdevk.c
@@ -77,8 +77,6 @@ int
 SProcXGrabDeviceKey(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceKeyReq);
     swaps(&stuff->length, n);
@@ -86,11 +84,8 @@ SProcXGrabDeviceKey(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swaps(&stuff->modifiers, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xGrabDeviceKeyReq, stuff->event_count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
     return (ProcXGrabDeviceKey(client));
 }
 
diff --git a/Xi/selectev.c b/Xi/selectev.c
index b93618ace..d3670ab1b 100644
--- a/Xi/selectev.c
+++ b/Xi/selectev.c
@@ -127,19 +127,16 @@ int
 SProcXSelectExtensionEvent(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xSelectExtensionEventReq);
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSelectExtensionEventReq);
     swapl(&stuff->window, n);
     swaps(&stuff->count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    REQUEST_FIXED_SIZE(xSelectExtensionEventReq,
+                      stuff->count * sizeof(CARD32));
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->count);
+
     return (ProcXSelectExtensionEvent(client));
 }
 
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index e4e38d790..588c91023 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -80,7 +80,7 @@ int
 SProcXSendExtensionEvent(ClientPtr client)
 {
     char n;
-    long *p;
+    CARD32 *p;
     int i;
     xEvent eventT;
     xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
     swapl(&stuff->destination, n);
     swaps(&stuff->count, n);
+
+    if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+       (stuff->num_events * (sizeof(xEvent) >> 2)))
+       return BadLength;
+
     eventP = (xEvent *) & stuff[1];
     for (i = 0; i < stuff->num_events; i++, eventP++) {
 	proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
 	*eventP = eventT;
     }
 
-    p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
-    for (i = 0; i < stuff->count; i++) {
-	swapl(p, n);
-	p++;
-    }
+    p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+    SwapLongs(p, stuff->count);
     return (ProcXSendExtensionEvent(client));
 }
 

From 7dc1717ff0f96b99271a912b8948dfce5164d5ad Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:28:03 +0100
Subject: [PATCH 17/33] Fix for CVE-2007-6428 - TOG-cup extension memory
 corruption.

---
 Xext/cup.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Xext/cup.c b/Xext/cup.c
index d0e820c41..fd1409e33 100644
--- a/Xext/cup.c
+++ b/Xext/cup.c
@@ -176,6 +176,9 @@ int ProcGetReservedColormapEntries(
 
     REQUEST_SIZE_MATCH (xXcupGetReservedColormapEntriesReq);
 
+    if (stuff->screen >= screenInfo.numScreens)
+	return BadValue;
+
 #ifndef HAVE_SPECIAL_DESKTOP_COLORS
     citems[CUP_BLACK_PIXEL].pixel = 
 	screenInfo.screens[stuff->screen]->blackPixel;

From 6de61f82728df22ea01f9659df6581b87f33f11d Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:28:42 +0100
Subject: [PATCH 18/33] Fix for CVE-2007-6429 - MIT-SHM and EVI extensions
 integer overflows.

---
 Xext/EVI.c       | 15 ++++++++++++++-
 Xext/sampleEVI.c | 29 ++++++++++++++++++++++++-----
 Xext/shm.c       | 46 ++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 76 insertions(+), 14 deletions(-)

diff --git a/Xext/EVI.c b/Xext/EVI.c
index 4bd050ca7..a637bae5d 100644
--- a/Xext/EVI.c
+++ b/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
+#include "scrnintstr.h"
 
 static EviPrivPtr eviPriv;
 
@@ -84,10 +85,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
     REQUEST(xEVIGetVisualInfoReq);
     xEVIGetVisualInfoReply rep;
-    int n, n_conflict, n_info, sz_info, sz_conflict;
+    int i, n, n_conflict, n_info, sz_info, sz_conflict;
     VisualID32 *conflict;
+    unsigned int total_visuals = 0;
     xExtendedVisualInfo *eviInfo;
     int status;
+
+    /*
+     * do this first, otherwise REQUEST_FIXED_SIZE can overflow.  we assume
+     * here that you don't have more than 2^32 visuals over all your screens;
+     * this seems like a safe assumption.
+     */
+    for (i = 0; i < screenInfo.numScreens; i++)
+	total_visuals += screenInfo.screens[i]->numVisuals;
+    if (stuff->n_visual > total_visuals)
+	return BadValue;
+
     REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
     status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual,
 		&eviInfo, &n_info, &conflict, &n_conflict);
diff --git a/Xext/sampleEVI.c b/Xext/sampleEVI.c
index 7508aa773..b871bfd74 100644
--- a/Xext/sampleEVI.c
+++ b/Xext/sampleEVI.c
@@ -34,6 +34,13 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "scrnintstr.h"
+
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int sampleGetVisualInfo(
     VisualID32 *visual,
     int n_visual,
@@ -42,24 +49,36 @@ static int sampleGetVisualInfo(
     VisualID32 **conflict_rn,
     int *n_conflict_rn)
 {
-    int max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+    unsigned int max_sz_evi;
     VisualID32 *temp_conflict;
     xExtendedVisualInfo *evi;
-    int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
+    unsigned int max_visuals = 0, max_sz_conflict, sz_conflict = 0;
     register int visualI, scrI, sz_evi = 0, conflictI, n_conflict;
-    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
-    if (!*evi_rn)
-         return BadAlloc;
+
+    if (n_visual > UINT32_MAX/(sz_xExtendedVisualInfo * screenInfo.numScreens))
+	return BadAlloc;
+    max_sz_evi = n_visual * sz_xExtendedVisualInfo * screenInfo.numScreens;
+    
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         if (screenInfo.screens[scrI]->numVisuals > max_visuals)
             max_visuals = screenInfo.screens[scrI]->numVisuals;
     }
+
+    if (n_visual > UINT32_MAX/(sz_VisualID32 * screenInfo.numScreens 
+			       * max_visuals)) 
+	return BadAlloc;
     max_sz_conflict = n_visual * sz_VisualID32 * screenInfo.numScreens * max_visuals;
+
+    *evi_rn = evi = (xExtendedVisualInfo *)xalloc(max_sz_evi);
+    if (!*evi_rn)
+         return BadAlloc;
+
     temp_conflict = (VisualID32 *)xalloc(max_sz_conflict);
     if (!temp_conflict) {
         xfree(*evi_rn);
         return BadAlloc;
     }
+
     for (scrI = 0; scrI < screenInfo.numScreens; scrI++) {
         for (visualI = 0; visualI < n_visual; visualI++) {
 	    evi[sz_evi].core_visual_id = visual[visualI];
diff --git a/Xext/shm.c b/Xext/shm.c
index e3d7a23ff..c545e4919 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -757,6 +757,8 @@ ProcPanoramiXShmCreatePixmap(
     int i, j, result, rc;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
+    unsigned int width, height, depth;
+    unsigned long size;
     PanoramiXRes *newPix;
 
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
@@ -770,11 +772,26 @@ ProcPanoramiXShmCreatePixmap(
 	return rc;
 
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-    if (!stuff->width || !stuff->height)
+
+    width = stuff->width;
+    height = stuff->height;
+    depth = stuff->depth;
+    if (!width || !height || !depth)
     {
 	client->errorValue = 0;
         return BadValue;
     }
+    if (width > 32767 || height > 32767)
+        return BadAlloc;
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4) {
+        if (size < width * height)
+            return BadAlloc;
+        /* thankfully, offset is unsigned */
+        if (stuff->offset + size < size)
+            return BadAlloc;
+    }
+
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
@@ -785,9 +802,7 @@ ProcPanoramiXShmCreatePixmap(
         return BadValue;
     }
 CreatePmap:
-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-		   client);
+    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
 	return BadAlloc;
@@ -1086,6 +1101,8 @@ ProcShmCreatePixmap(client)
     register int i, rc;
     ShmDescPtr shmdesc;
     REQUEST(xShmCreatePixmapReq);
+    unsigned int width, height, depth;
+    unsigned long size;
 
     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
     client->errorValue = stuff->pid;
@@ -1098,11 +1115,26 @@ ProcShmCreatePixmap(client)
 	return rc;
 
     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
-    if (!stuff->width || !stuff->height)
+    
+    width = stuff->width;
+    height = stuff->height;
+    depth = stuff->depth;
+    if (!width || !height || !depth)
     {
 	client->errorValue = 0;
         return BadValue;
     }
+    if (width > 32767 || height > 32767)
+	return BadAlloc;
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4) {
+	if (size < width * height)
+	    return BadAlloc;
+	/* thankfully, offset is unsigned */
+	if (stuff->offset + size < size)
+	    return BadAlloc;
+    }
+
     if (stuff->depth != 1)
     {
         pDepth = pDraw->pScreen->allowedDepths;
@@ -1113,9 +1145,7 @@ ProcShmCreatePixmap(client)
         return BadValue;
     }
 CreatePmap:
-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
-		   client);
+    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,
 			    stuff->height, stuff->depth,

From 8e133d96740d010a4fd969a8188e6e71fb2cafe2 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu, 17 Jan 2008 15:29:06 +0100
Subject: [PATCH 19/33] Fix for CVE-2008-0006 - PCF Font parser buffer
 overflow.

