Integer overflows can occur in the code validating the parameters for
the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient
and SProcRenderCreateConicalGradient functions, leading to memory
corruption by swapping bytes outside of the intended request
parameters.
An integer overflow may occur in the computation of the
size of the glyph to be allocated by the ProcRenderCreateCursor()
function which will cause less memory to be allocated than expected,
leading later to dereferencing un-mapped memory, causing a crash of
the X server.
An integer overflow may occur in the computation of the size of the
glyph to be allocated by the AllocateGlyph() function which will cause
less memory to be allocated than expected, leading to a later heap
overflow.
On systems where the X SIGSEGV handler includes a stack trace, more
malloc()-type functions are called, which may lead to other
exploitable issues.
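The three advisory items above share one root cause: a size or count computed in 32-bit arithmetic that wraps before it is compared against the request length or handed to the allocator. The C program below is an added illustration and is not code from the X server or from the commits described on this page. It pairs an unchecked computation with a hardened one for the glyph-size case (CreateCursor/AllocateGlyph) and for the gradient-stop request-length case (SProc*Gradient). The layout it assumes (a 12-byte gradient stop, an 8-byte request header, a 16 MiB policy cap) and every function name in it are constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for this example, not the X server's protocol
 * structures: a gradient stop is modelled as a 4-byte fixed-point offset
 * followed by an 8-byte colour, 12 bytes in all. */
#define STOP_SIZE 12u

/* --- Allocation-size arithmetic (the CreateCursor/AllocateGlyph pattern) --- */

/* Unsafe: all operands are 32-bit, so the product silently wraps and a
 * huge image can yield a tiny (even zero) allocation size. */
uint32_t glyph_bytes_unsafe(uint32_t width, uint32_t height, uint32_t bpp_bytes)
{
    return width * height * bpp_bytes;
}

/* Hardened: each multiplication is checked against UINT32_MAX before it is
 * performed, and the result is capped by an explicit policy limit.
 * Returns false (and leaves *out untouched) when the request is rejected. */
bool glyph_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp_bytes,
                         uint32_t max_bytes, uint32_t *out)
{
    if (width == 0 || height == 0 || bpp_bytes == 0)
        return false;
    if (width > UINT32_MAX / height)          /* width * height would wrap */
        return false;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bpp_bytes)        /* area * bpp would wrap */
        return false;
    uint32_t bytes = area * bpp_bytes;
    if (bytes > max_bytes)
        return false;
    *out = bytes;
    return true;
}

/* --- Request-length validation (the SProc*Gradient pattern) --- */

/* Unsafe: nStops * STOP_SIZE wraps for large nStops, the comparison passes,
 * and a byte-swapping loop driven by nStops then walks past the request. */
bool stops_fit_unsafe(uint32_t req_bytes, uint32_t header_bytes, uint32_t nStops)
{
    return req_bytes >= header_bytes + nStops * STOP_SIZE;
}

/* Hardened: bound the count by the space that actually arrived; the
 * division cannot wrap, so no value of nStops can sneak through. */
bool stops_fit_checked(uint32_t req_bytes, uint32_t header_bytes, uint32_t nStops)
{
    if (req_bytes < header_bytes)
        return false;
    return nStops <= (req_bytes - header_bytes) / STOP_SIZE;
}

int main(void)
{
    uint32_t n = 0;
    printf("unsafe glyph size for 32768x32768x4: %" PRIu32 " bytes\n",
           glyph_bytes_unsafe(32768, 32768, 4));           /* wraps to 0 */
    printf("checked glyph size for 32768x32768x4: %s\n",
           glyph_bytes_checked(32768, 32768, 4, 1u << 24, &n) ? "ok" : "rejected");
    printf("checked glyph size for 64x64x4: %s, %" PRIu32 " bytes\n",
           glyph_bytes_checked(64, 64, 4, 1u << 24, &n) ? "ok" : "rejected", n);

    uint32_t evil = 1u << 30;   /* evil * 12 == 3 * 2^32, i.e. 0 mod 2^32 */
    printf("unsafe length check with nStops=%" PRIu32 ": %s\n", evil,
           stops_fit_unsafe(32, 8, evil) ? "accepted" : "rejected");
    printf("checked length check with nStops=%" PRIu32 ": %s\n", evil,
           stops_fit_checked(32, 8, evil) ? "accepted" : "rejected");
    return 0;
}
```

Build with any C99 compiler (for example cc -Wall -O2 example.c). The unsafe glyph computation returns 0 for a 32768x32768 image, so the server would allocate nothing and then write 4 GiB into it; the unsafe length check accepts 2^30 stops in a 32-byte request. Dividing the available bytes by the element size, rather than multiplying the attacker-controlled count, is the general fix, and it is what the checked variants do.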
* Port fix for bug 7685 from pixman. Patch by Carl Worth
* Add projective version of radial gradient code.
* Make sure that all Pict*Gradient types have PictGradient as prefix,
since code in various places relies on that.
Get rid of almost all uses of these definitions. They're still defined for
delinquent out-of-tree drivers, and also for the Mesa build. As well as
for miinitext.c. But largely gone.
Now, we only check for filter commonality if we're operating on a source
picture, and we compare the id (screen-independent index of the filter name)
rather than the pointer to the filter (per-screen state).
Now, filters may only be set on source pictures when the filter is common to
all screens. Also, like SetPictureTransform, ChangePictureFilter is now not
called on source pictures.
A screen's ChangePictureTransform now isn't called when changing the transform,
as source pictures aren't associated with screens. Also, attempting to set
an AlphaMap to a source picture will fail with BadMatch just like a Window
would, preventing another crash.
Instead, stick the NULL return default case afterwards, so that the compiler can
warn us when we've got unimplemented cases. Removes some unimplemented and
unused 8bpp, depth 4 picture format names.
PICT_a8r8g8b8. Fixes a failure in the gradients test of rendercheck. In
the long term we could do better by setting the format to something
without alpha whenever the gradient doesn't contain colors with alpha.
This triggers a reduction of the over operation to a pure source
operation.