1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
|
From bd6ea85209e5ab80375d4ec9994d10a89fd1374a Mon Sep 17 00:00:00 2001
From: Jamey Sharp <jamey@minilop.net>
Date: Wed, 15 Sep 2010 01:35:21 +0000
Subject: Fix pixmap double-frees on error paths.
If AddResource fails, it will automatically free the object that was
passed to it by calling the appropriate deleteFunc; and of course
FreeResource also calls the deleteFunc. In both cases it's wrong to call
the destroy hook manually.
Commit by Jamey Sharp and Josh Triplett.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
(cherry picked from commit 0f380a5005f800572773cd4667ce43c7459cc467)
---
diff --git a/Xext/shm.c b/Xext/shm.c
index b08af82..4141a8f 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -991,7 +991,6 @@ CreatePmap:
pMap->drawable.serialNumber = NEXT_SERIAL_NUMBER;
pMap->drawable.id = newPix->info[j].id;
if (!AddResource(newPix->info[j].id, RT_PIXMAP, (pointer)pMap)) {
- (*pScreen->DestroyPixmap)(pMap);
result = BadAlloc;
break;
}
@@ -1002,10 +1001,8 @@ CreatePmap:
}
if(result == BadAlloc) {
- while(j--) {
- (*pScreen->DestroyPixmap)(pMap);
+ while(j--)
FreeResource(newPix->info[j].id, RT_NONE);
- }
free(newPix);
} else
AddResource(stuff->pid, XRT_PIXMAP, newPix);
@@ -1110,7 +1107,6 @@ CreatePmap:
{
return Success;
}
- pDraw->pScreen->DestroyPixmap(pMap);
}
return BadAlloc;
}
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 192c8c3..f8200b1 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -1419,7 +1419,6 @@ CreatePmap:
}
if (AddResource(stuff->pid, RT_PIXMAP, (pointer)pMap))
return Success;
- (*pDraw->pScreen->DestroyPixmap)(pMap);
}
return BadAlloc;
}
--
cgit v0.9.0.2-2-gbebe
From 347f5610ca023fb31485aa19c20607af8bf9c834 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Tue, 30 Aug 2011 22:46:52 +0000
Subject: Xi: Fix passive XI2 ungrabs on XIAll[Master]Devices
The corresponding DeviceIntPtr wasn't being gotten properly,
resulting in BadDevice from dixLookupDevice().
Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit f52d5cd374563544dafe29587411f345e31bbdf8)
---
diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
index ae43433..5cdd8ac 100644
--- a/Xi/xipassivegrab.c
+++ b/Xi/xipassivegrab.c
@@ -261,9 +261,16 @@ ProcXIPassiveUngrabDevice(ClientPtr client)
REQUEST(xXIPassiveUngrabDeviceReq);
REQUEST_AT_LEAST_SIZE(xXIPassiveUngrabDeviceReq);
- rc = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
- if (rc != Success)
- return rc;
+ if (stuff->deviceid == XIAllDevices)
+ dev = inputInfo.all_devices;
+ else if (stuff->deviceid == XIAllMasterDevices)
+ dev = inputInfo.all_master_devices;
+ else
+ {
+ rc = dixLookupDevice(&dev, stuff->deviceid, client, DixGrabAccess);
+ if (rc != Success)
+ return rc;
+ }
if (stuff->grab_type != XIGrabtypeButton &&
stuff->grab_type != XIGrabtypeKeycode &&
--
cgit v0.9.0.2-2-gbebe
From e9ae33316012ffe9acfeeb7303ab3392c2ca2a2b Mon Sep 17 00:00:00 2001
From: Sam Spilsbury <sam.spilsbury@canonical.com>
Date: Wed, 14 Sep 2011 01:58:34 +0000
Subject: Remove the SendEvent bit (0x80) before doing range checks on event type.
Some extension libraries may set this bit before converting the event to
wire protocol and as such range checking the event will cause an invalid
BadValue error to result. As the documentation suggests the the bit
should be "forced on", remove it before doing range checks and continue
to force it on in the server.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 2d2dce558d24eeea0eb011ec9ebaa6c5c2273c39)
---
diff --git a/dix/events.c b/dix/events.c
index 8a4c6b9..9e58edb 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -5224,6 +5224,8 @@ CloseDownEvents(void)
InputEventList = NULL;
}
+#define SEND_EVENT_BIT 0x80
+
/**
* Server-side protocol handling for SendEvent request.
*
@@ -5241,6 +5243,16 @@ ProcSendEvent(ClientPtr client)
REQUEST_SIZE_MATCH(xSendEventReq);
+ /* libXext and other extension libraries may set the bit indicating
+ * that this event came from a SendEvent request so remove it
+ * since otherwise the event type may fail the range checks
+ * and cause an invalid BadValue error to be returned.
