Commit Graph

64 Commits

Author SHA1 Message Date
Alan Coopersmith 23e83724df Fix spelling/wording issues
Most (but not all) of these were found by using
  codespell --builtin clear,rare,usage,informal,code,names
but not everything reported by that was fixed.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2020-07-05 13:07:33 -07:00
Nathan Kidd 4ca68b878e dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
2017-10-10 23:33:44 +02:00
Adam Jackson dc7ceda90f dispatch: Mark swapped dispatch as _X_COLD
This touches everything that ends up in the Xorg binary; the big missing
part is GLX since that's all generated code. Cuts about 14k from the
binary on amd64.

Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
2017-03-01 10:16:20 -05:00
Alan Coopersmith 1c56ac63c0 Convert top level extensions to new *allocarray functions
v2: remove now useless parentheses

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
2015-04-21 16:57:08 -07:00
Keith Packard b20912c3d4 dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.

At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.

Signed-off-by: Keith Packard <keithp@keithp.com
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-12-09 11:26:58 -08:00
Alan Coopersmith 2ef42519c4 dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.

SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc.  While doing the swapping, the
length field is not validated, which can cause memory corruption.

v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2014-12-08 18:09:48 -08:00
Peter Hutterer 732fd7e571 Drop trailing whitespaces
sed -i "s/[ ]\+$//g" **/*.(c|h)

happy reviewing...
git diff -w is an empty diff.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2014-11-12 10:25:00 +10:00
Keith Packard 60014a4a98 Replace 'pointer' type with 'void *'
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
2014-01-12 10:24:11 -08:00
Adam Jackson dbe10ef0e3 dbe: Fold the window private private into the window private
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-10 13:28:24 -04:00
Adam Jackson 1489637d56 dbe: Fold midbe reset into dix
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-10 13:28:24 -04:00
Adam Jackson 44d7707500 dbe: Drop the unused idiom support
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-10 13:28:23 -04:00
Daniel Stone a1d41e311c Move extension initialisation prototypes into extinit.h
Create extinit.h (and xf86Extensions.h, for Xorg-specific extensions) to
hold all our extension initialisation prototypes, rather than
duplicating them everywhere.

Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
2012-07-09 23:06:41 -07:00
Alan Coopersmith cc5f09c86f Use C99 designated initializers in various extension Replies
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
2012-07-09 19:58:30 -07:00
Alan Coopersmith 789d64e19a Remove unneccesary casts from WriteToClient calls
Casting return to (void) was used to tell lint that you intended
to ignore the return value, so it didn't warn you about it.

Casting the third argument to (char *) was used as the most generic
pointer type in the days before compilers supported C89 (void *)
(except for a couple places it's used for byte-sized pointer math).

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Tested-by: Daniel Stone <daniel@fooishbar.org>
2012-07-09 19:12:56 -07:00
Daniel Stone ab3a815a75 Indentation: Change '& stuff' to '&stuff'
If the typedef wasn't perfect, indent would get confused and change:
    foo = (SomePointlessTypedef *) &stuff[1];
to:
    foo = (SomePointlessTypedef *) & stuff[1];

Fix this up with a really naïve sed script, plus some hand-editing to
change some false positives in XKB back.

Signed-off-by: Daniel Stone <daniel@fooishbar.org>
2012-03-21 14:02:30 -07:00
Keith Packard 9838b7032e Introduce a consistent coding style
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:

	-bap
	-psl
	-T PrivatePtr
	-T pmWait
	-T _XFUNCPROTOBEGIN
	-T _XFUNCPROTOEND
	-T _X_EXPORT

The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.

The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.

The comparison was done with this script:

dir1=$1
dir2=$2

for dir in $dir1 $dir2; do
	(cd $dir && find . -name '*.o' | while read file; do
		dir=`dirname $file`
		base=`basename $file .o`
		dump=$dir/$base.dump
		objdump -d $file > $dump
	done)
done

find $dir1 -name '*.dump' | while read dump; do
	otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
	diff -u $dump $otherdump
done

Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2012-03-21 13:54:42 -07:00
Alan Coopersmith 3d41939d03 Unconditionally #include <stdint.h>
The more recent inclusions of this file haven't been checking for
HAVE_STDINT_H, so might as well make the older ones consistent.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
2011-09-23 16:46:23 -07:00
Matt Turner 2c7c520cfe Use internal temp variable for swap macros
Also, fix whitespace, mainly around
	swaps(&rep.sequenceNumber)

Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
2011-09-21 17:12:04 -04:00
Alan Coopersmith 043c175865 Clean up memory better when GetVisualInfo fails in ProcDbeGetVisualInfo
Use calloc to initialize pScrVisInfo array so we don't have to check
which ones were already initialized when freeing them all.