---
 dix/dixfonts.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index 2979c6424..04f1f1b30 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -326,6 +326,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c)
 	err = BadFontName;
 	goto bail;
     }
+    /* check values for firstCol, lastCol, firstRow, and lastRow */
+    if (pfont->info.firstCol > pfont->info.lastCol ||
+       pfont->info.firstRow > pfont->info.lastRow ||
+       pfont->info.lastCol - pfont->info.firstCol > 255) {
+       err = AllocError;
+       goto bail;
+    }
     if (!pfont->fpe)
 	pfont->fpe = fpe;
     pfont->refcnt++;

From 23f3f0e27dc90b7b3a375f2a5dd094e6f53552b5 Mon Sep 17 00:00:00 2001
From: Jeremy Huddleston <jeremy@yuffie.local>
Date: Sun, 13 Jan 2008 14:00:25 -0800
Subject: [PATCH 20/33] XQuartz: Moved SetFrontProcess haco to
 set_front_process So it is done by the other thread... (cherry picked from
 commit 7429379eb1001ee3dc769daa8fe6b3aef1b9cc8a)

---
 hw/xquartz/X11Application.m | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/xquartz/X11Application.m b/hw/xquartz/X11Application.m
index f68898582..be5511d30 100644
--- a/hw/xquartz/X11Application.m
+++ b/hw/xquartz/X11Application.m
@@ -314,7 +314,11 @@ static void message_kit_thread (SEL selector, NSObject *arg) {
 }
 
 - (void) set_front_process:unused {
-//    [self activateX:YES];
+    /* Hackery needed due to argv[0] hackery */
+    //    [self activateX:YES];
+    ProcessSerialNumber psn = { 0, kCurrentProcess };
+    SetFrontProcess(&psn);
+
     QuartzMessageServerThread(kXDarwinBringAllToFront, 0);
 }
 
@@ -711,10 +715,6 @@ void X11ApplicationSetWindowMenuCheck (int idx) {
 
 void X11ApplicationSetFrontProcess (void) {
     message_kit_thread (@selector (set_front_process:), nil);
-
-    /* Hackery needed due to argv[0] hackery */
-    ProcessSerialNumber psn = { 0, kCurrentProcess };
-    SetFrontProcess(&psn);
 }
 
 void X11ApplicationSetCanQuit (int state) {

From e9fa7c1c88a8130a48f772c92b186b8b777986b5 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Fri, 18 Jan 2008 14:41:20 -0500
Subject: [PATCH 21/33] CVE-2007-6429: Don't spuriously reject <8bpp shm
 pixmaps.

Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8.  If bpp < 8 then we're already
protected from overflow by the width and height checks.
---
 Xext/shm.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/Xext/shm.c b/Xext/shm.c
index c545e4919..e46f6fcde 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -783,14 +783,6 @@ ProcPanoramiXShmCreatePixmap(
     }
     if (width > 32767 || height > 32767)
         return BadAlloc;
-    size = PixmapBytePad(width, depth) * height;
-    if (sizeof(size) == 4) {
-        if (size < width * height)
-            return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
-    }
 
     if (stuff->depth != 1)
     {
@@ -801,7 +793,17 @@ ProcPanoramiXShmCreatePixmap(
 	client->errorValue = stuff->depth;
         return BadValue;
     }
+
 CreatePmap:
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+        if (size < width * height)
+            return BadAlloc;
+        /* thankfully, offset is unsigned */
+        if (stuff->offset + size < size)
+            return BadAlloc;
+    }
+
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@@ -1126,14 +1128,6 @@ ProcShmCreatePixmap(client)
     }
     if (width > 32767 || height > 32767)
 	return BadAlloc;
-    size = PixmapBytePad(width, depth) * height;
-    if (sizeof(size) == 4) {
-	if (size < width * height)
-	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
-    }
 
     if (stuff->depth != 1)
     {
@@ -1144,7 +1138,17 @@ ProcShmCreatePixmap(client)
 	client->errorValue = stuff->depth;
         return BadValue;
     }
+
 CreatePmap:
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+	if (size < width * height)
+	    return BadAlloc;
+	/* thankfully, offset is unsigned */
+	if (stuff->offset + size < size)
+	    return BadAlloc;
+    }
+
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,

From 94a21d757ce58254accbd5dd3a86810aadeec9f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel@tungstengraphics.com>
Date: Sat, 19 Jan 2008 13:17:45 +0100
Subject: [PATCH 22/33] AIGLX: Fix GLX_EXT_texture_from_pixmap fallback with
 EXA.

Use pScreen->GetImage to obtain the pixmap contents instead of dereferencing
pPixmap->devPrivate.ptr directly.
---
 GL/glx/glxdri.c | 80 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 53 insertions(+), 27 deletions(-)

diff --git a/GL/glx/glxdri.c b/GL/glx/glxdri.c
index c0da07b68..6c1a199f7 100644
--- a/GL/glx/glxdri.c
+++ b/GL/glx/glxdri.c
@@ -47,6 +47,8 @@
 #include <xf86.h>
 #include <dri.h>
 
+#include "servermd.h"
+
 #define DRI_NEW_INTERFACE_ONLY
 #include "glxserver.h"
 #include "glxutil.h"
@@ -308,18 +310,20 @@ __glXDRIcontextForceCurrent(__GLXcontext *baseContext)
 }
 
 static void
-glxFillAlphaChannel (PixmapPtr pixmap, int x, int y, int width, int height)
+glxFillAlphaChannel (CARD32 *pixels, CARD32 rowstride, int width, int height)
 {
     int i;
-    CARD32 *p, *end, *pixels = (CARD32 *)pixmap->devPrivate.ptr;
-    CARD32 rowstride = pixmap->devKind / 4;
+    CARD32 *p, *end;
+
+    rowstride /= 4;
     
-    for (i = y; i < y + height; i++)
+    for (i = 0; i < height; i++)
     {
-	p = &pixels[i * rowstride + x];
+	p = pixels;
 	end = p + width;
 	while (p < end)
 	  *p++ |= 0xFF000000;
+	pixels += rowstride;
     }
 }
 
@@ -430,22 +434,31 @@ nooverride:
 	type = GL_UNSIGNED_SHORT_5_6_5;
     }
 
-    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_ROW_LENGTH,
-				       pixmap->devKind / bpp) );
-
     if (pRegion == NULL)
     {
-	if (!override && pixmap->drawable.depth == 24)
-	    glxFillAlphaChannel(pixmap,
-				pixmap->drawable.x,
-				pixmap->drawable.y,
-				pixmap->drawable.width,
-				pixmap->drawable.height);
+	void *data = NULL;
 
-        CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_PIXELS,
-					   pixmap->drawable.x) );
-	CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_ROWS,
-					   pixmap->drawable.y) );
+	if (!override) {
+	    unsigned pitch = PixmapBytePad(pixmap->drawable.width,
+					   pixmap->drawable.depth); 
+
+	    data = xalloc(pitch * pixmap->drawable.height);
+
+	    pScreen->GetImage(&pixmap->drawable, 0 /*pixmap->drawable.x*/,
+			      0 /*pixmap->drawable.y*/, pixmap->drawable.width,
+			      pixmap->drawable.height, ZPixmap, ~0, data);
+
+	    if (pixmap->drawable.depth == 24)
+		glxFillAlphaChannel(data,
+				    pitch,
+				    pixmap->drawable.width,
+				    pixmap->drawable.height);
+
+	    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_ROW_LENGTH,
+					       pitch / bpp) );
+	    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_PIXELS, 0) );
+	    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_ROWS, 0) );
+	}
 
