Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
(cherry picked from commit 95d162c438)
An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
(cherry picked from commit 063f18ef6d)
This allows using PanoramiXTranslateVisualID to test whether a given visual made
it through PanoramiXVisualConsolidate.
(cherry picked from commit 8b3d26f5b6)
Create a new exported global variable, XineramaVisualsEqualPtr. Use this
pointer to decide whether two visuals are equal during visual consolidation.
This pointer can be wrapped, which allows drivers and extensions to control
which visuals are consolidated. A wrapper can reject the visuals without
calling down, but must call down and return that result if it deems the visuals
equal. This ensures that all layers agree that the visuals are equal.
Pass the screen of the other visual into the VisualsEqual callchain.
Don't free PanoramiXVisuals since we need it for PanoramiXTranslateVisualID.
Don't skip the first visual on the other screen in PanoramiXMaybeAddVisual.
Skip the loop in PanoramiXTranslateVisualID if screen is 0.
(cherry picked from commit c50b5d9789)
Patch by Joe Nall.
The option goes in the "extmod" subsection.
TODO: Make it easier for extension modules to handle their own options.
(cherry picked from commit b5f98fcea2)
Makes it easier to figure out what you're seeing in the stack trace
instead of wondering where in the server "ProcSend" is.
(cherry picked from commit 060a99444e)
Formerly the code claimed it could only handle up to 256 visuals, which
was true. Also true, but not explicitly stated, was that it could only
handle visuals with VID < 256. If you have enough screens, and subsystems
that add lots of visuals, you can easily run off the end. (Made worse
because we allocate visual IDs from the same pool as XIDs.) If your app
then chooses a visual > 256, then the Xinerama code would throw BadMatch
on CreateColormap and your app wouldn't start.
With this change, PanoramiXVisualTable is gone. Other subsystems that
were using it as a translation table between each screen's visuals now
use a PanoramiXTranslateVisual() helper.
To recap: the original XC-SECURITY extension disallowed background "None" if
the window was untrusted. XACE 1.0 preserved this check as a hook function.
XACE pre-2.0 removed the hook and first abolished background "None entirely,
then restored it as a global on/off switch in response to Bug #13683.
Now it's back to being per-window, via a flag instead of a hook function.
Move size validation after depth validation, and only validate size if
the bpp of the pixmap format is > 8. If bpp < 8 then we're already
protected from overflow by the width and height checks.