On failure, set rc if necessary, and jump to code at end that already
frees all the necessary allocations and return rc.

Fixes parfait reported error:
Error: Memory leak (CWE 401)
   Memory leak of pointer 'pScrVisInfo' allocated with malloc((count * 16))
        at line 724 of dbe/dbe.c in function 'ProcDbeGetVisualInfo'.
          'pScrVisInfo' allocated at line 693 with malloc((count * 16)).
          pScrVisInfo leaks when rc != 0 at line 710
              and j >= i at line 716.

[ This bug was found by the Parfait 0.3.7 bug checking tool.
  For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-05-02 20:38:16 -07:00
Mikhail Gusarov 7287ef9e6c Remove unnecessary parentheses around return values in functions
This patch was generated by the following Perl code:

perl -i -pe 's/([^_])return\s*\(\s*([^(]+?)\s*\)s*;(\s+(\n))?/$1return $2;$4/g;'

Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
2010-06-10 06:42:42 -07:00
Mikhail Gusarov 0a4d8cbdcd Remove more superfluous if(p) checks around free(p)
This patch has been generated by the following Coccinelle semantic patch:

@@
expression E;
@@

-if(E) { free(E); }
+free(E);

Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Reviewed-by: Matt Turner <mattst88@gmail.com>
2010-06-06 20:27:18 +07:00
Keith Packard faeebead7b Change the devPrivates API to require dixRegisterPrivateKey
This patch only changes the API, not the implementation of the
devPrivates infrastructure. This will permit a new devPrivates
implementation to be layed into the server without requiring
simultaneous changes in every devPrivates user.

Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com>
2010-06-05 19:23:03 -07:00
Keith Packard 431781a921 Remove dixRegisterPrivateOffset; hard-code devPrivates offsets instead
For predefined resource types, the offset of the devPrivates field was
already kept in a constant table. The only non-predefined type needing
this treatment was dbeDrawableResType, which is just a magic alias for
RT_PIXMAP.

This patch special-cases looking up RC_DRAWABLE offsets and uses the
table directly for everything else.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
2010-06-05 19:11:32 -07:00
Jamey Sharp c38552d115 Add typed resource-lookup errors for non-core resource types.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
2010-05-19 12:32:48 -07:00
Keith Packard 345eb17126 Remove dbe screen private privates.
Each DBE Screen private structure could have nested privates. Oddly,
no code ever used them.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
2010-05-15 19:57:48 -07:00
Jamey Sharp 92ed75ac59 Eliminate boilerplate around client->noClientException.
Just let Dispatch() check for a noClientException, rather than making
every single dispatch procedure take care of it.

Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
2010-05-13 17:14:07 -07:00
Jamey Sharp 6a84cd9434 Replace dixChangeGC with calls directly to the right variant.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
2010-05-13 17:14:07 -07:00
Jamey Sharp 65cedf3905 Kill DoChangeGC in favor of dixChangeGC.
This doesn't change any behavior, but it isn't clear whether NullClient
is correct in all cases. As ajax says,

> For most of these changes, I think it's correct to use NullClient,
> since they are server-initiated changes and should not fail for (eg)
> xace reasons. ... At any rate, you're certainly not changing any
> semantics by leaving them all as NullClient, so this patch can't be
> more wrong than before.

Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
2010-05-12 18:09:55 -07:00
Mikhail Gusarov 3f3ff971ec Replace X-allocation functions with their C89 counterparts
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.

X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.

Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2010-05-13 00:22:37 +07:00
Alan Coopersmith 895f40792a Add type name argument to CreateNewResourceType
Convert all calls of CreateNewResourceType to pass name argument

Breaks DIX ABI.

ABI versions bumped:

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
2009-12-18 17:44:12 -08:00
Alan Coopersmith a11c58fa0c Ensure all resource types created have names registered
Calls RegisterResourceName to record the type name for
use by X-Resource, XACE/SELinux/XTsol, and DTrace.

