Commit Graph

12819 Commits

Author SHA1 Message Date
Alan Coopersmith
73b2660d72 Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396]
Save a pointer to the passed in closure structure before copying it
and overwriting the *c pointer to point to our copy instead of the
original.  If we hit an error, once we free(c), reset c to point to
the original structure before jumping to the cleanup code that
references *c.

Since one of the errors being checked for is whether the server was
able to malloc(c->nChars * itemSize), the client can potentially pass
a number of characters chosen to cause the malloc to fail and the
error path to be taken, resulting in the read from freed memory.

Since the memory is accessed almost immediately afterwards, and the
X server is mostly single threaded, the odds of the free memory having
invalid contents are low with most malloc implementations when not using
memory debugging features, but some allocators will definitely overwrite
the memory there, leading to a likely crash.

Reported-by: Pedro Ribeiro <pedrib@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
2013-10-14 17:56:44 -07:00
Alan Coopersmith
8afe20d4e3 Update GLX dependencies now that DRI & DRI2 are builtins, not modules
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-10-14 17:56:44 -07:00
Alan Coopersmith
2704bdb24a DMX glxproxy: Don't allocate & copy data just to free it unused
Two functions in the DMX glxproxy code loop over all the backend
screens, starting at the highest numbered and counting down to
the lowest.

Previously, for each screen, the code would allocate a buffer
large enough to read the reply from the backend, copy that reply
into the buffer, and then if it wasn't the final screen, free it.
Only the buffer from the final screen is used, to pass on to the
client in the reply.

This modifies it to just immediately discard the responses from
the screens as we loop through it, only doing the allocate & copy
work for the one buffer we pass back to the client.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Alex Deucher <aleander.deucher@amd.com>
2013-10-14 17:56:44 -07:00
Alan Coopersmith
6c06c268ad Skip damage calls if DamageCreate fails in exa functions
Fixes parfait errors such as:
   Null pointer dereference (CWE 476): Write to null pointer pDamage
        at line 1833 of miext/damage/damage.c in function 'DamageRegister'.
          Function DamageCreate may return constant 'NULL' at line 1775,
              called at line 232 of exa/exa_migration_mixed.c
              in function 'exaPrepareAccessReg_mixed'.
          Constant 'NULL' passed into function DamageRegister,
              argument pDamage, from call at line 237.
          Null pointer introduced at line 1775 of miext/damage/damage.c
              in function 'DamageCreate'.
   Null pointer dereference (CWE 476): Write to null pointer pDamage
        at line 1833 of miext/damage/damage.c in function 'DamageRegister'.
          Function DamageCreate may return constant 'NULL' at line 1775,
              called at line 104 of exa/exa_mixed.c
              in function 'exaCreatePixmap_mixed'.
          Constant 'NULL' passed into function DamageRegister,
              argument pDamage, from call at line 109.
          Null pointer introduced at line 1775 of miext/damage/damage.c
              in function 'DamageCreate'.

Checks are similar to handling results of other calls to DamageCreate.

[ This bug was found by the Parfait 1.3.0 bug checking tool.
  http://labs.oracle.com/pls/apex/f?p=labs:49:::::P49_PROJECT_ID:13 ]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-10-14 17:56:44 -07:00
Peter Hutterer
7cf1b595c8 dix: only deliver for the current grab type
Use the grabtype to determine which type of event to send - all other events
are pointless and may result in erroneous events being delivered.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:38 +10:00
Peter Hutterer
78944d62ff dix: don't attempt to deliver an event for a different grabtype
For an active grab, grab->eventMask can be either the core or the XI1 mask.
With the overlap of event filters, calling DeliverOneGrabbedEvent(XI1) for a
ProximityOut event will trigger if the client has selected for enter events -
the filter is the same for both.

Thus, we end up delivering a proximity event to a client not expecting one.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:38 +10:00
Peter Hutterer
6159811a1a include: change grabtypes to start at 1
Avoid erroneous detection of an unset grabtype as CORE

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:37 +10:00
Peter Hutterer
be6ea80b79 dix: only allow button and key events to freeze a sync'd pointer
If a client calls XAllowEvents(SyncPointer) it expects events as normal until
the next button press or release event - that freezes the device. An e.g.
proximity event must thus not freeze the pointer.

As per the spec, only button and key events may do so, so narrow it to these
cases.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:37 +10:00
Michele Baldessari
93a27b2dd0 Xephyr: restore cursor visibility
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=69388

Commit c100211034 (dix: only show the cursor
if a window defines one (#58398)) broke the default cursor behaviour in
Xephyr (unless run with -retro). Restore the default cursor visibility
so that '-retro' or '-host-cursor' are not needed to have a visible
cursor.

Signed-off-by: Michele Baldessari <michele@acksyn.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

as of ba387cf21f "ephyr: Use host (HW) cursors
by default." this only applies if -sw-cursor is given on the cmdline.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:37 +10:00
Michele Baldessari
70efc799cb Fix Xephyr compilation when DEBUG is enabled
When DEBUG is enabled Xephyr compilation fails:
ephyrdriext.c:343:133: error: 'is_ok' undeclared (first use in this
function)
     EPHYR_LOG("leave. is_ok:%d\n", is_ok);

Just remove bogus is_ok variable.