 	CALL_TexImage2D( GET_DISPATCH(),
 			 (glxPixmap->target,
@@ -456,26 +469,37 @@ nooverride:
 			  0,
 			  format,
 			  type,
-			  override ? NULL : pixmap->devPrivate.ptr) );
+			  data) );
+
+	xfree(data);
     } else if (!override) {
         int i, numRects;
 	BoxPtr p;
 
 	numRects = REGION_NUM_RECTS (pRegion);
 	p = REGION_RECTS (pRegion);
+
+	CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_PIXELS, 0) );
+	CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_ROWS, 0) );
+
 	for (i = 0; i < numRects; i++)
 	{
+	    unsigned pitch = PixmapBytePad(p[i].x2 - p[i].x1,
+					   pixmap->drawable.depth);
+	    void *data = xalloc(pitch * (p[i].y2 - p[i].y1));
+
+	    pScreen->GetImage(&pixmap->drawable, /*pixmap->drawable.x +*/ p[i].x1,
+			      /*pixmap->drawable.y*/ + p[i].y1, p[i].x2 - p[i].x1,
+			      p[i].y2 - p[i].y1, ZPixmap, ~0, data);
+
 	    if (pixmap->drawable.depth == 24)
-		glxFillAlphaChannel(pixmap,
-				    pixmap->drawable.x + p[i].x1,
-				    pixmap->drawable.y + p[i].y1,
+		glxFillAlphaChannel(data,
+				    pitch,
 				    p[i].x2 - p[i].x1,
 				    p[i].y2 - p[i].y1);
 
-	    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_PIXELS,
-					       pixmap->drawable.x + p[i].x1) );
-	    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_SKIP_ROWS,
-					       pixmap->drawable.y + p[i].y1) );
+	    CALL_PixelStorei( GET_DISPATCH(), (GL_UNPACK_ROW_LENGTH,
+					       pitch / bpp) );
 
 	    CALL_TexSubImage2D( GET_DISPATCH(),
 				(glxPixmap->target,
@@ -484,7 +508,9 @@ nooverride:
 				 p[i].x2 - p[i].x1, p[i].y2 - p[i].y1,
 				 format,
 				 type,
-				 pixmap->devPrivate.ptr) );
+				 data) );
+
+	    xfree(data);
 	}
     }
 

From be6c17fcf9efebc0bbcc3d9a25f8c5a2450c2161 Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Mon, 21 Jan 2008 16:13:21 +0100
Subject: [PATCH 23/33] CVE-2007-6429: Always test for size+offset wrapping.

---
 Xext/shm.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Xext/shm.c b/Xext/shm.c
index e46f6fcde..a7a1ecf75 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -799,10 +799,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
         if (size < width * height)
             return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
@@ -1144,10 +1144,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
 	if (size < width * height)
 	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(

From cc22b05ea06e08568d0f0abdaccf67bd32662e94 Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Tue, 22 Jan 2008 18:57:11 -0500
Subject: [PATCH 24/33] There is no such thing as /dev/cpu/mtrr.

---
 hw/xfree86/os-support/linux/lnx_video.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/hw/xfree86/os-support/linux/lnx_video.c b/hw/xfree86/os-support/linux/lnx_video.c
index ad2b66f74..1bd2d575f 100644
--- a/hw/xfree86/os-support/linux/lnx_video.c
+++ b/hw/xfree86/os-support/linux/lnx_video.c
@@ -142,17 +142,8 @@ mtrr_open(int verbosity)
 	/* Only report absence of /proc/mtrr once. */
 	static Bool warned = FALSE;
 
-	char **fn;
-	static char *mtrr_files[] = {
-		"/dev/cpu/mtrr",	/* Possible future name */
-		"/proc/mtrr",		/* Current name */
-		NULL
-	};
-
 	if (mtrr_fd == MTRR_FD_UNOPENED) { 
-		/* So open it. */
-		for (fn = mtrr_files; mtrr_fd < 0 && *fn; fn++)
-			mtrr_fd = open(*fn, O_WRONLY);
+		mtrr_fd = open("/proc/mtrr", O_WRONLY);
 
 		if (mtrr_fd < 0)
 			mtrr_fd = MTRR_FD_PROBLEM;

From 734e115871ce98badb8800383c423493802ae3d3 Mon Sep 17 00:00:00 2001
From: Hong Liu <hong.liu@intel.com>
Date: Wed, 23 Jan 2008 21:04:32 +0800
Subject: [PATCH 25/33] Bug #12439: add a quirk to use +hsync +vsync for the
 probed detailed mode.

Samsung 205BW quirk is somehow reworked.
---
 hw/xfree86/modes/xf86EdidModes.c | 35 ++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/hw/xfree86/modes/xf86EdidModes.c b/hw/xfree86/modes/xf86EdidModes.c
index 87a812765..b865727ef 100644
--- a/hw/xfree86/modes/xf86EdidModes.c
+++ b/hw/xfree86/modes/xf86EdidModes.c
@@ -66,6 +66,8 @@ typedef enum {
     DDC_QUIRK_DETAILED_USE_MAXIMUM_SIZE = 1 << 5,
     /* Monitor forgot to set the first detailed is preferred bit. */
     DDC_QUIRK_FIRST_DETAILED_PREFERRED = 1 << 6,
+    /* use +hsync +vsync for detailed mode */
+    DDC_QUIRK_DETAILED_SYNC_PP = 1 << 7,
 } ddc_quirk_t;
 
 static Bool quirk_prefer_large_60 (int scrnIndex, xf86MonPtr DDC)
@@ -160,6 +162,15 @@ static Bool quirk_first_detailed_preferred (int scrnIndex, xf86MonPtr DDC)
     return FALSE;
 }
 
+static Bool quirk_detailed_sync_pp(int scrnIndex, xf86MonPtr DDC)
+{
+    /* Bug #12439: Samsung SyncMaster 205BW */
+    if (memcmp (DDC->vendor.name, "SAM", 4) == 0 &&
+	DDC->vendor.prod_id == 541)
+	return TRUE;
+    return FALSE;
+}
+
 typedef struct {
     Bool	(*detect) (int scrnIndex, xf86MonPtr DDC);
     ddc_quirk_t	quirk;
@@ -195,6 +206,10 @@ static const ddc_quirk_map_t ddc_quirks[] = {
 	quirk_first_detailed_preferred, DDC_QUIRK_FIRST_DETAILED_PREFERRED,
 	"First detailed timing was not marked as preferred."
     },
+    {
+	quirk_detailed_sync_pp, DDC_QUIRK_DETAILED_SYNC_PP,
+	"Use +hsync +vsync for detailed timing."
+    },
     { 
 	NULL,		DDC_QUIRK_NONE,
 	"No known quirks"
@@ -341,15 +356,19 @@ DDCModeFromDetailedTiming(int scrnIndex, struct detailed_timings *timing,
     if (timing->interlaced)
         Mode->Flags |= V_INTERLACE;
 
-    if (timing->misc & 0x02)
-	Mode->Flags |= V_PVSYNC;
-    else
-	Mode->Flags |= V_NVSYNC;
+    if (quirks & DDC_QUIRK_DETAILED_SYNC_PP)
+	Mode->Flags |= V_PVSYNC | V_PHSYNC;
+    else {
+	if (timing->misc & 0x02)
+	    Mode->Flags |= V_PVSYNC;
+	else
+	    Mode->Flags |= V_NVSYNC;
 
-    if (timing->misc & 0x01)
-	Mode->Flags |= V_PHSYNC;
-    else
-	Mode->Flags |= V_NHSYNC;
+	if (timing->misc & 0x01)
+	    Mode->Flags |= V_PHSYNC;
+	else
+	    Mode->Flags |= V_NHSYNC;
+    }
 
     return Mode;
 }

From f0bf9a5231d4f612ac916355118484d055715f32 Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Thu, 24 Jan 2008 19:02:35 -0500
Subject: [PATCH 26/33] xselinux: Whitespace fixups.

