Error: Write outside array bounds at Xext/geext.c:406
in function 'GEWindowSetMask' [Symbolic analysis]
In array dereference of cli->nextSib[extension] with index 'extension'
Array size is 128 elements (of 4 bytes each), index <= 128
Error: Buffer overflow at dix/events.c:592
in function 'SetMaskForEvent' [Symbolic analysis]
In array dereference of filters[deviceid] with index 'deviceid'
Array size is 20 elements (of 512 bytes each), index >= 0 and index <= 20
Error: Read buffer overflow at hw/xfree86/loader/loader.c:226
in function 'LoaderOpen' [Symbolic analysis]
In array dereference of refCount[new_handle] with index 'new_handle'
Array size is 256 elements (of 4 bytes each), index >= 1 and index <= 256
These bugs were found using the Parfait source code analysis tool.
For more information see http://research.sun.com/projects/parfait
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
This wrong check may cause BadLength to be returned to the client even if the
length is correct.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
We only put internal events into the queue now, so let's check for ET_Motion
rather than the MotionNotify.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
newer gcc's warn against how this cast is done (though it eludes me why),
and lrintf() is also faster especially on insane processors like the P4
(http://www.mega-nerd.com/FPcast).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This wrong check may cause BadLength to be returned to the client even if the
length is correct.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
We only put internal events into the queue now, so let's check for ET_Motion
rather than the MotionNotify.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This is a shorthand for disabling acceleration, while retaining the
possiblity to use constant deceleration. If constant deceleration is
also unused, it will optimize motion processing.
Other possiblities to deactivate acceleration were quite hidden,
and didn't always work as expected. E.g. xset m 1 1 would retain
adaptive deceleration, while xset m 1 0 would not (in the default
profile).
Also removes the 'reserved' profile; it was unused and it's trivial
to add new ones anyway.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
newer gcc's warn against how this cast is done (though it eludes me why),
and lrintf() is also faster especially on insane processors like the P4
(http://www.mega-nerd.com/FPcast).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Key events may change the modifier state, so we need to get the prev_state for
those (i.e. without the changes by the event already applied).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
I really don't know what the purpose of this variable is or was, aside from
potentially clobbering up our key state since there's a path where it may be
used uninitialised.
Also, this means that xkbi->prev_state is now accessible from the DIX with
meaningful data.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
With the Xtest virtual slave devices we have 4 devices for each MD
pointer/keyboard pair, plus the AllDevices and AllMasterDevices reserved
deviceids. It's quite easy to hit the current limit.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
BadDevice is an XI error, but this cannot happen for core XTest fake input
anyway since the device will be the matching virtual XTest slave device.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
A driver with this hook will take care of preparing the outputs & crtcs,
so calling the prepare functions will just cause unnecessary flicker.
Fixes bug #21077
BadDevice is an XI error, but this cannot happen for core XTest fake input
anyway since the device will be the matching virtual XTest slave device.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
With the Xtest virtual slave devices we have 4 devices for each MD
pointer/keyboard pair, plus the AllDevices and AllMasterDevices reserved
deviceids. It's quite easy to hit the current limit.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
When ProcXkbSetNamedIndicator is called on a core device, and we
walk the slaves to set the LED's on each of them, ignore any slaves
that do not have either a KbdFeedbackCtrl or LedCtrl structure.
(This is much more critical in xserver-1.5-branch, where we walk
*all* devices, not just the slaves of the specified master, and
thus return failure when setting an LED on the Core Keyboard and
hit a xf86-input-mouse device with no LED's to set.)
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
For redirected rendering we end up with pixmaps (which the app thinks are
windows) that are double buffered.
Signed-off-by: Ian Romanick <ian.d.romanick@intel.com>
Tested-by: Pierre Willenbrock <pierre@pirsoft.de>
We only have one root window and writing the rules used to the same property
for each device is quite pointless if you don't have the same RMLVO on all
devices. So let's be sensible and write the same property to the device too,
so at least we know which device got loaded with which RMLVO.
Zapping is triggered by xkb these days, so note in the man page that it's the
Terminate_Server action. Since it's XKB, personal preferences towards or
against zapping should be achieved through xkb rulesets.
If Terminate_Server is not in the xkb actions, then we can't zap anyway and we
don't need a default of DontZap "on".
This patch restores the old meaning of DontZap - disallow zapping altogether,
regardless of XKB's current keymap.
Ideally, this patch should be accompanied by b0f64bdab00db652e in
xkeyboard-config.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>