Signed-off-by: Michele Baldessari <michele@acksyn.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:37 +10:00
Adam Jackson
5ac4bfca64 input: calloc minimization for xi2mask_new
There's no reason to do this as (nmasks + 2) callocs, and it's a
surprisingly hot path.  Turns out you hit this ~once per passive grab,
and you do a few bajillion passive grab changes every time you enter or
leave the overview in gnome-shell.  According to a callgrind of Xorg
with gnome-shell-perf-tool run against it:

Ir before: 721437275
Ir after:  454227086

Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-10-14 11:07:37 +10:00
Jon TURNEY
44d502c6f1 hw/xwin: Fix for "glx: Remove screen number from __GLXconfig"
Fix compilation after commit c3c976f54c "glx:
Remove screen number from __GLXconfig"

Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
2013-10-09 14:51:53 +01:00
Keith Packard
6a9bd103cb Merge remote-tracking branch 'jeremyhu/master'
2013-10-07 17:29:38 -07:00
Emil Velikov
ea3b7db4b7 configure.ac: Include missing proto declarations in SDK_REQUIRED_MODULES
Commits a1d41e311c, 7d859bd878 & 3ed2c6e112 made extinit.h require
the XF86 Big Font, XRes & ScrnSaver proto headers, but failed to add them
to the SDK_REQUIRED_MODULES so pkg-config would find them for driver builds.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-07 11:20:58 -07:00
Jeremy Huddleston Sequoia
8aae28e3cb XQuartz: Don't set screen on __GLXConfig
Fixes regression introduced by c3c976f54c

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2013-10-06 09:20:45 -07:00
Jeremy Huddleston Sequoia
c5f8eb968e rootless: Use miCopyRegion instead of fbCopyRegion
Fixes regression introduced by e657635dbe

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2013-10-06 09:18:15 -07:00
Pino Toscano
ccbe17b1c6 os: move <arpa/inet.h> for any !win32 system
It is needed in IPv6 configurations (for inet_pton) also when
SIOCGIFCONF is not defined.

Signed-off-by: Pino Toscano <toscano.pino@tiscali.it>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
2013-10-05 15:26:55 +02:00
Pino Toscano
c079b8e675 xfree86/hurd: include <hurd.h>
Needed for using get_privileged_port.

Signed-off-by: Pino Toscano <toscano.pino@tiscali.it>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Julien Cristau <jcristau@debian.org>
2013-10-05 15:26:21 +02:00
Keith Packard
f0659a7f68 Bump version to 1.14.99.2
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 16:44:46 -07:00
Keith Packard
f2d149b6d1 kdrive/ephyr: Remove duplicate ephyrExtensions and ephyrExtensionInit decls
These were duplicated when GLX support was re-added on two different branches.

Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 16:43:41 -07:00
Gaetan Nadon
e0a678f059 xfree86: add a comment as to why the logdir is created
Without the logdir, the xserver will write the content of the log file on the
terminal stating that it cannot be written and will stop.

Refer to https://bugs.freedesktop.org/show_bug.cgi?id=3889

Reviewed-By:  Matt Dew <marcoz@osource.org>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 14:09:39 -07:00
Gaetan Nadon
5bdbf2dba3 xfree86: Use $(MKDIR_P) for better code portability
Still true that we should not use the lower case $(mkdir_p) version.
However, remove the 2005 comment as the MKDIR_P is widely used now.

Reviewed-By:  Matt Dew <marcoz@osource.org>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 14:09:37 -07:00
Gaetan Nadon
b8cfb0dc84 Uninstall X link and CYGWIN libXorg.exe.a in local install targets
It is our duty to uninstall any files and/or directories that we installed
through install-data-local and install-exec-hook.

Currently the X symbolic link to Xorg remains on disk after running
make uninstall.

Note the exception for logdir which is usually shared by other modules.

Reviewed-By:  Matt Dew <marcoz@osource.org>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 14:09:35 -07:00
Gaetan Nadon
35a528e492 Xorg binary: use install-exec-hook rather than install-exec-local
The former was explicitly designed to execute additional code after the binary
has been installed. The latter can be executed in any order, hence its
current dependency on install-binPROGRAMS as a workaround.

The CYGWIN libXorg.exe.a target is an installation target rather than
a post-installation one, so it should not be done as a hook. It does not depend
on the Xorg executable being installed.

Automake:
"These hooks are run after all other install rules of the appropriate type,
exec or data, have completed. So, for instance, it is possible to perform
post-installation modifications using an install hook".

"With the -local targets, there is no particular guarantee of execution order;
typically, they are run early, but with parallel make, there is no way
to be sure of that".

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 14:09:33 -07:00
Gaetan Nadon
a1d87576a3 Use $(LN_S) provided by AC_PROG_LN_S macro to create links
For better code portability.

Reviewed-By:  Matt Dew <marcoz@osource.org>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 14:09:30 -07:00
Gaetan Nadon
28c8e19107 The Xorg binary is missing the extension $(EXEEXT) in the makefile
This is not a problem on UNIX platforms, but on CYGWIN it creates a broken
link to Xorg rather than a link to Xorg.exe.