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
2009-12-18 16:51:45 -08:00
Alan Coopersmith eb750f8b5e Check for failures from CreateNewResourceType
Make sure to check return value before setting bitmask flags.
For most calls, just fails to init the extension.   Since Xinput
already calls FatalError() on initialization failure, so does
failure to allocate Xinput's resource type.

Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
2009-12-18 16:51:45 -08:00
Peter Hutterer e2226f3cd7 dbe: switch to byte counting functions
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2009-07-14 10:14:02 +10:00
Eamon Walsh 57aff88c7d Fix most remaining deprecated resource lookups.
Callsites updated to use dixLookupResourceBy{Type,Class}.
TODO: Audit access modes to make sure they reflect the usage.
2009-04-29 01:04:37 -04:00
Peter Hutterer cb95642dc8 Remove #define NEED_EVENTS and NEED_REPLIES
A grep on xorg/* revealed there's no consumer of this define.

Quote Alan Coopersmith:
"The consumer was in past versions of the headers now located
in proto/x11proto - for instance, in X11R6.0's xc/include/Xproto.h,
all the event definitions were only available if NEED_EVENTS were
defined, and all the reply definitions required NEED_REPLIES.

Looks like Xproto.h dropped them by X11R6.3, which didn't have
the #ifdef's anymore, so these are truly ancient now."

Signed-off-by: Peter Hutterer <peter.hutterer@redhat.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2008-12-12 11:43:32 +10:00
Paulo Cesar Pereira de Andrade 49f77fff14 Rework symbol visibility for easier maintenance
Save in a few special cases, _X_EXPORT should not be used in C source
files. Instead, it should be used in headers, and the proper C source
include that header. Some special cases are symbols that need to be
shared between modules, but not expected to be used by external drivers,
and symbols that are accessible via LoaderSymbol/dlopen.

  This patch also adds conditionally some new sdk header files, depending
on extensions enabled. These files were added to match pattern for
other extensions/modules, that is, have the headers "deciding" symbol
visibility in the sdk. These headers are:
o Xext/panoramiXsrv.h, Xext/panoramiX.h
o fbpict.h (unconditionally)
o vidmodeproc.h
o mioverlay.h (unconditionally, used only by xaa)
o xfixes.h (unconditionally, symbols required by dri2)

  LoaderSymbol and similar functions now don't have different prototypes,
in loaderProcs.h and xf86Module.h, so that both headers can be included,
without the need of defining IN_LOADER.

  xf86NewInputDevice() device prototype readded to xf86Xinput.h, but
not exported (and with a comment about it).
2008-12-03 05:43:34 -02:00
Paulo Cesar Pereira de Andrade d6cbd4511e Export symbols defined in the sdk.
This is the biggest "visibility" patch. Instead of doing a "export"
symbol on demand, export everything in the sdk, so that if some module
fails due to an unresolved symbol, it is because it is using a symbol
not in the sdk.

  Most exported symbols shouldn't really be made visible, neither
advertised in the sdk, as they are only used by a single shared object.