---
 Xext/xselinux.c | 66 ++++++++++++++++++++++++-------------------------
 1 file changed, 32 insertions(+), 34 deletions(-)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 4629e9027..ede0350d4 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -271,7 +271,7 @@ SELinuxTypeToClass(RESTYPE type)
 	    knownTypes[type] = SECCLASS_X_CURSOR;
 	if (fulltype == RT_COLORMAP)
 	    knownTypes[type] = SECCLASS_X_COLORMAP;
-	
+
 	/* Need to do a string lookup */
 	str = LookupResourceName(fulltype);
 	if (!strcmp(str, "PICTURE"))
@@ -890,8 +890,7 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	if (rc != Success)
 	    FatalError("SELinux: Failed to set label property on window!\n");
 	freecon(ctx);
-    }
-    else
+    } else
 	FatalError("SELinux: Unexpected unlabeled client found\n");
 
     state = dixLookupPrivate(&pWin->devPrivates, stateKey);
@@ -907,8 +906,7 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	if (rc != Success)
 	    FatalError("SELinux: Failed to set label property on window!\n");
 	freecon(ctx);
-    }
-    else
+    } else
 	FatalError("SELinux: Unexpected unlabeled window found\n");
 }
 
@@ -1181,9 +1179,9 @@ SProcSELinuxQueryVersion(ClientPtr client)
     REQUEST(SELinuxQueryVersionReq);
     int n;
 
-    REQUEST_SIZE_MATCH (SELinuxQueryVersionReq);
-    swaps(&stuff->client_major,n);
-    swaps(&stuff->client_minor,n);
+    REQUEST_SIZE_MATCH(SELinuxQueryVersionReq);
+    swaps(&stuff->client_major, n);
+    swaps(&stuff->client_minor, n);
     return ProcSELinuxQueryVersion(client);
 }
 
@@ -1193,8 +1191,8 @@ SProcSELinuxSetSelectionManager(ClientPtr client)
     REQUEST(SELinuxSetSelectionManagerReq);
     int n;
 
-    REQUEST_SIZE_MATCH (SELinuxSetSelectionManagerReq);
-    swapl(&stuff->window,n);
+    REQUEST_SIZE_MATCH(SELinuxSetSelectionManagerReq);
+    swapl(&stuff->window, n);
     return ProcSELinuxSetSelectionManager(client);
 }
 
@@ -1205,7 +1203,7 @@ SProcSELinuxSetDeviceCreateContext(ClientPtr client)
     int n;
 
     REQUEST_AT_LEAST_SIZE(SELinuxSetCreateContextReq);
-    swaps(&stuff->context_len,n);
+    swaps(&stuff->context_len, n);
     return ProcSELinuxSetDeviceCreateContext(client);
 }
 
@@ -1216,8 +1214,8 @@ SProcSELinuxSetDeviceContext(ClientPtr client)
     int n;
 
     REQUEST_AT_LEAST_SIZE(SELinuxSetContextReq);
-    swapl(&stuff->id,n);
-    swaps(&stuff->context_len,n);
+    swapl(&stuff->id, n);
+    swaps(&stuff->context_len, n);
     return ProcSELinuxSetDeviceContext(client);
 }
 
@@ -1228,7 +1226,7 @@ SProcSELinuxGetDeviceContext(ClientPtr client)
     int n;
 
     REQUEST_SIZE_MATCH(SELinuxGetContextReq);
-    swapl(&stuff->id,n);
+    swapl(&stuff->id, n);
     return ProcSELinuxGetDeviceContext(client);
 }
 
@@ -1239,7 +1237,7 @@ SProcSELinuxSetPropertyCreateContext(ClientPtr client)
     int n;
 
     REQUEST_AT_LEAST_SIZE(SELinuxSetCreateContextReq);
-    swaps(&stuff->context_len,n);
+    swaps(&stuff->context_len, n);
     return ProcSELinuxSetPropertyCreateContext(client);
 }
 
@@ -1250,8 +1248,8 @@ SProcSELinuxGetPropertyContext(ClientPtr client)
     int n;
 
     REQUEST_SIZE_MATCH(SELinuxGetPropertyContextReq);
-    swapl(&stuff->window,n);
-    swapl(&stuff->property,n);
+    swapl(&stuff->window, n);
+    swapl(&stuff->property, n);
     return ProcSELinuxGetPropertyContext(client);
 }
 
@@ -1262,7 +1260,7 @@ SProcSELinuxSetWindowCreateContext(ClientPtr client)
     int n;
 
     REQUEST_AT_LEAST_SIZE(SELinuxSetCreateContextReq);
-    swaps(&stuff->context_len,n);
+    swaps(&stuff->context_len, n);
     return ProcSELinuxSetWindowCreateContext(client);
 }
 
@@ -1273,7 +1271,7 @@ SProcSELinuxGetWindowContext(ClientPtr client)
     int n;
 
     REQUEST_SIZE_MATCH(SELinuxGetContextReq);
-    swapl(&stuff->id,n);
+    swapl(&stuff->id, n);
     return ProcSELinuxGetWindowContext(client);
 }
 
@@ -1287,31 +1285,31 @@ SProcSELinuxDispatch(ClientPtr client)
 
     switch (stuff->data) {
     case X_SELinuxQueryVersion:
-        return SProcSELinuxQueryVersion(client);
+	return SProcSELinuxQueryVersion(client);
     case X_SELinuxSetSelectionManager:
 	return SProcSELinuxSetSelectionManager(client);
     case X_SELinuxGetSelectionManager:
-    	return ProcSELinuxGetSelectionManager(client);
+	return ProcSELinuxGetSelectionManager(client);
     case X_SELinuxSetDeviceCreateContext:
-    	return SProcSELinuxSetDeviceCreateContext(client);
+	return SProcSELinuxSetDeviceCreateContext(client);
     case X_SELinuxGetDeviceCreateContext:
-    	return ProcSELinuxGetDeviceCreateContext(client);
+	return ProcSELinuxGetDeviceCreateContext(client);
     case X_SELinuxSetDeviceContext:
-    	return SProcSELinuxSetDeviceContext(client);
+	return SProcSELinuxSetDeviceContext(client);
     case X_SELinuxGetDeviceContext:
-    	return SProcSELinuxGetDeviceContext(client);
+	return SProcSELinuxGetDeviceContext(client);
     case X_SELinuxSetPropertyCreateContext:
-    	return SProcSELinuxSetPropertyCreateContext(client);
+	return SProcSELinuxSetPropertyCreateContext(client);
     case X_SELinuxGetPropertyCreateContext:
-    	return ProcSELinuxGetPropertyCreateContext(client);
+	return ProcSELinuxGetPropertyCreateContext(client);
     case X_SELinuxGetPropertyContext:
-    	return SProcSELinuxGetPropertyContext(client);
+	return SProcSELinuxGetPropertyContext(client);
     case X_SELinuxSetWindowCreateContext:
-    	return SProcSELinuxSetWindowCreateContext(client);
+	return SProcSELinuxSetWindowCreateContext(client);
     case X_SELinuxGetWindowCreateContext:
-    	return ProcSELinuxGetWindowCreateContext(client);
+	return ProcSELinuxGetWindowCreateContext(client);
     case X_SELinuxGetWindowContext:
-    	return SProcSELinuxGetWindowContext(client);
+	return SProcSELinuxGetWindowContext(client);
     default:
 	return BadRequest;
     }
@@ -1376,8 +1374,8 @@ SELinuxExtensionInit(INITARGS)
 
     /* Setup SELinux stuff */
     if (!is_selinux_enabled()) {
-        ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
-        return;
+	ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
+	return;
     }
 
     selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog);
@@ -1408,7 +1406,7 @@ SELinuxExtensionInit(INITARGS)
     /* Prepare for auditing */
     audit_fd = audit_open();
     if (audit_fd < 0)
-        FatalError("SELinux: Failed to open the system audit log\n");
+	FatalError("SELinux: Failed to open the system audit log\n");
 
     /* Allocate private storage */
     if (!dixRequestPrivate(stateKey, sizeof(SELinuxStateRec)))

From 7ba8e97cbabfef4d614a6a38314830ec0f925471 Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Thu, 24 Jan 2008 19:09:58 -0500
Subject: [PATCH 27/33] xselinux: Implement "get context" protocol requests.

---
 Xext/xselinux.c | 119 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 116 insertions(+), 3 deletions(-)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index ede0350d4..1432916de 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -1098,7 +1098,40 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
 static int
 ProcSELinuxGetDeviceContext(ClientPtr client)
 {
-    return Success;
+    char *ctx;
+    DeviceIntPtr dev;
+    SELinuxStateRec *state;
+    SELinuxGetContextReply rep;
+    int rc;
+
+    REQUEST(SELinuxGetContextReq);
+    REQUEST_SIZE_MATCH(SELinuxGetContextReq);
+
+    rc = dixLookupDevice(&dev, stuff->id, client, DixGetAttrAccess);
+    if (rc != Success)
+	return rc;
+
+    state = dixLookupPrivate(&dev->devPrivates, stateKey);
+    rc = avc_sid_to_context(state->sid, &ctx);
+    if (rc != Success)
+	return BadValue;
+
+    rep.type = X_Reply;
+    rep.length = (strlen(ctx) + 4) >> 2;
+    rep.sequenceNumber = client->sequence;
+    rep.context_len = strlen(ctx) + 1;
+
+    if (client->swapped) {
+	int n;
+	swapl(&rep.length, n);
+	swaps(&rep.sequenceNumber, n);
+	swaps(&rep.context_len, n);
+    }
+
+    WriteToClient(client, sizeof(SELinuxGetContextReply), (char *)&rep);
+    WriteToClient(client, rep.context_len, ctx);
+    free(ctx);
+    return client->noClientException;
 }
 
