summaryrefslogtreecommitdiff
path: root/extra/xorg-server/git-fixes.patch
diff options
context:
space:
mode:
Diffstat (limited to 'extra/xorg-server/git-fixes.patch')
-rw-r--r--extra/xorg-server/git-fixes.patch288
1 files changed, 288 insertions, 0 deletions
diff --git a/extra/xorg-server/git-fixes.patch b/extra/xorg-server/git-fixes.patch
new file mode 100644
index 000000000..3c59c27c9
--- /dev/null
+++ b/extra/xorg-server/git-fixes.patch
@@ -0,0 +1,288 @@
+From bd6ea85209e5ab80375d4ec9994d10a89fd1374a Mon Sep 17 00:00:00 2001
+From: Jamey Sharp <jamey@minilop.net>
+Date: Wed, 15 Sep 2010 01:35:21 +0000
+Subject: Fix pixmap double-frees on error paths.
+
+If AddResource fails, it will automatically free the object that was
+passed to it by calling the appropriate deleteFunc; and of course
+FreeResource also calls the deleteFunc. In both cases it's wrong to call
+the destroy hook manually.
+
+Commit by Jamey Sharp and Josh Triplett.
+
+Signed-off-by: Jamey Sharp <jamey@minilop.net>
+Signed-off-by: Josh Triplett <josh@joshtriplett.org>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
+(cherry picked from commit 0f380a5005f800572773cd4667ce43c7459cc467)
+---
+diff --git a/Xext/shm.c b/Xext/shm.c
+index b08af82..4141a8f 100644
+--- a/Xext/shm.c
++++ b/Xext/shm.c
+@@ -991,7 +991,6 @@ CreatePmap:
+ pMap->drawable.serialNumber = NEXT_SERIAL_NUMBER;
+ pMap->drawable.id = newPix->info[j].id;
+ if (!AddResource(newPix->info[j].id, RT_PIXMAP, (pointer)pMap)) {
+- (*pScreen->DestroyPixmap)(pMap);
+ result = BadAlloc;
+ break;
+ }
+@@ -1002,10 +1001,8 @@ CreatePmap:
+ }
+
+ if(result == BadAlloc) {
+- while(j--) {
+- (*pScreen->DestroyPixmap)(pMap);
++ while(j--)
+ FreeResource(newPix->info[j].id, RT_NONE);
+- }
+ free(newPix);
+ } else
+ AddResource(stuff->pid, XRT_PIXMAP, newPix);
+@@ -1110,7 +1107,6 @@ CreatePmap:
+ {
+ return Success;
+ }
+- pDraw->pScreen->DestroyPixmap(pMap);
+ }
+ return BadAlloc;
+ }
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 192c8c3..f8200b1 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -1419,7 +1419,6 @@ CreatePmap:
+ }
+ if (AddResource(stuff->pid, RT_PIXMAP, (pointer)pMap))
+ return Success;
+- (*pDraw->pScreen->DestroyPixmap)(pMap);
+ }
+ return BadAlloc;
+ }
+--
+cgit v0.9.0.2-2-gbebe
+From 347f5610ca023fb31485aa19c20607af8bf9c834 Mon Sep 17 00:00:00 2001
+From: Carlos Garnacho <carlosg@gnome.org>
+Date: Tue, 30 Aug 2011 22:46:52 +0000
+Subject: Xi: Fix passive XI2 ungrabs on XIAll[Master]Devices
+
+The corresponding DeviceIntPtr wasn't being gotten properly,
+resulting in BadDevice from dixLookupDevice().