+ *
+ * This is safe to do since we later add the SendEvent bit (0x80)
+ * back in once we send the event to the client */
+
+ stuff->event.u.u.type &= ~(SEND_EVENT_BIT);
+
/* The client's event type must be a core event type or one defined by an
extension. */
@@ -5298,7 +5310,7 @@ ProcSendEvent(ClientPtr client)
client->errorValue = stuff->propagate;
return BadValue;
}
- stuff->event.u.u.type |= 0x80;
+ stuff->event.u.u.type |= SEND_EVENT_BIT;
if (stuff->propagate)
{
for (;pWin; pWin = pWin->parent)
--
cgit v0.9.0.2-2-gbebe
From b45e22675364915c32560c26404cf30d77ab68aa Mon Sep 17 00:00:00 2001
From: Alan Hourihane <alanh@vmware.com>
Date: Wed, 05 Oct 2011 02:42:46 +0000
Subject: dixfonts: Don't overwrite local c variable until new_closure is safely initialized.
Signed-off-by: Alan Hourihane <alanh@vmware.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
(cherry picked from commit 7a33c5b934382b5554f41ab1502514e91c9bc52e)
---
diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index fbac124..d2bcb84 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -1302,31 +1302,30 @@ doPolyText(ClientPtr client, PTclosurePtr c)
goto bail;
}
*new_closure = *c;
- c = new_closure;
- len = c->endReq - c->pElt;
- c->data = malloc(len);
- if (!c->data)
+ len = new_closure->endReq - new_closure->pElt;
+ new_closure->data = malloc(len);
+ if (!new_closure->data)
{
- free(c);
+ free(new_closure);
err = BadAlloc;
goto bail;
}
- memmove(c->data, c->pElt, len);
- c->pElt = c->data;
- c->endReq = c->pElt + len;
+ memmove(new_closure->data, new_closure->pElt, len);
+ new_closure->pElt = new_closure->data;
+ new_closure->endReq = new_closure->pElt + len;
/* Step 2 */
- pGC = GetScratchGC(c->pGC->depth, c->pGC->pScreen);
+ pGC = GetScratchGC(new_closure->pGC->depth, new_closure->pGC->pScreen);
if (!pGC)
{
- free(c->data);
- free(c);
+ free(new_closure->data);
+ free(new_closure);
err = BadAlloc;
goto bail;
}
- if ((err = CopyGC(c->pGC, pGC, GCFunction |
+ if ((err = CopyGC(new_closure->pGC, pGC, GCFunction |
GCPlaneMask | GCForeground |
GCBackground | GCFillStyle |
GCTile | GCStipple |
@@ -1337,15 +1336,16 @@ doPolyText(ClientPtr client, PTclosurePtr c)
Success)
{
FreeScratchGC(pGC);
- free(c->data);
- free(c);
+ free(new_closure->data);
+ free(new_closure);
err = BadAlloc;
goto bail;
}
+ c = new_closure;
origGC = c->pGC;
c->pGC = pGC;
ValidateGC(c->pDraw, c->pGC);
-
+
ClientSleep(client, (ClientSleepProcPtr)doPolyText, c);
/* Set up to perform steps 3 and 4 */
--
cgit v0.9.0.2-2-gbebe
From bec15eb73a17fb47963ff6b747ea504f7dc05deb Mon Sep 17 00:00:00 2001
From: Kirill Elagin <kirelagin@gmail.com>
Date: Tue, 04 Oct 2011 19:02:20 +0000
Subject: Fix server crash due to invalid images
See https://bugs.freedesktop.org/show_bug.cgi?id=39383
Signed-off-by: Kirill Elagin <kirelagin@gmail.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
(cherry picked from commit 53611213396479abfdce0f7752681572e0d26d78)
---
diff --git a/fb/fbpict.c b/fb/fbpict.c
index d1fd0cb..57c93fd 100644
--- a/fb/fbpict.c
+++ b/fb/fbpict.c
@@ -163,7 +163,9 @@ create_bits_picture (PicturePtr pict,
(pixman_format_code_t)pict->format,
pixmap->drawable.width, pixmap->drawable.height,
(uint32_t *)bits, stride * sizeof (FbStride));
-
+
+ if (!image)
+ return NULL;
#ifdef FB_ACCESS_WRAPPER
#if FB_SHIFT==5
--
cgit v0.9.0.2-2-gbebe
From 65469f5ea98074ab27ce0a2d482157b9d5c2cbc7 Mon Sep 17 00:00:00 2001
From: vdb@picaros.org <vdb@picaros.org>
Date: Sat, 17 Sep 2011 16:55:47 +0000
Subject: Fix a rare memory leak
Signed-off-by: Servaas Vandenberghe <vdb@picaros.org>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
(cherry picked from commit e4cddf509e1729e8ff40354275b65455111ad2bd)
---
diff --git a/hw/xfree86/modes/xf86Crtc.c b/hw/xfree86/modes/xf86Crtc.c
index c2814d4..3fae039 100644
--- a/hw/xfree86/modes/xf86Crtc.c
+++ b/hw/xfree86/modes/xf86Crtc.c
@@ -133,6 +133,7 @@ xf86CrtcCreate (ScrnInfoPtr scrn,
crtcs = malloc((xf86_config->num_crtc + 1) * sizeof (xf86CrtcPtr));
if (!crtcs)
{
+ free(crtc->gamma_red);
free(crtc);
return NULL;
}
--
cgit v0.9.0.2-2-gbebe
|