 static int
@@ -1116,7 +1149,54 @@ ProcSELinuxGetPropertyCreateContext(ClientPtr client)
 static int
 ProcSELinuxGetPropertyContext(ClientPtr client)
 {
-    return Success;
+    char *ctx;
+    WindowPtr pWin;
+    PropertyPtr pProp;
+    SELinuxStateRec *state;
+    SELinuxGetContextReply rep;
+    int rc;
+
+    REQUEST(SELinuxGetPropertyContextReq);
+    REQUEST_SIZE_MATCH(SELinuxGetPropertyContextReq);
+
+    rc = dixLookupWindow(&pWin, stuff->window, client, DixGetPropAccess);
+    if (rc != Success)
+	return rc;
+
+    pProp = wUserProps(pWin);
+    while (pProp) {
+	if (pProp->propertyName == stuff->property)
+	    break;
+	pProp = pProp->next;
+    }
+    if (!pProp)
+	return BadValue;
+
+    rc = XaceHook(XACE_PROPERTY_ACCESS, client, pWin, pProp, DixGetAttrAccess);
+    if (rc != Success)
+	return rc;
+
+    state = dixLookupPrivate(&pProp->devPrivates, stateKey);
+    rc = avc_sid_to_context(state->sid, &ctx);
+    if (rc != Success)
+	return BadValue;
+
+    rep.type = X_Reply;
+    rep.length = (strlen(ctx) + 4) >> 2;
+    rep.sequenceNumber = client->sequence;
+    rep.context_len = strlen(ctx) + 1;
+
+    if (client->swapped) {
+	int n;
+	swapl(&rep.length, n);
+	swaps(&rep.sequenceNumber, n);
+	swaps(&rep.context_len, n);
+    }
+
+    WriteToClient(client, sizeof(SELinuxGetContextReply), (char *)&rep);
+    WriteToClient(client, rep.context_len, ctx);
+    free(ctx);
+    return client->noClientException;
 }
 
 static int
@@ -1134,7 +1214,40 @@ ProcSELinuxGetWindowCreateContext(ClientPtr client)
 static int
 ProcSELinuxGetWindowContext(ClientPtr client)
 {
-    return Success;
+    char *ctx;
+    WindowPtr pWin;
+    SELinuxStateRec *state;
+    SELinuxGetContextReply rep;
+    int rc;
+
+    REQUEST(SELinuxGetContextReq);
+    REQUEST_SIZE_MATCH(SELinuxGetContextReq);
+
+    rc = dixLookupWindow(&pWin, stuff->id, client, DixGetAttrAccess);
+    if (rc != Success)
+	return rc;
+
+    state = dixLookupPrivate(&pWin->devPrivates, stateKey);
+    rc = avc_sid_to_context(state->sid, &ctx);
+    if (rc != Success)
+	return BadValue;
+
+    rep.type = X_Reply;
+    rep.length = (strlen(ctx) + 4) >> 2;
+    rep.sequenceNumber = client->sequence;
+    rep.context_len = strlen(ctx) + 1;
+
+    if (client->swapped) {
+	int n;
+	swapl(&rep.length, n);
+	swaps(&rep.sequenceNumber, n);
+	swaps(&rep.context_len, n);
+    }
+
+    WriteToClient(client, sizeof(SELinuxGetContextReply), (char *)&rep);
+    WriteToClient(client, rep.context_len, ctx);
+    free(ctx);
+    return client->noClientException;
 }
 
 static int

From 6ffeecabb7f3f3173864e0f0af21a99bdc5b5044 Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Thu, 24 Jan 2008 18:11:49 -0500
Subject: [PATCH 28/33] xselinux: Use a privileged bit in the state instead of
 passing an index to the permission checking function.

---
 Xext/xselinux.c | 60 ++++++++++++++++++++++---------------------------
 1 file changed, 27 insertions(+), 33 deletions(-)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 1432916de..53ea6c114 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -63,6 +63,7 @@ typedef struct {
     security_id_t sid;
     struct avc_entry_ref aeref;
     char *command;
+    int privileged;
 } SELinuxStateRec;
 
 /* selection manager */
@@ -287,11 +288,11 @@ SELinuxTypeToClass(RESTYPE type)
  * Performs an SELinux permission check.
  */
 static int
-SELinuxDoCheck(int clientIndex, SELinuxStateRec *subj, SELinuxStateRec *obj,
+SELinuxDoCheck(SELinuxStateRec *subj, SELinuxStateRec *obj,
 	       security_class_t class, Mask mode, SELinuxAuditRec *auditdata)
 {
     /* serverClient requests OK */
-    if (clientIndex == 0)
+    if (subj->privileged)
 	return Success;
 
     auditdata->command = subj->command;
@@ -383,6 +384,7 @@ SELinuxLabelInitial(void)
 
     /* Do the serverClient */
     state = dixLookupPrivate(&serverClient->devPrivates, stateKey);
+    state->privileged = 1;
     sidput(state->sid);
 
     /* Use the context of the X server process for the serverClient */
@@ -496,8 +498,8 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	obj->sid = subj->sid;
     }
 
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_DEVICE,
-			rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DEVICE, rec->access_mode,
+			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -509,21 +511,18 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     SELinuxStateRec *subj, *obj, ev_sid;
     SELinuxAuditRec auditdata = { .client = rec->client };
     security_class_t class;
-    int rc, i, type, clientIndex;
+    int rc, i, type;
 
-    if (rec->dev) {
+    if (rec->dev)
 	subj = dixLookupPrivate(&rec->dev->devPrivates, stateKey);
-	clientIndex = -1; /* some nonzero value */
-    } else {
+    else
 	subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
-	clientIndex = rec->client->index;
-    }
 
     obj = dixLookupPrivate(&rec->pWin->devPrivates, stateKey);
 
     /* Check send permission on window */
-    rc = SELinuxDoCheck(clientIndex, subj, obj, SECCLASS_X_DRAWABLE,
-			DixSendAccess, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DRAWABLE, DixSendAccess,
+			&auditdata);
     if (rc != Success)
 	goto err;
 
@@ -537,8 +536,7 @@ SELinuxSend(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	    goto err;
 
 	auditdata.event = type;
-	rc = SELinuxDoCheck(clientIndex, subj, &ev_sid, class,
-			    DixSendAccess, &auditdata);
+	rc = SELinuxDoCheck(subj, &ev_sid, class, DixSendAccess, &auditdata);
 	if (rc != Success)
 	    goto err;
     }
@@ -560,8 +558,8 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     obj = dixLookupPrivate(&rec->pWin->devPrivates, stateKey);
 
     /* Check receive permission on window */
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_DRAWABLE,
-			DixReceiveAccess, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_DRAWABLE, DixReceiveAccess,
+			&auditdata);
     if (rc != Success)
 	goto err;
 
@@ -575,8 +573,7 @@ SELinuxReceive(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	    goto err;
 
 	auditdata.event = type;
-	rc = SELinuxDoCheck(rec->client->index, subj, &ev_sid, class,
-			    DixReceiveAccess, &auditdata);
+	rc = SELinuxDoCheck(subj, &ev_sid, class, DixReceiveAccess, &auditdata);
 	if (rc != Success)
 	    goto err;
     }
@@ -633,8 +630,8 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 
     /* Perform the security check */
     auditdata.extension = rec->ext->name;
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_EXTENSION,
-			rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_EXTENSION, rec->access_mode,
+			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -680,13 +677,12 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 	    return;
 	}
 	freecon(con);
-	avc_entry_ref_init(&obj->aeref);
     }
 
     /* Perform the security check */
     auditdata.property = rec->pProp->propertyName;
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_PROPERTY,
-			rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_PROPERTY, rec->access_mode,
+			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -741,8 +737,7 @@ SELinuxResource(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     /* Perform the security check */
     auditdata.restype = rec->rtype;
     auditdata.id = rec->id;
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, class,
-			rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, class, rec->access_mode, &auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -775,8 +770,7 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata)
     if (is_saver)
 	access_mode <<= 2;
 
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_SCREEN,
-			access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_SCREEN, access_mode, &auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -792,8 +786,8 @@ SELinuxClient(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&rec->target->devPrivates, stateKey);
 
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_CLIENT,
-			rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_CLIENT, rec->access_mode,
+			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -809,8 +803,8 @@ SELinuxServer(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     subj = dixLookupPrivate(&rec->client->devPrivates, stateKey);
     obj = dixLookupPrivate(&serverClient->devPrivates, stateKey);
 
-    rc = SELinuxDoCheck(rec->client->index, subj, obj, SECCLASS_X_SERVER,
-			rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, obj, SECCLASS_X_SERVER, rec->access_mode,
+			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 }
@@ -832,8 +826,8 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
     }
 
     auditdata.selection = rec->name;
-    rc = SELinuxDoCheck(rec->client->index, subj, &sel_sid,
-			SECCLASS_X_SELECTION, rec->access_mode, &auditdata);
+    rc = SELinuxDoCheck(subj, &sel_sid, SECCLASS_X_SELECTION, rec->access_mode,
+			&auditdata);
     if (rc != Success)
 	rec->status = rc;
 }

From 46794d0c9665f07913980830d038c88d00407612 Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Thu, 24 Jan 2008 19:49:13 -0500
Subject: [PATCH 29/33] xselinux: Rename SelectionManager to more generic
 SecurityManager.