+
+Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit f52d5cd374563544dafe29587411f345e31bbdf8)
+---
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index ae43433..5cdd8ac 100644
+--- a/Xi/xipassivegrab.c
++++ b/Xi/xipassivegrab.c
+@@ -261,9 +261,16 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
+ REQUEST(xXIPassiveUngrabDeviceReq);
+ REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
+
+- rc = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
+- if (rc != Success)
+- return rc;
++ if (stuff->deviceid == XIAllDevices)
++ dev = inputInfo.all_devices;
++ else if (stuff->deviceid == XIAllMasterDevices)
++ dev = inputInfo.all_master_devices;
++ else
++ {
++ rc = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
++ if (rc != Success)
++ return rc;
++ }
+
+ if (stuff->grab_type != XIGrabtypeButton &&
+ stuff->grab_type != XIGrabtypeKeycode &&
+--
+cgit v0.9.0.2-2-gbebe
+From e9ae33316012ffe9acfeeb7303ab3392c2ca2a2b Mon Sep 17 00:00:00 2001
+From: Sam Spilsbury <sam.spilsbury@canonical.com>
+Date: Wed, 14 Sep 2011 01:58:34 +0000
+Subject: Remove the SendEvent bit (0x80) before doing range checks on event type.
+
+Some extension libraries may set this bit before converting the event to
+wire protocol and as such range checking the event will cause an invalid
+BadValue error to result. As the documentation suggests the the bit
+should be "forced on", remove it before doing range checks and continue
+to force it on in the server.
+
+Reviewed-by: Jamey Sharp <jamey@minilop.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2d2dce558d24eeea0eb011ec9ebaa6c5c2273c39)
+---
+diff --git a/dix/events.c b/dix/events.c
+index 8a4c6b9..9e58edb 100644
+--- a/dix/events.c
++++ b/dix/events.c
+@@ -5224,6 +5224,8 @@ CloseDownEvents(void)
+ InputEventList = NULL;
+ }
+
++#define SEND_EVENT_BIT 0x80
++
+ /**
+ * Server-side protocol handling for SendEvent request.
+ *
+@@ -5241,6 +5243,16 @@ ProcSendEvent(ClientPtr client)
+
+ REQUEST_SIZE_MATCH(xSendEventReq);
+
++ /* libXext and other extension libraries may set the bit indicating
++ * that this event came from a SendEvent request so remove it
++ * since otherwise the event type may fail the range checks
++ * and cause an invalid BadValue error to be returned.
++ *
++ * This is safe to do since we later add the SendEvent bit (0x80)
++ * back in once we send the event to the client */
++
++ stuff->event.u.u.type &= ~(SEND_EVENT_BIT);
++
+ /* The client's event type must be a core event type or one defined by an
+ extension. */
+
+@@ -5298,7 +5310,7 @@ ProcSendEvent(ClientPtr client)
+ client->errorValue = stuff->propagate;
+ return BadValue;
+ }
+- stuff->event.u.u.type |= 0x80;
++ stuff->event.u.u.type |= SEND_EVENT_BIT;
+ if (stuff->propagate)
+ {
+ for (;pWin; pWin = pWin->parent)
+--
+cgit v0.9.0.2-2-gbebe
+From b45e22675364915c32560c26404cf30d77ab68aa Mon Sep 17 00:00:00 2001
+From: Alan Hourihane <alanh@vmware.com>
+Date: Wed, 05 Oct 2011 02:42:46 +0000
+Subject: dixfonts: Don't overwrite local c variable until new_closure is safely initialized.