  Symbols in the sdk (or referenced in sdk macros), but not defined
anywhere include:
XkbBuildCoreState()
XkbInitialMap
XkbXIUnsupported
XkbCheckActionVMods()
XkbSendCompatNotify()
XkbDDXFakePointerButton()
XkbDDXApplyConfig()
_XkbStrCaseCmp()
_XkbErrMessages[]
_XkbErrCode
_XkbErrLocation
_XkbErrData
XkbAccessXDetailText()
XkbNKNDetailMaskText()
XkbLookupGroupAndLevel()
XkbInitAtoms()
XkbGetOrderedDrawables()
XkbFreeOrderedDrawables()
XkbConvertXkbComponents()
XkbWriteXKBSemantics()
XkbWriteXKBLayout()
XkbWriteXKBKeymap()
XkbWriteXKBFile()
XkbWriteCFile()
XkbWriteXKMFile()
XkbWriteToServer()
XkbMergeFile()
XkmFindTOCEntry()
XkmReadFileSection()
XkmReadFileSectionName()
InitExtInput()
xf86CheckButton()
xf86SwitchCoreDevice()
RamDacSetGamma()
RamDacRestoreDACValues()
xf86Bpp
xf86ConfigPix24
xf86MouseCflags[]
xf86SupportedMouseTypes[]
xf86NumMouseTypes
xf86ChangeBusIndex()
xf86EntityEnter()
xf86EntityLeave()
xf86WrapperInit()
xf86RingBell()
xf86findOptionBoolean()
xf86debugListOptions()
LoadSubModuleLocal()
LoaderSymbolLocal()
getInt10Rec()
xf86CurrentScreen
xf86ReallocatePciResources()
xf86NewSerialNumber()
xf86RandRSetInitialMode()
fbCompositeSolidMask_nx1xn
fbCompositeSolidMask_nx8888x0565C
fbCompositeSolidMask_nx8888x8888C
fbCompositeSolidMask_nx8x0565
fbCompositeSolidMask_nx8x0888
fbCompositeSolidMask_nx8x8888
fbCompositeSrc_0565x0565
fbCompositeSrc_8888x0565
fbCompositeSrc_8888x0888
fbCompositeSrc_8888x8888
fbCompositeSrcAdd_1000x1000
fbCompositeSrcAdd_8000x8000
fbCompositeSrcAdd_8888x8888
fbGeneration
fbIn
fbOver
fbOver24
fbOverlayGeneration
fbRasterizeEdges
fbRestoreAreas
fbSaveAreas
composeFunctions
VBEBuildVbeModeList()
VBECalcVbeModeIndex()
TIramdac3030CalculateMNPForClock()
shadowBufPtr
shadowFindBuf()
miRRGetScreenInfo()
RRSetScreenConfig()
RRModePruneUnused()
PixmanImageFromPicture()
extern int miPointerGetMotionEvents()
miClipPicture()
miRasterizeTriangle()
fbPush1toN()
fbInitializeBackingStore()
ddxBeforeReset()
SetupSprite()
InitSprite()
DGADeliverEvent()

  SPECIAL CASES
o defined as _X_INTERNAL
	xf86NewInputDevice()
o defined as static
	fbGCPrivateKey
	fbOverlayScreenPrivateKey
	fbScreenPrivateKey
	fbWinPrivateKey
o defined in libXfont.so, but declared in xorg/dixfont.h
	GetGlyphs()
	QueryGlyphExtents()
	QueryTextExtents()
	ParseGlyphCachingMode()
	InitGlyphCaching()
	SetGlyphCachingMode()
2008-11-29 23:56:06 -02:00
Adam Jackson 88297558aa Dead code cleanup over DBE.
No DDXes have explicit DBE support anymore, so the init registration
table never got used.  Just nuke it all.
2008-11-25 15:05:20 -05:00
Adam Jackson 0b7b89fbac xalloc+bzero -> xcalloc 2008-10-06 14:19:30 -04:00
Tomas Carnecky ebea78cdba Prepare for array-index based devPrivates.
TODO: static indices can be made just an int; some indices
can be combined.
2008-08-28 18:05:40 -04:00
Dave Airlie 23e71ef71a dbe: fix DoS reported by iDefense.
This isn't a security problem just a user could DoS themselves for fun or profit.
2008-06-12 09:04:24 +10:00
Eamon Walsh c934e1af27 Revert "registry: Register DBE extension protocol names."
This reverts commit 2e1e5be1d9.

Moving all the names into dix/registry.c
2007-11-20 17:32:35 -05:00
Eamon Walsh 2e1e5be1d9 registry: Register DBE extension protocol names. 2007-10-15 18:18:57 -04:00
Eamon Walsh e93cff52fe xace: add hooks + new access codes: DOUBLE-BUFFER extension 2007-09-19 14:48:20 -04:00
Eamon Walsh 4017d31902 devPrivates rework: since API is already broken, switch everything
over to new system.

Need to update documentation and address some remaining vestiges of
old system such as CursorRec structure, fb "offman" structure, and
FontRec privates.
2007-08-28 09:28:25 -04:00
Eamon Walsh 9a183d7ba5 dix: remove caching of drawables and graphics contexts. The security checks
simply bypass the cached values so they are unused.
2007-08-14 11:39:26 -04:00
Eamon Walsh f7c5aa0dc0 Remove dead NEED_DBE_BUF_BITS code. 2007-03-26 10:21:44 -04:00
Matthieu Herrb e3aa6ad201 Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
2007-01-09 14:14:19 +01:00
Eamon Walsh f11dafaafc Convert callers of SecurityLookupDrawable() to dixLookupDrawable(). 2006-12-15 16:51:58 -05:00
Eamon Walsh 25d5e0a629 Convert callers of SecurityLookupWindow() to dixLookupWindow(). 2006-12-15 15:50:46 -05:00