---
 Xext/xselinux.c | 60 ++++++++++++++++++++++++-------------------------
 Xext/xselinux.h | 10 ++++-----
 2 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 53ea6c114..a6e27e695 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -72,8 +72,8 @@ typedef struct {
     security_id_t sid;
 } SELinuxSelectionRec;
 
-static ClientPtr selectionManager;
-static Window selectionWindow;
+static ClientPtr securityManager;
+static Window securityWindow;
 
 /* audit file descriptor */
 static int audit_fd;
@@ -849,9 +849,9 @@ SELinuxClientState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 
     case ClientStateRetained:
     case ClientStateGone:
-	if (pci->client == selectionManager) {
-	    selectionManager = NULL;
-	    selectionWindow = 0;
+	if (pci->client == securityManager) {
+	    securityManager = NULL;
+	    securityWindow = 0;
 	}
 	break;
 
@@ -935,9 +935,9 @@ SELinuxSelectionState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 
     case SelectionConvertSelection:
 	/* redirect the convert request if necessary */
-	if (selectionManager && selectionManager != rec->client) {
-	    rec->selection->client = selectionManager;
-	    rec->selection->window = selectionWindow;
+	if (securityManager && securityManager != rec->client) {
+	    rec->selection->client = securityManager;
+	    rec->selection->window = securityWindow;
 	} else {
 	    rec->selection->client = rec->selection->alt_client;
 	    rec->selection->window = rec->selection->alt_window;
@@ -1004,39 +1004,39 @@ ProcSELinuxQueryVersion(ClientPtr client)
 }
 
 static int
-ProcSELinuxSetSelectionManager(ClientPtr client)
+ProcSELinuxSetSecurityManager(ClientPtr client)
 {
     WindowPtr pWin;
     int rc;
 
-    REQUEST(SELinuxSetSelectionManagerReq);
-    REQUEST_SIZE_MATCH(SELinuxSetSelectionManagerReq);
+    REQUEST(SELinuxSetSecurityManagerReq);
+    REQUEST_SIZE_MATCH(SELinuxSetSecurityManagerReq);
 
     if (stuff->window == None) {
-	selectionManager = NULL;
-	selectionWindow = None;
+	securityManager = NULL;
+	securityWindow = None;
     } else {
 	rc = dixLookupResource((pointer *)&pWin, stuff->window, RT_WINDOW,
 			       client, DixGetAttrAccess);
 	if (rc != Success)
 	    return rc;
 
-	selectionManager = client;
-	selectionWindow = stuff->window;
+	securityManager = client;
+	securityWindow = stuff->window;
     }
 
     return Success;
 }
 
 static int
-ProcSELinuxGetSelectionManager(ClientPtr client)
+ProcSELinuxGetSecurityManager(ClientPtr client)
 {
-    SELinuxGetSelectionManagerReply rep;
+    SELinuxGetSecurityManagerReply rep;
 
     rep.type = X_Reply;
     rep.length = 0;
     rep.sequenceNumber = client->sequence;
-    rep.window = selectionWindow;
+    rep.window = securityWindow;
     if (client->swapped) {
 	int n;
 	swaps(&rep.sequenceNumber, n);
@@ -1251,10 +1251,10 @@ ProcSELinuxDispatch(ClientPtr client)
     switch (stuff->data) {
     case X_SELinuxQueryVersion:
 	return ProcSELinuxQueryVersion(client);
-    case X_SELinuxSetSelectionManager:
-	return ProcSELinuxSetSelectionManager(client);
-    case X_SELinuxGetSelectionManager:
-	return ProcSELinuxGetSelectionManager(client);
+    case X_SELinuxSetSecurityManager:
+	return ProcSELinuxSetSecurityManager(client);
+    case X_SELinuxGetSecurityManager:
+	return ProcSELinuxGetSecurityManager(client);
     case X_SELinuxSetDeviceCreateContext:
 	return ProcSELinuxSetDeviceCreateContext(client);
     case X_SELinuxGetDeviceCreateContext:
@@ -1293,14 +1293,14 @@ SProcSELinuxQueryVersion(ClientPtr client)
 }
 
 static int
-SProcSELinuxSetSelectionManager(ClientPtr client)
+SProcSELinuxSetSecurityManager(ClientPtr client)
 {
-    REQUEST(SELinuxSetSelectionManagerReq);
+    REQUEST(SELinuxSetSecurityManagerReq);
     int n;
 
-    REQUEST_SIZE_MATCH(SELinuxSetSelectionManagerReq);
+    REQUEST_SIZE_MATCH(SELinuxSetSecurityManagerReq);
     swapl(&stuff->window, n);
-    return ProcSELinuxSetSelectionManager(client);
+    return ProcSELinuxSetSecurityManager(client);
 }
 
 static int
@@ -1393,10 +1393,10 @@ SProcSELinuxDispatch(ClientPtr client)
     switch (stuff->data) {
     case X_SELinuxQueryVersion:
 	return SProcSELinuxQueryVersion(client);
-    case X_SELinuxSetSelectionManager:
-	return SProcSELinuxSetSelectionManager(client);
-    case X_SELinuxGetSelectionManager:
-	return ProcSELinuxGetSelectionManager(client);
+    case X_SELinuxSetSecurityManager:
+	return SProcSELinuxSetSecurityManager(client);
+    case X_SELinuxGetSecurityManager:
+	return ProcSELinuxGetSecurityManager(client);
     case X_SELinuxSetDeviceCreateContext:
 	return SProcSELinuxSetDeviceCreateContext(client);
     case X_SELinuxGetDeviceCreateContext:
diff --git a/Xext/xselinux.h b/Xext/xselinux.h
index ba1380b57..7eeea5046 100644
--- a/Xext/xselinux.h
+++ b/Xext/xselinux.h
@@ -31,8 +31,8 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 /* Extension protocol */
 #define X_SELinuxQueryVersion			0
-#define X_SELinuxSetSelectionManager		1
-#define X_SELinuxGetSelectionManager		2
+#define X_SELinuxSetSecurityManager		1
+#define X_SELinuxGetSecurityManager		2
 #define X_SELinuxSetDeviceCreateContext		3
 #define X_SELinuxGetDeviceCreateContext		4
 #define X_SELinuxSetDeviceContext		5
@@ -72,13 +72,13 @@ typedef struct {
     CARD8   SELinuxReqType;
     CARD16  length;
     CARD32  window;
-} SELinuxSetSelectionManagerReq;
+} SELinuxSetSecurityManagerReq;
 
 typedef struct {
     CARD8   reqType;
     CARD8   SELinuxReqType;
     CARD16  length;
-} SELinuxGetSelectionManagerReq;
+} SELinuxGetSecurityManagerReq;
 
 typedef struct {
     CARD8   type;
@@ -91,7 +91,7 @@ typedef struct {
     CARD32  pad4;
     CARD32  pad5;
     CARD32  pad6;
-} SELinuxGetSelectionManagerReply;
+} SELinuxGetSecurityManagerReply;
 
 typedef struct {
     CARD8   reqType;

From f82329b0811469ddae5c44dcfffa38185c11a67c Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Fri, 25 Jan 2008 16:20:46 -0500
Subject: [PATCH 30/33] XACE: Don't need to actually register a protocol
 extension.

