xorg-server: Changes to 'ubuntu'
debian/changelog | 19 +++
debian/patches/210_pixman_null_ptr_check.patch | 25 ++++
debian/patches/211_glx_fix_bindtextimageext_length_check.patch | 56 ++++++++++
debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch | 26 ++++
debian/patches/series | 3
5 files changed, 127 insertions(+), 2 deletions(-)
New commits:
commit ec2ca4e565e0b1385fdd03586f5dcc2aedf23a9f
Author: Bryce Harrington <bryce@canonical.com>
Date: Mon Feb 14 12:19:18 2011 -0800
* Add 211_glx_fix_bindtextimageext_length_check.patch,
212_fix_request_length_check_for_createglxpbuffersgix.patch:
- Correct wrong request size match for xGLXCreateGLXPbufferSGIXReq.
This can result in some invalid BadLength errors.
(LP: #714280)
diff --git a/debian/changelog b/debian/changelog
index 7d23055..09158b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu4) natty; urgency=low
+
+ * Add 211_glx_fix_bindtextimageext_length_check.patch,
+ 212_fix_request_length_check_for_createglxpbuffersgix.patch:
+ - Correct wrong request size match for xGLXCreateGLXPbufferSGIXReq.
+ This can result in some invalid BadLength errors.
+ (LP: #714280)
+
+ -- Bryce Harrington <bryce@ubuntu.com> Mon, 14 Feb 2011 12:07:45 -0800
+
xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low
* Restore 208_switch_on_release.diff - the patch does not appear to be
@@ -7,7 +17,7 @@ xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low
return NULL under a variety of circumstances, thus needs checked
before dereferencing it in the pixman_image_set_has_client_clip()
call.
- (LP: #705078)
+ (LP: #705078, deb: 596155, fdo: 28882)
-- Bryce Harrington <bryce@ubuntu.com> Thu, 03 Feb 2011 22:42:52 -0800
diff --git a/debian/patches/211_glx_fix_bindtextimageext_length_check.patch b/debian/patches/211_glx_fix_bindtextimageext_length_check.patch
new file mode 100644
index 0000000..114c0f7
--- /dev/null
+++ b/debian/patches/211_glx_fix_bindtextimageext_length_check.patch
@@ -0,0 +1,56 @@
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 0b375c3..5d633df 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
+ GLXDrawable drawId;
+ int buffer;
+ int error;
++ CARD32 num_attribs;
+
+- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
++ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
++ return BadLength;
+
+ pc += __GLX_VENDPRIV_HDR_SIZE;
+
+ drawId = *((CARD32 *) (pc));
+ buffer = *((INT32 *) (pc + 4));
++ num_attribs = *((CARD32 *) (pc + 8));
++ if (num_attribs > (UINT32_MAX >> 3)) {
++ client->errorValue = num_attribs;
++ return BadValue;
++ }
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
+
+ if (buffer != GLX_FRONT_LEFT_EXT)
+ return __glXError(GLXBadPixmap);
+diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
+index 9d96c9d..d58de62 100644
+--- a/glx/glxcmdsswap.c
++++ b/glx/glxcmdsswap.c
+@@ -648,19 +648,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
+ xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
+ GLXDrawable *drawId;
+ int *buffer;
++ CARD32 *num_attribs;
+ __GLX_DECLARE_SWAP_VARIABLES;
+
+- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
++ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
++ return BadLength;
+
+ pc += __GLX_VENDPRIV_HDR_SIZE;
+
+ drawId = ((GLXDrawable *) (pc));
+ buffer = ((int *) (pc + 4));
++ num_attribs = ((CARD32 *) (pc + 8));
+
+ __GLX_SWAP_SHORT(&req->length);
+ __GLX_SWAP_INT(&req->contextTag);
+ __GLX_SWAP_INT(drawId);
+ __GLX_SWAP_INT(buffer);
++ __GLX_SWAP_INT(num_attribs);
+
+ return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
+ }
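Review bot: The bound `num_attribs > (UINT32_MAX >> 3)` in __glXDisp_BindTexImageEXT still admits num_attribs == 0x1FFFFFFF, for which `12 + (num_attribs << 3)` wraps (assuming CARD32 is a 32-bit unsigned type) before it reaches REQUEST_FIXED_SIZE. The macro definition is not visible here, so whether the wrapped size is still rejected cannot be confirmed from the patch; tightening the guard to `if (num_attribs > ((UINT32_MAX - 12) >> 3)) {` keeps the size expression exact. Separately, the swapped handler advances `pc` by `__GLX_VENDPRIV_HDR_SIZE` and then passes that advanced pointer to __glXDisp_BindTexImageEXT, which advances it again in the visible context. The offsets covered by the new length checks may therefore not be the ones actually read on the byte-swapped path; this appears to predate the patch but is worth confirming. Both functions extend beyond the embedded hunks.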
diff --git a/debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch b/debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch
new file mode 100644
index 0000000..a8833d9
--- /dev/null
+++ b/debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch
@@ -0,0 +1,26 @@
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 3ef567d..0b375c3 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -1436,7 +1436,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
+ ClientPtr client = cl->client;
+ xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
+
+- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
++ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
+
+ return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
+ req->width, req->height, req->pbuffer);
+diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
+index 3bb4cad..9d96c9d 100644
+--- a/glx/glxcmdsswap.c
++++ b/glx/glxcmdsswap.c
+@@ -421,7 +421,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
+ xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
+ __GLX_DECLARE_SWAP_VARIABLES;
+
+- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
++ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
+
+ __GLX_SWAP_INT(&req->screen);
+ __GLX_SWAP_INT(&req->fbconfig);
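Review bot: Switching to `REQUEST_AT_LEAST_SIZE` in both CreateGLXPbufferSGIX handlers means any amount of trailing data is now accepted without being bounded or inspected, and nothing in the hunk says why. From the visible lines only the fixed fields reach DoCreatePbuffer, so no read past the checked length is apparent. A comment would still stop a later change from consuming the tail without validating it, e.g. `/* Request may carry trailing data after the fixed fields; it is not validated or used here. */`. The swapped handler likewise swaps only fixed fields in the visible part, and its body continues past the hunk.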
diff --git a/debian/patches/series b/debian/patches/series
index 760d1a7..ba03507 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,5 @@
208_switch_on_release.diff
209_add_legacy_bgnone_option.patch
210_pixman_null_ptr_check.patch
+211_glx_fix_bindtextimageext_length_check.patch
+212_fix_request_length_check_for_createglxpbuffersgix.patch
commit 8243aa67ddddd1f5840247a87d9b758708af691e
Author: Bryce Harrington <bryce@canonical.com>
Date: Thu Feb 3 22:48:40 2011 -0800
Add 210_pixman_null_ptr_check.patch: pixman_image_create_bits() can return NULL under a variety of circumstances, thus needs checked before dereferencing it in the pixman_image_set_has_client_clip() call. (LP: #705078)
diff --git a/debian/changelog b/debian/changelog
index 77d1b6d..7d23055 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,15 @@
-xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu2) UNRELEASED; urgency=low
+xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low
* Restore 208_switch_on_release.diff - the patch does not appear to be
upstream actually. Users confirm the fix regressed without it.
(LP: #711842)
+ * Add 210_pixman_null_ptr_check.patch: pixman_image_create_bits() can
+ return NULL under a variety of circumstances, thus needs checked
+ before dereferencing it in the pixman_image_set_has_client_clip()
+ call.
+ (LP: #705078)
- -- Bryce Harrington <bryce@ubuntu.com> Wed, 02 Feb 2011 09:39:54 -0800
+ -- Bryce Harrington <bryce@ubuntu.com> Thu, 03 Feb 2011 22:42:52 -0800
xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu1) natty; urgency=low
diff --git a/debian/patches/210_pixman_null_ptr_check.patch b/debian/patches/210_pixman_null_ptr_check.patch
new file mode 100644
index 0000000..9123bc7
--- /dev/null
+++ b/debian/patches/210_pixman_null_ptr_check.patch
@@ -0,0 +1,25 @@
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index 7636040..2798e24 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -163,7 +163,19 @@ create_bits_picture (PicturePtr pict,
+ pict->format,
+ pixmap->drawable.width, pixmap->drawable.height,
+ (uint32_t *)bits, stride * sizeof (FbStride));
+-
++
++ /* pixman_image_create_bits() can return NULL under a variety of circumstances:
++ - bits is NULL
++ - stride * sizeof (FbStride) is not a whole number of uint32_t's
++ - pict->format has BPP greater than its DEPTH
++ - function could not instantiate bits (via the create_bits() routine)
++ - the image could not be allocated
++ This seems a rather wide range of circumstances! Checking for NULL here
++ before pixman_image_set_accessors() seems extremely sensible. How has
++ this not been crashing more frequently?
++ */
++ if (!image)
++ return NULL;
+
+ #ifdef FB_ACCESS_WRAPPER
+ #if FB_SHIFT==5
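Review bot: The comment added in create_bits_picture() names pixman_image_set_accessors() as the call being protected, while the changelog entry for this patch names pixman_image_set_has_client_clip(); one of the two should be corrected so the comment matches the code that follows the check, which lies beyond this hunk. The closing rhetorical question adds nothing for a maintainer; something like `/* pixman_image_create_bits() may return NULL (bad bits/stride/format or allocation failure); bail out before image is used. */` would be enough. The early `return NULL` also makes NULL a possible result of create_bits_picture() if it was not one already, so its callers, which are outside this hunk, need to tolerate that.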
diff --git a/debian/patches/series b/debian/patches/series
index f37494e..760d1a7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@
206_intel_8xx_default_to_fbdev.patch
208_switch_on_release.diff
209_add_legacy_bgnone_option.patch
+210_pixman_null_ptr_check.patch