From the CYGWIN log on tinderbox, we can see that the executable Xorg.exe is
installed correctly. We can see the command used to create the link:

(cd /jhbuild/install/[...]/install/bin && rm -f X && ln -s Xorg X)

Note that the "relink" makefile target correctly appends $(EXEEXT) to Xorg.

Reviewed-By:  Matt Dew <marcoz@osource.org>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 14:09:26 -07:00
Keith Packard
f3b529bf25 Merge remote-tracking branch 'anholt/ephyr-fixes'
2013-10-04 14:04:48 -07:00
Gaetan Nadon
4399bd3832 miext/shadow: missing c2p_core.h breaks "make distcheck" target.
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Signed-off-by: Keith Packard <keithp@keithp.com>
2013-10-04 13:56:01 -07:00
Keith Packard
9ccb4a6398 Merge remote-tracking branch 'whot/for-keith'
2013-10-04 13:54:55 -07:00
Keith Packard
5d2ec6933f Merge remote-tracking branch 'ajax/xserver-next'
2013-10-04 13:50:04 -07:00
Gaetan Nadon
da5e20127a test: add new os executable to .gitignore
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-09-25 03:52:54 +10:00
Laércio de Sousa
c73c36b537 xserver: enable InputClass option "GrabDevice" by default for non-seat0 seats (#69478)
This patch contributes to fill the remaining gaps which make
systemd-multi-seat-x wrapper still necessary in some multiseat setups.

This also replaces previous evdev patch that does the same thing
for that particular driver.

When option "-seat" is passed with an argument different from "seat0",
option "GrabDevice" for input devices is enabled by default
(no need of enabling it in xorg.conf's "InputClass" section).

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=69478

Signed-off-by: Laércio de Sousa <lbsousajr@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-09-25 03:52:54 +10:00
Peter Hutterer
160c2db32d dmx: provide enough space for axis mappings
relmap/absmap is used as a evdev-axis-to-x-axis mapping. ABS_X maps to
axis 0, ABS_Y to 1, etc. skipping over non-existing axes so that the third bit
set in the ABS_* range is axis 2, and so on. This requires us to actually have
enough space to have all the ABS_*/REL_* range.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-09-25 03:52:54 +10:00
Keith Packard
7d3d4ae55d damage: Must translate initial window damage by window offset
Damage is reported relative to the drawable origin, but the window
borderClip is absolute. Translate the region by the window position
before reporting damage to adjust.

Reported-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
2013-09-20 17:42:13 -05:00
Jeremy Huddleston Sequoia
8010d3a48b XQuartz: pbproxy: Fix build with -DDEBUG
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2013-09-16 07:06:57 -07:00
Jeremy Huddleston Sequoia
39c548da0c XQuartz: Fix build with moved pseudoramiX
Regression from: e716baedc4

Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
2013-09-16 07:06:48 -07:00
Adam Jackson
6ee4d9f94a glx: Fill in some missing attributes from DoGetFBConfigs
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:33 -04:00
Adam Jackson
b257fabff0 glx: Remove a dead comment
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:33 -04:00
Adam Jackson
abd0865021 glx: Catch another failure case in drawable creation
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:33 -04:00
Adam Jackson
c3c976f54c glx: Remove screen number from __GLXconfig
Not used.  There's no real reason to match against this instead of
matching against fbconfig or visual ID anyway.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:33 -04:00
Adam Jackson
1d1484e9bd glx: Remove pixmapMode from __GLXconfig
This has never been filled in with anything meaningful afaict, and you
can't get to it from the client in any event.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
34e6e60105 glx: Remove support for NV_vertex_program and NV_fragment_program
Mesa doesn't implement these anymore, never really did outside of swrast
anyway.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
acf14c1de7 glx: realloc style fix in RenderLarge
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
9ebf739a68 glx: Eliminate a small malloc from QueryContext
No reason to have that be a failure path.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
b99f797540 glx: Handle failure to create the pixmap backing the pbuffer
We happen not to sanitize the width/height we pass to CreatePixmap here,
oops.  It's not exploitable, but it's certainly a crash, so let's just
throw BadAlloc instead.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
22fbfdcb31 glx: Implement GLX_PRESERVED_CONTENTS drawable attribute
We back pixmaps with pbuffers so they're never actually clobbered.  Say
so when asked.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
2e20b8382c glx: Implement GLX_FBCONFIG_ID in GetDrawableAttributes
Required by GLX 1.4, section 3.3.6, "Querying Attributes".

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
0d76191bae glx: Implement GLX_{WIDTH,HEIGHT} in GetDrawableAttributes
Required by GLX 1.4, section 3.3.6, "Querying Attributes".

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
d11f13e383 glx: Compute number of attributes in GetDrawableAttributes on the fly
This doesn't have any effect yet, but is needed to properly build the
reply for pbuffers.

Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:32 -04:00
Adam Jackson
468b57324f glx: Style fixes
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-09-11 14:37:31 -04:00