---
 Xext/xace.c | 50 --------------------------------------------------
 Xext/xace.h |  3 ---
 2 files changed, 53 deletions(-)

diff --git a/Xext/xace.c b/Xext/xace.c
index e85a51714..632673548 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -221,51 +221,6 @@ int XaceHook(int hook, ...)
     return prv ? *prv : Success;
 }
 
-static int
-ProcXaceDispatch(ClientPtr client)
-{
-    REQUEST(xReq);
-
-    switch (stuff->data)
-    {
-	default:
-	    return BadRequest;
-    }
-} /* ProcXaceDispatch */
-
-static int
-SProcXaceDispatch(ClientPtr client)
-{
-    REQUEST(xReq);
-
-    switch (stuff->data)
-    {
-	default:
-	    return BadRequest;
-    }
-} /* SProcXaceDispatch */
-
-
-/* XaceResetProc
- *
- * Arguments:
- *	extEntry is the extension information for the XACE extension.
- *
- * Returns: nothing.
- *
- * Side Effects:
- *	Performs any cleanup needed by XACE at server shutdown time.
- */
-static void
-XaceResetProc(ExtensionEntry *extEntry)
-{
-    int i;
-
-    for (i=0; i<XACE_NUM_HOOKS; i++)
-	DeleteCallbackList(&XaceHooks[i]);
-} /* XaceResetProc */
-
-
 static int
 XaceCatchDispatchProc(ClientPtr client)
 {
@@ -365,11 +320,6 @@ void XaceExtensionInit(INITARGS)
     if (!AddCallback(&ClientStateCallback, XaceClientStateCallback, NULL))
 	return;
 
-    extEntry = AddExtension(XACE_EXTENSION_NAME,
-			    XaceNumberEvents, XaceNumberErrors,
-			    ProcXaceDispatch, SProcXaceDispatch,
-			    XaceResetProc, StandardMinorOpcode);
-
     /* initialize dispatching intercept functions */
     for (i = 0; i < 128; i++)
     {
diff --git a/Xext/xace.h b/Xext/xace.h
index 6f92290a0..fdf91d159 100644
--- a/Xext/xace.h
+++ b/Xext/xace.h
@@ -29,9 +29,6 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include "pixmap.h"     /* for DrawablePtr */
 #include "regionstr.h"  /* for RegionPtr */
 
-#define XaceNumberEvents		0
-#define XaceNumberErrors		0
-
 /* Default window background */
 #define XaceBackgroundNoneState		None
 

From 7724c30a751c653ca3e2e8a6752af27bc37de3f0 Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Fri, 25 Jan 2008 17:28:17 -0500
Subject: [PATCH 31/33] XACE: Stop using fake requestVectors in favor of a
 simple hook call.

---
 Xext/xace.c    | 139 +++++++------------------------------------------
 Xext/xace.h    |   6 +--
 dix/dispatch.c |   5 +-
 3 files changed, 24 insertions(+), 126 deletions(-)

diff --git a/Xext/xace.c b/Xext/xace.c
index 632673548..0b3baf6b1 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -28,27 +28,28 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 CallbackListPtr XaceHooks[XACE_NUM_HOOKS] = {0};
 
-/* Proc vectors for untrusted clients, swapped and unswapped versions.
- * These are the same as the normal proc vectors except that extensions
- * that haven't declared themselves secure will have ProcBadRequest plugged
- * in for their major opcode dispatcher.  This prevents untrusted clients
- * from guessing extension major opcodes and using the extension even though
- * the extension can't be listed or queried.
- */
-static int (*UntrustedProcVector[256])(
-    ClientPtr /*client*/
-);
-static int (*SwappedUntrustedProcVector[256])(
-    ClientPtr /*client*/
-);
-
 /* Special-cased hook functions.  Called by Xserver.
  */
-void XaceHookAuditBegin(ClientPtr ptr)
+int XaceHookDispatch(ClientPtr client, int major)
 {
-    XaceAuditRec rec = { ptr, 0 };
-    /* call callbacks, there is no return value. */
+    /* Call the audit begin callback, there is no return value. */
+    XaceAuditRec rec = { client, 0 };
     CallCallbacks(&XaceHooks[XACE_AUDIT_BEGIN], &rec);
+
+    if (major < 128) {
+	/* Call the core dispatch hook */
+	XaceCoreDispatchRec rec = { client, Success /* default allow */ };
+	CallCallbacks(&XaceHooks[XACE_CORE_DISPATCH], &rec);
+	return rec.status;
+    } else {
+	/* Call the extension dispatch hook */
+	ExtensionEntry *ext = GetExtensionEntry(major);
+	XaceExtAccessRec rec = { client, ext, DixUseAccess, Success };
+	if (ext)
+	    CallCallbacks(&XaceHooks[XACE_EXT_DISPATCH], &rec);
+	/* On error, pretend extension doesn't exist */
+	return (rec.status == Success) ? Success : BadRequest;
+    }
 }
 
 void XaceHookAuditEnd(ClientPtr ptr, int result)
@@ -221,116 +222,12 @@ int XaceHook(int hook, ...)
     return prv ? *prv : Success;
 }
 
-static int
-XaceCatchDispatchProc(ClientPtr client)
-{
-    REQUEST(xReq);
-    int major = stuff->reqType;
-    XaceCoreDispatchRec rec = { client, Success /* default allow */ };
-
-    if (!ProcVector[major])
-	return BadRequest;
-
-    /* call callbacks and return result, if any. */
-    CallCallbacks(&XaceHooks[XACE_CORE_DISPATCH], &rec);
-
-    if (rec.status != Success)
-	return rec.status;
-
-    return client->swapped ? 
-	(* SwappedProcVector[major])(client) :
-	(* ProcVector[major])(client);
-}
-
-static int
-XaceCatchExtProc(ClientPtr client)
-{
-    REQUEST(xReq);
-    int major = stuff->reqType;
-    ExtensionEntry *ext = GetExtensionEntry(major);
-    XaceExtAccessRec rec = { client, ext, DixUseAccess, Success };
-
-    if (!ext || !ProcVector[major])
-	return BadRequest;
-
-    /* call callbacks and return result, if any. */
-    CallCallbacks(&XaceHooks[XACE_EXT_DISPATCH], &rec);
-
-    if (rec.status != Success)
-	return BadRequest; /* pretend extension doesn't exist */
-
-    return client->swapped ?
-	(* SwappedProcVector[major])(client) :
-	(* ProcVector[major])(client);
-}
-
-	
-/* SecurityClientStateCallback
- *
- * Arguments:
- *	pcbl is &ClientStateCallback.
- *	nullata is NULL.
- *	calldata is a pointer to a NewClientInfoRec (include/dixstruct.h)
- *	which contains information about client state changes.
- *
- * Returns: nothing.
- *
- * Side Effects:
- * 
- * If a new client is connecting, its authorization ID is copied to
- * client->authID.  If this is a generated authorization, its reference
- * count is bumped, its timer is cancelled if it was running, and its
- * trustlevel is copied to TRUSTLEVEL(client).
- * 
- * If a client is disconnecting and the client was using a generated
- * authorization, the authorization's reference count is decremented, and
- * if it is now zero, the timer for this authorization is started.
- */
-
-static void
-XaceClientStateCallback(
-    CallbackListPtr *pcbl,
-    pointer nulldata,
-    pointer calldata)
-{
-    NewClientInfoRec *pci = (NewClientInfoRec *)calldata;
-    ClientPtr client = pci->client;
-
-    switch (client->clientState)
-    {
-	case ClientStateRunning:
-	{ 
-	    client->requestVector = client->swapped ?
-		SwappedUntrustedProcVector : UntrustedProcVector;
-	    break;
-	}
-	default: break; 
-    }
-} /* XaceClientStateCallback */
-
 /* XaceExtensionInit
  *
  * Initialize the XACE Extension
  */
 void XaceExtensionInit(INITARGS)
 {
-    ExtensionEntry	*extEntry;
-    int i;
-
-    if (!AddCallback(&ClientStateCallback, XaceClientStateCallback, NULL))
-	return;
-
-    /* initialize dispatching intercept functions */
-    for (i = 0; i < 128; i++)
-    {
-	UntrustedProcVector[i] = XaceCatchDispatchProc;
-	SwappedUntrustedProcVector[i] = XaceCatchDispatchProc;
-    }
-    for (i = 128; i < 256; i++)
-    {
-	UntrustedProcVector[i] = XaceCatchExtProc;
-	SwappedUntrustedProcVector[i] = XaceCatchExtProc;
-    }
 }
 
 /* XaceCensorImage
diff --git a/Xext/xace.h b/Xext/xace.h
index fdf91d159..a8fac98e2 100644
--- a/Xext/xace.h
+++ b/Xext/xace.h
@@ -65,8 +65,8 @@ extern int XaceHook(
 
 /* Special-cased hook functions
  */
+extern int XaceHookDispatch(ClientPtr ptr, int major);
 extern void XaceHookAuditEnd(ClientPtr ptr, int result);
-extern void XaceHookAuditBegin(ClientPtr ptr);
 