+
+Signed-off-by: Alan Hourihane <alanh@vmware.com>
+Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+(cherry picked from commit 7a33c5b934382b5554f41ab1502514e91c9bc52e)
+---
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index fbac124..d2bcb84 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1302,31 +1302,30 @@ doPolyText(ClientPtr client, PTclosurePtr c)
+ goto bail;
+ }
+ *new_closure = *c;
+- c = new_closure;
+
+- len = c->endReq - c->pElt;
+- c->data = malloc(len);
+- if (!c->data)
++ len = new_closure->endReq - new_closure->pElt;
++ new_closure->data = malloc(len);
++ if (!new_closure->data)
+ {
+- free(c);
++ free(new_closure);
+ err = BadAlloc;
+ goto bail;
+ }
+- memmove(c->data, c->pElt, len);
+- c->pElt = c->data;
+- c->endReq = c->pElt + len;
++ memmove(new_closure->data, new_closure->pElt, len);
++ new_closure->pElt = new_closure->data;
++ new_closure->endReq = new_closure->pElt + len;
+
+ /* Step 2 */
+
+- pGC = GetScratchGC(c->pGC->depth, c->pGC->pScreen);
++ pGC = GetScratchGC(new_closure->pGC->depth, new_closure->pGC->pScreen);
+ if (!pGC)
+ {
+- free(c->data);
+- free(c);
++ free(new_closure->data);
++ free(new_closure);
+ err = BadAlloc;
+ goto bail;
+ }
+- if ((err = CopyGC(c->pGC, pGC, GCFunction |
++ if ((err = CopyGC(new_closure->pGC, pGC, GCFunction |
+ GCPlaneMask | GCForeground |
+ GCBackground | GCFillStyle |
+ GCTile | GCStipple |
+@@ -1337,15 +1336,16 @@ doPolyText(ClientPtr client, PTclosurePtr c)
+ Success)
+ {
+ FreeScratchGC(pGC);
+- free(c->data);
+- free(c);
++ free(new_closure->data);
++ free(new_closure);
+ err = BadAlloc;
+ goto bail;
+ }
++ c = new_closure;
+ origGC = c->pGC;
+ c->pGC = pGC;
+ ValidateGC(c->pDraw, c->pGC);
+-
++
+ ClientSleep(client, (ClientSleepProcPtr)doPolyText, c);
+
+ /* Set up to perform steps 3 and 4 */
+--
+cgit v0.9.0.2-2-gbebe
+From bec15eb73a17fb47963ff6b747ea504f7dc05deb Mon Sep 17 00:00:00 2001
+From: Kirill Elagin <kirelagin@gmail.com>
+Date: Tue, 04 Oct 2011 19:02:20 +0000
+Subject: Fix server crash due to invalid images
+
+See https://bugs.freedesktop.org/show_bug.cgi?id=39383
+
+Signed-off-by: Kirill Elagin <kirelagin@gmail.com>
+Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+(cherry picked from commit 53611213396479abfdce0f7752681572e0d26d78)
+---
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index d1fd0cb..57c93fd 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -163,7 +163,9 @@ create_bits_picture (PicturePtr pict,
+ (pixman_format_code_t)pict->format,
+ pixmap->drawable.width, pixmap->drawable.height,
+ (uint32_t *)bits, stride * sizeof (FbStride));
+-
++
++ if (!image)
++ return NULL;
+
+ #ifdef FB_ACCESS_WRAPPER
+ #if FB_SHIFT==5
+--
+cgit v0.9.0.2-2-gbebe
+From 65469f5ea98074ab27ce0a2d482157b9d5c2cbc7 Mon Sep 17 00:00:00 2001
+From: vdb@picaros.org <vdb@picaros.org>
+Date: Sat, 17 Sep 2011 16:55:47 +0000
+Subject: Fix a rare memory leak
+
+Signed-off-by: Servaas Vandenberghe <vdb@picaros.org>
+Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+(cherry picked from commit e4cddf509e1729e8ff40354275b65455111ad2bd)
+---
+diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
+index c2814d4..3fae039 100644
+--- a/hw/xfree86/modes/xf86Crtc.c
++++ b/hw/xfree86/modes/xf86Crtc.c
+@@ -133,6 +133,7 @@ xf86CrtcCreate (ScrnInfoPtr scrn,
+ crtcs = malloc((xf86_config->num_crtc + 1) * sizeof (xf86CrtcPtr));
+ if (!crtcs)
+ {
++ free(crtc->gamma_red);
+ free(crtc);
+ return NULL;
+ }
+--
+cgit v0.9.0.2-2-gbebe
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-19 01:50:16 +0000