 /* Register a callback for a given hook.
  */
@@ -101,13 +101,13 @@ extern void XaceCensorImage(
 
 #ifdef __GNUC__
 #define XaceHook(args...) Success
+#define XaceHookDispatch(args...) Success
 #define XaceHookAuditEnd(args...) { ; }
-#define XaceHookAuditBegin(args...) { ; }
 #define XaceCensorImage(args...) { ; }
 #else
 #define XaceHook(...) Success
+#define XaceHookDispatch(...) Success
 #define XaceHookAuditEnd(...) { ; }
-#define XaceHookAuditBegin(...) { ; }
 #define XaceCensorImage(...) { ; }
 #endif
 
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 004509caa..663bf7dd5 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -463,8 +463,9 @@ Dispatch(void)
 		if (result > (maxBigRequestSize << 2))
 		    result = BadLength;
 		else {
-		    XaceHookAuditBegin(client);
-		    result = (* client->requestVector[MAJOROP])(client);
+		    result = XaceHookDispatch(client, MAJOROP);
+		    if (result == Success)
+			result = (* client->requestVector[MAJOROP])(client);
 		    XaceHookAuditEnd(client, result);
 		}
 #ifdef XSERVER_DTRACE

From f6a78ee143e3a3ad69538adf2b9675d724468ffa Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Fri, 25 Jan 2008 18:04:10 -0500
Subject: [PATCH 32/33] XACE: Remove the extension code entirely, XACE is
 completely static now.

---
 Xext/xace.c                         |  9 ---------
 Xext/xace.h                         |  1 -
 hw/xfree86/dixmods/extmod/modinit.h |  4 ----
 mi/miinitext.c                      | 12 ------------
 4 files changed, 26 deletions(-)

diff --git a/Xext/xace.c b/Xext/xace.c
index 0b3baf6b1..0470e44dd 100644
--- a/Xext/xace.c
+++ b/Xext/xace.c
@@ -24,7 +24,6 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <stdarg.h>
 #include "scrnintstr.h"
 #include "xacestr.h"
-#include "modinit.h"
 
 CallbackListPtr XaceHooks[XACE_NUM_HOOKS] = {0};
 
@@ -222,14 +221,6 @@ int XaceHook(int hook, ...)
     return prv ? *prv : Success;
 }
 
-/* XaceExtensionInit
- *
- * Initialize the XACE Extension
- */
-void XaceExtensionInit(INITARGS)
-{
-}
-
 /* XaceCensorImage
  *
  * Called after pScreen->GetImage to prevent pieces or trusted windows from
diff --git a/Xext/xace.h b/Xext/xace.h
index a8fac98e2..4100ba16e 100644
--- a/Xext/xace.h
+++ b/Xext/xace.h
@@ -22,7 +22,6 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 #ifdef XACE
 
-#define XACE_EXTENSION_NAME		"XAccessControlExtension"
 #define XACE_MAJOR_VERSION		2
 #define XACE_MINOR_VERSION		0
 
diff --git a/hw/xfree86/dixmods/extmod/modinit.h b/hw/xfree86/dixmods/extmod/modinit.h
index 99d714c4f..116cb2ef7 100644
--- a/hw/xfree86/dixmods/extmod/modinit.h
+++ b/hw/xfree86/dixmods/extmod/modinit.h
@@ -125,10 +125,6 @@ extern void ShmRegisterFuncs(
     ShmFuncsPtr funcs);
 #endif
 
-#ifdef XACE
-extern void XaceExtensionInit(INITARGS);
-#endif
-
 #ifdef XSELINUX
 extern void SELinuxExtensionInit(INITARGS);
 #endif
diff --git a/mi/miinitext.c b/mi/miinitext.c
index b14690756..30cbc7a25 100644
--- a/mi/miinitext.c
+++ b/mi/miinitext.c
@@ -244,9 +244,6 @@ typedef void (*InitExtension)(INITARGS);
 #define _XAG_SERVER_
 #include <X11/extensions/Xagstr.h>
 #endif
-#ifdef XACE
-#include "xace.h"
-#endif
 #ifdef XCSECURITY
 #include "securitysrv.h"
 #include <X11/extensions/securstr.h>
@@ -323,9 +320,6 @@ extern void DbeExtensionInit(INITARGS);
 #ifdef XAPPGROUP
 extern void XagExtensionInit(INITARGS);
 #endif
-#ifdef XACE
-extern void XaceExtensionInit(INITARGS);
-#endif
 #ifdef XCSECURITY
 extern void SecurityExtensionInit(INITARGS);
 #endif
@@ -599,9 +593,6 @@ InitExtensions(argc, argv)
 #ifdef XAPPGROUP
     if (!noXagExtension) XagExtensionInit();
 #endif
-#ifdef XACE
-    XaceExtensionInit();
-#endif
 #ifdef XCSECURITY
     if (!noSecurityExtension) SecurityExtensionInit();
 #endif
@@ -696,9 +687,6 @@ static ExtensionModule staticExtensions[] = {
 #ifdef XAPPGROUP
     { XagExtensionInit, XAGNAME, &noXagExtension, NULL, NULL },
 #endif
-#ifdef XACE
-    { XaceExtensionInit, XACE_EXTENSION_NAME, NULL, NULL, NULL },
-#endif
 #ifdef XCSECURITY
     { SecurityExtensionInit, SECURITY_EXTENSION_NAME, &noSecurityExtension, NULL, NULL },
 #endif

From e915a2639752bc0ea9e6e192e020cc2031c08063 Mon Sep 17 00:00:00 2001
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date: Fri, 25 Jan 2008 19:22:19 -0500
Subject: [PATCH 33/33] xselinux: Move the extension to extmod instead of being
 built-in.

---
 Xext/Makefile.am                    | 2 +-
 hw/xfree86/dixmods/extmod/modinit.c | 9 +++++++++
 hw/xfree86/dixmods/extmod/modinit.h | 1 +
 mi/miinitext.c                      | 3 ---
 4 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/Xext/Makefile.am b/Xext/Makefile.am
index f57e59910..648736d95 100644
--- a/Xext/Makefile.am
+++ b/Xext/Makefile.am
@@ -76,7 +76,7 @@ endif
 # requires X-ACE extension
 XSELINUX_SRCS = xselinux.c xselinux.h
 if XSELINUX
-BUILTIN_SRCS += $(XSELINUX_SRCS)
+MODULE_SRCS += $(XSELINUX_SRCS)
 endif
 
 # Security extension: multi-level security to protect clients from each other
diff --git a/hw/xfree86/dixmods/extmod/modinit.c b/hw/xfree86/dixmods/extmod/modinit.c
index acd700694..d0d892aaf 100644
--- a/hw/xfree86/dixmods/extmod/modinit.c
+++ b/hw/xfree86/dixmods/extmod/modinit.c
@@ -38,6 +38,15 @@ static MODULESETUPPROTO(extmodSetup);
  * Array describing extensions to be initialized
  */
 static ExtensionModule extensionModules[] = {
+#ifdef XSELINUX
+    {
+	SELinuxExtensionInit,
+	SELINUX_EXTENSION_NAME,
+	NULL,
+	NULL,
+	NULL
+    },
+#endif
 #ifdef SHAPE
     {
 	ShapeExtensionInit,
diff --git a/hw/xfree86/dixmods/extmod/modinit.h b/hw/xfree86/dixmods/extmod/modinit.h
index 116cb2ef7..3c2e2022a 100644
--- a/hw/xfree86/dixmods/extmod/modinit.h
+++ b/hw/xfree86/dixmods/extmod/modinit.h
@@ -127,6 +127,7 @@ extern void ShmRegisterFuncs(
 
 #ifdef XSELINUX
 extern void SELinuxExtensionInit(INITARGS);
+#include "xselinux.h"
 #endif
 
 #if 1
diff --git a/mi/miinitext.c b/mi/miinitext.c
index 30cbc7a25..261fac9fc 100644
--- a/mi/miinitext.c
+++ b/mi/miinitext.c
@@ -690,9 +690,6 @@ static ExtensionModule staticExtensions[] = {
 #ifdef XCSECURITY
     { SecurityExtensionInit, SECURITY_EXTENSION_NAME, &noSecurityExtension, NULL, NULL },
 #endif
-#ifdef XSELINUX
-    { SELinuxExtensionInit, SELINUX_EXTENSION_NAME, NULL, NULL, NULL },
-#endif
 #ifdef XPRINT
     { XpExtensionInit, XP_PRINTNAME, NULL, NULL, NULL },
 #endif