
xorg-server: Changes to 'debian-unstable'



 ChangeLog                    |  198 +++++++++++++++++++++++++++++++++++++++++++
 Xext/saver.c                 |    3 
 Xext/xvdisp.c                |    4 
 Xi/extinit.c                 |    4 
 config/hal.c                 |    1 
 configure.ac                 |    4 
 debian/changelog             |    6 +
 hw/kdrive/src/kinput.c       |    6 -
 hw/vfb/InitOutput.c          |    4 
 hw/xfree86/fbdevhw/fbdevhw.c |   18 ++-
 hw/xfree86/loader/loadmod.c  |    2 
 hw/xfree86/xaa/xaaGC.c       |    1 
 randr/rrcrtc.c               |   29 ++----
 13 files changed, 237 insertions(+), 43 deletions(-)

New commits:
commit ba71b91eb3a8f116e39950299d136bb16a814fa5
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Dec 10 16:44:06 2011 +0100

    Bump changelogs

diff --git a/ChangeLog b/ChangeLog
index bf744e1..e5a0887 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,201 @@
+commit 0ca8869e4537412f25bfd5610aba5e604952608c
+Author: Jeremy Huddleston <jeremyhu@apple.com>
+Date:   Fri Dec 9 12:58:30 2011 -0800
+
+    configure.ac: 1.11.2.902 (1.11.3 RC2)
+    
+    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+
+commit e76c397eb90291b048e0b2102111008e3d2e469e
+Author: Dave Airlie <airlied@redhat.com>
+Date:   Mon Nov 28 16:37:59 2011 +0000
+
+    kdrive: drop screen crossing code.
+    
+    The only kdrive server we probably care about anymore is Xephyr,
+    and this screen enable/disable code totally breaks it in multi-screen mode.
+    
+    When you are in one screen the other stops updating.
+    
+    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=757457
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+    (cherry picked from commit 98c4a888a4428789386c7c47cecc81933b5999ba)
+
+commit db418ff7501d960c8de813a37b8bb37b1ba22175
+Author: Dave Airlie <airlied@redhat.com>
+Date:   Thu Oct 20 10:48:26 2011 +0100
+
+    hal: free tmp_val in one missing case
+    
+    Pointed out by coverity scan.
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    (cherry picked from commit 8d3731a811e33e263920dd7c8ec63d02968cb56e)
+
+commit 6b11b18ab683e1f38e5b27066b35947b96956e5f
+Author: Dave Airlie <airlied@redhat.com>
+Date:   Thu Oct 20 11:00:43 2011 +0100
+
+    xv: test correct number of requests. (v2)
+    
+    Pointed out by coverity.
+    
+    v2: fix swapped as well, as pointed out by Alan
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    (cherry picked from commit 41229392b790f30a0f0ef1f4ed95647c5bca4001)
+
+commit df16b789aaf5fe7025e5661117477a5f6f9129ee
+Author: Dave Airlie <airlied@redhat.com>
+Date:   Wed Oct 19 16:57:13 2011 +0100
+
+    xaa: avoid possible freed pointer reuse in epilogue
+    
+    If the pGCPriv->flags == 2, then we try to assign the freed pGCPriv->XAAOps
+    avoid this by clearing the flags in to be destroyed pGCPriv.
+    
+    Reported by coverity.
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+    (cherry picked from commit 1049139499d9132a20cd6d4d156fe9da9cddb6c2)
+
+commit befa8a3b836e8b5781491aff4e659ae856beb494
+Author: Dave Airlie <airlied@redhat.com>
+Date:   Wed Oct 19 16:22:31 2011 +0100
+
+    Xi: avoid overrun of callback array.
+    
+    This code had an off-by-one and would allow writing one past the end of
+    the callbacks array.
+    
+    Pointed out by coverity.
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+    (cherry picked from commit 682c09a2cedd234b005334cc01247d859dd7f26a)
+
+commit b22783f483d440a005ff76d5c7894e2cf2a95dcb
+Author: Dave Airlie <airlied@redhat.com>
+Date:   Wed Oct 19 16:21:26 2011 +0100
+
+    xext: don't free uninitialised pointer when malloc fails. (v2)
+    
+    Initialise the pAttr->values to values so if the values allocation
+    fails it just ends up as free(NULL).
+    
+    Pointed out by coverity.
+    
+    v2: use Alan's suggestion.
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+    (cherry picked from commit b62dc4fcbcffd10de16650bee284702c8608bb60)
+
+commit 083599c5597276289af9adaf8a8571cbe743c3fd
+Author: Adam Jackson <ajax@redhat.com>
+Date:   Thu Apr 28 13:34:28 2011 +1000
+
+    fbdevhw: iterate over all modes that match a mode. (v3)
+    
+    So on RHEL5 anaconda sets an xorg.conf with a fixed 800x600 mode in it,
+    we run radeonfb and fbdev since ati won't work in userspace due to domain
+    issues in the older codebase.
+    
+    On certain pseries blades the built-in KVM can't accept an 800x600-43 mode,
+    it requires the 800x600-60 mode, so we have to have the kernel radeonfb
+    driver reject the 800x600-43 mode when it sees it. However then fbdev
+    doesn't try any of the other 800x600 modes in the modelist, and we end up
+    getting a default 640x480 mode we don't want.
+    
+    This patch changes the mode validation loop to continue on with the other modes
+    that match to find one that works.
+    
+    v2: move code around to avoid extra loop, after comment from Jamey.
+    v3: move loop setup back into loop as per Jeremy's review.
+    
+    Signed-off-by: Dave Airlie <airlied@redhat.com>
+    Reviewed-by: Jamey Sharp <jamey@minilop.net>
+    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
+    (cherry picked from commit 22605effd188436629a0dbc688666549473741e4)
+
+commit 05a890df0ade7c4958a2a13ed0c6471e4658a098
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Thu Dec 1 23:45:42 2011 -0800
+
+    LoaderOpen returns either a valid pointer or NULL, so don't check for < 0
+    
+    Fixes Sun cc warning that was recently elevated to error by the
+    stricter default CFLAGS changes to xorg-macros:
+    
+    "loadmod.c", line 914: improper pointer/integer combination: op "<"
+    
+    Should have been changed when commit ab7f057ce9df4e905b12 changed the
+    LoaderOpen return type from int to void *.
+    
+    Changes log message when file is found but dlopen() fails from:
+     (EE) LoadModule: Module dbe does not have a dbeModuleData data object.
+     (EE) Failed to load module "dbe" (invalid module, 0)
+    to:
+     (EE) Failed to load module "dbe" (loader failed, 7)
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Adam Jackson <ajax@redhat.com>
+    (cherry picked from commit e4dcf580f007d6adcf5b0c639865d7aaab1a319d)
+
+commit f4944108421d6ae4c728290baa43291f55ebaa67
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Wed Nov 23 00:30:02 2011 -0800
+
+    Limit the number of screens Xvfb will attempt to allocate memory for
+    
+    Commit f9e3a2955d2ca7 removing the MAXSCREEN limit left the screen
+    number too unlimited, and allowed any positive int for a screen number:
+    
+    Xvfb :1 -screen 2147483647 1024x1024x8
+    
+    Fatal server error:
+    Not enough memory for screen 2147483647
+    
+    Found by Parfait 0.3.7:
+    Error: Integer overflow (CWE 190)
+       Integer parameter of memory allocation function realloc() may overflow due to multiplication with constant value 1112
+            at line 293 of hw/vfb/InitOutput.c in function 'ddxProcessArgument'.
+    
+    Since the X11 connection setup only has a CARD8 for number of SCREENS,
+    limit to 255 screens, which is also low enough to avoid overflow on the
+    sizeof(*vfbScreens) * (screenNum + 1) calculation for realloc.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Jamey Sharp <jamey@minilop.net>
+    (cherry picked from commit feebf6746374aa04b12e9e3e51313a3a82c03530)
+
+commit bed7d7f31ed48cbf0931ca77fdac135e514a2a44
+Author: Rui Matos <tiagomatos@gmail.com>
+Date:   Tue Nov 1 21:32:36 2011 +0000
+
+    randr: Make the RRConstrainCursorHarder logic the same as miPointerSetPosition
+    
+    The constraining logic in RRConstrainCursorHarder allows the cursor to reach
+    crtc positions of x = width and y = height while the constraining code in
+    miPointerSetPosition only allows it to reach x = width - 1 and y = height - 1
+    for the analogous screen case.
+    
+    This patch makes the former's logic equivalent to the latter's which allows
+    applications to benefit from Fitts's law. E.g. a maximized application
+    adjacent to a crtc border wouldn't get pointer events if the user moved the
+    pointer all the way until it's contained.
+    
+    Signed-off-by: Rui Matos <tiagomatos@gmail.com>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+    Signed-off-by: Keith Packard <keithp@keithp.com>
+    (cherry picked from commit 9cc44b955b27de33348d6a20bebc9704930ee18e)
+
 commit 4689c84a07f87d35492feeae2bc59642c31b6eb3
 Author: Jeremy Huddleston <jeremyhu@apple.com>
 Date:   Mon Nov 28 00:07:29 2011 -0800
diff --git a/debian/changelog b/debian/changelog
index 9f9b857..4b2a09f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+xorg-server (2:1.11.2.902-1) UNRELEASED; urgency=low
+
+  * New upstream release candidate (1.11.3 RC2)
+
+ -- Julien Cristau <jcristau@debian.org>  Sat, 10 Dec 2011 16:42:42 +0100
+
 xorg-server (2:1.11.2.901-1) unstable; urgency=low
 
   * New upstream release candidate (1.11.3 RC1):

commit 0ca8869e4537412f25bfd5610aba5e604952608c
Author: Jeremy Huddleston <jeremyhu@apple.com>
Date:   Fri Dec 9 12:58:30 2011 -0800

    configure.ac: 1.11.2.902 (1.11.3 RC2)
    
    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>

diff --git a/configure.ac b/configure.ac
index 9237686..817c907 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,8 +26,8 @@ dnl
 dnl Process this file with autoconf to create configure.
 
 AC_PREREQ(2.57)
-AC_INIT([xorg-server], 1.11.2.901, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
-RELEASE_DATE="2011-11-28"
+AC_INIT([xorg-server], 1.11.2.902, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], xorg-server)
+RELEASE_DATE="2011-12-09"
 AC_CONFIG_SRCDIR([Makefile.am])
 AM_INIT_AUTOMAKE([foreign dist-bzip2])
 AM_MAINTAINER_MODE

commit e76c397eb90291b048e0b2102111008e3d2e469e
Author: Dave Airlie <airlied@redhat.com>
Date:   Mon Nov 28 16:37:59 2011 +0000

    kdrive: drop screen crossing code.
    
    The only kdrive server we probably care about anymore is Xephyr,
    and this screen enable/disable code totally breaks it in multi-screen mode.
    
    When you are in one screen the other stops updating.
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=757457
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    (cherry picked from commit 98c4a888a4428789386c7c47cecc81933b5999ba)

diff --git a/hw/kdrive/src/kinput.c b/hw/kdrive/src/kinput.c
index c14dd82..500a3d8 100644
--- a/hw/kdrive/src/kinput.c
+++ b/hw/kdrive/src/kinput.c
@@ -2135,12 +2135,6 @@ KdCursorOffScreen(ScreenPtr *ppScreen, int *x, int *y)
 static void
 KdCrossScreen(ScreenPtr pScreen, Bool entering)
 {
-#ifndef XIPAQ
-    if (entering)
-	KdEnableScreen (pScreen);
-    else
-	KdDisableScreen (pScreen);
-#endif
 }
 
 int KdCurScreen;	/* current event screen */
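
Review bot: KdCrossScreen is left as an empty function body, with pScreen and entering now unused. Add a one-line comment in the body saying the no-op is intentional (enabling/disabling screens on crossing breaks multi-screen Xephyr), or drop the function if the screen-crossing hook that references it accepts NULL, so the next reader does not take it for an unfinished stub.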

commit db418ff7501d960c8de813a37b8bb37b1ba22175
Author: Dave Airlie <airlied@redhat.com>
Date:   Thu Oct 20 10:48:26 2011 +0100

    hal: free tmp_val in one missing case
    
    Pointed out by coverity scan.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
    (cherry picked from commit 8d3731a811e33e263920dd7c8ec63d02968cb56e)

diff --git a/config/hal.c b/config/hal.c
index 297520a..a4141d5 100644
--- a/config/hal.c
+++ b/config/hal.c
@@ -355,6 +355,7 @@ device_added(LibHalContext *hal_ctx, const char *udi)
                         if (!strcasecmp(tmp, ".options") && (!xkb_opts.options))
                             xkb_opts.options = strdup(tmp_val);
                     }
+                    free(tmp_val);
                 }
             }
         }
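
Review bot: the added free(tmp_val) runs after the inner block closes, so it is only correct if every path through the enclosing block reaches it and nothing keeps the pointer. The visible xkb_opts.options = strdup(tmp_val) stores a copy, which is consistent with that, but please confirm that no continue or break in the lines above the hunk skips the free and that tmp_val is not read again afterwards; assigning NULL after the free would make a later reuse fail loudly.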

commit 6b11b18ab683e1f38e5b27066b35947b96956e5f
Author: Dave Airlie <airlied@redhat.com>
Date:   Thu Oct 20 11:00:43 2011 +0100

    xv: test correct number of requests. (v2)
    
    Pointed out by coverity.
    
    v2: fix swapped as well, as pointed out by Alan
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 41229392b790f30a0f0ef1f4ed95647c5bca4001)

diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index b968431..84b10b4 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1265,7 +1265,7 @@ ProcXvDispatch(ClientPtr client)
 
   UpdateCurrentTime();
 
-  if (stuff->data > xvNumRequests) {
+  if (stuff->data >= xvNumRequests) {
     SendErrorToClient(client, XvReqCode, stuff->data, 0, BadRequest);
     return BadRequest;
   }
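
Review bot: the bound on stuff->data in ProcXvDispatch is the only guard on a client-supplied minor opcode, and the old > let the value equal to xvNumRequests through. The >= is right if valid opcodes are 0 .. xvNumRequests - 1; a short comment stating that range next to the check, or a compile-time check tying xvNumRequests to the size of whatever the opcode selects, would keep the two from drifting apart again.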
@@ -1589,7 +1589,7 @@ SProcXvDispatch(ClientPtr client)
 
   UpdateCurrentTime();
 
-  if (stuff->data > xvNumRequests) {
+  if (stuff->data >= xvNumRequests) {
     SendErrorToClient(client, XvReqCode, stuff->data, 0, BadRequest);
     return BadRequest;
   }
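
Review bot: SProcXvDispatch carries a byte-for-byte copy of the range check from ProcXvDispatch, and the commit message notes that v1 missed this copy. Consider moving the check and the SendErrorToClient/BadRequest return into one small static helper called from both dispatchers, so a future change cannot fix one path and leave the byte-swapped path behind.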

commit df16b789aaf5fe7025e5661117477a5f6f9129ee
Author: Dave Airlie <airlied@redhat.com>
Date:   Wed Oct 19 16:57:13 2011 +0100

    xaa: avoid possible freed pointer reuse in epilogue
    
    If the pGCPriv->flags == 2, then we try to assign the freed pGCPriv->XAAOps
    avoid this by clearing the flags in to be destroyed pGCPriv.
    
    Reported by coverity.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
    (cherry picked from commit 1049139499d9132a20cd6d4d156fe9da9cddb6c2)

diff --git a/hw/xfree86/xaa/xaaGC.c b/hw/xfree86/xaa/xaaGC.c
index 44d50e6..1bc35d9 100644
--- a/hw/xfree86/xaa/xaaGC.c
+++ b/hw/xfree86/xaa/xaaGC.c
@@ -239,6 +239,7 @@ XAADestroyGC(GCPtr pGC)
 	free(pGCPriv->XAAOps);
 
     free(pGCPriv->DashPattern);
+    pGCPriv->flags = 0;
 
     (*pGC->funcs->DestroyGC)(pGC);
     XAA_GC_FUNC_EPILOGUE (pGC);
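
Review bot: clearing pGCPriv->flags stops the epilogue from picking up the freed ops, but pGCPriv->XAAOps and pGCPriv->DashPattern still hold their old addresses after the free() calls above the added line. Set both to NULL alongside flags so any other reader of the private sees NULL instead of a dangling pointer, and add a comment on the new line saying which check in XAA_GC_FUNC_EPILOGUE it is defeating, since a bare flags = 0 does not explain itself.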

commit befa8a3b836e8b5781491aff4e659ae856beb494
Author: Dave Airlie <airlied@redhat.com>
Date:   Wed Oct 19 16:22:31 2011 +0100

    Xi: avoid overrun of callback array.
    
    This code had an off-by-one and would allow writing one past the end of
    the callbacks array.
    
    Pointed out by coverity.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
    (cherry picked from commit 682c09a2cedd234b005334cc01247d859dd7f26a)

diff --git a/Xi/extinit.c b/Xi/extinit.c
index 0905e18..0ce4e06 100644
--- a/Xi/extinit.c
+++ b/Xi/extinit.c
@@ -409,7 +409,7 @@ static int
 ProcIDispatch(ClientPtr client)
 {
     REQUEST(xReq);
-    if (stuff->data > ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
+    if (stuff->data >= ARRAY_SIZE(ProcIVector) || !ProcIVector[stuff->data])
         return BadRequest;
 
     return (*ProcIVector[stuff->data])(client);
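
Review bot: the commit message describes this as writing one past the end of the callbacks array, but the changed condition in ProcIDispatch reads ProcIVector[stuff->data] and the next statement calls through it, so with the old > a client-supplied opcode equal to ARRAY_SIZE(ProcIVector) caused an out-of-bounds read followed by an indirect call. Please correct the wording, and keep the bounds test as the left operand of || so it short-circuits before the array is indexed.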
@@ -428,7 +428,7 @@ static int
 SProcIDispatch(ClientPtr client)
 {
     REQUEST(xReq);
-    if (stuff->data > ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
+    if (stuff->data >= ARRAY_SIZE(SProcIVector) || !SProcIVector[stuff->data])
         return BadRequest;
 
     return (*SProcIVector[stuff->data])(client);

commit b22783f483d440a005ff76d5c7894e2cf2a95dcb
Author: Dave Airlie <airlied@redhat.com>
Date:   Wed Oct 19 16:21:26 2011 +0100

    xext: don't free uninitialised pointer when malloc fails. (v2)
    
    Initialise the pAttr->values to values so if the values allocation
    fails it just ends up as free(NULL).
    
    Pointed out by coverity.
    
    v2: use Alan's suggestion.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
    (cherry picked from commit b62dc4fcbcffd10de16650bee284702c8608bb60)

diff --git a/Xext/saver.c b/Xext/saver.c
index 1888603..0f9e878 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -927,7 +927,7 @@ ScreenSaverSetAttributes (ClientPtr client)
 	goto bail;
     }
     /* over allocate for override redirect */
-    values = malloc((len + 1) * sizeof (unsigned long));
+    pAttr->values = values = malloc((len + 1) * sizeof (unsigned long));
     if (!values)
     {
 	ret = BadAlloc;
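
Review bot: in the changed malloc line, (len + 1) * sizeof (unsigned long) is computed with no overflow check; if len can be influenced by the request, bound it before this allocation. The chained assignment also makes pAttr->values and values aliases of the same buffer, so the bail path must release it through exactly one of them; a comment saying which one owns it would help.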
@@ -947,7 +947,6 @@ ScreenSaverSetAttributes (ClientPtr client)
     pAttr->pCursor = NullCursor;
     pAttr->pBackgroundPixmap = NullPixmap;
     pAttr->pBorderPixmap = NullPixmap;
-    pAttr->values = values;
     /*
      * go through the mask, checking the values,
      * looking up pixmaps and cursors and hold a reference
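
Review bot: pAttr->pCursor, pAttr->pBackgroundPixmap and pAttr->pBorderPixmap are still assigned here, after the allocation-failure goto bail in the previous hunk, so on BadAlloc they are in the same uninitialised state that pAttr->values was in before this fix. If the bail path releases or inspects them, move these three assignments above the malloc too, or allocate pAttr zeroed.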

commit 083599c5597276289af9adaf8a8571cbe743c3fd
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Apr 28 13:34:28 2011 +1000

    fbdevhw: iterate over all modes that match a mode. (v3)
    
    So on RHEL5 anaconda sets an xorg.conf with a fixed 800x600 mode in it,
    we run radeonfb and fbdev since ati won't work in userspace due to domain
    issues in the older codebase.
    
    On certain pseries blades the built-in KVM can't accept an 800x600-43 mode,
    it requires the 800x600-60 mode, so we have to have the kernel radeonfb
    driver reject the 800x600-43 mode when it sees it. However then fbdev
    doesn't try any of the other 800x600 modes in the modelist, and we end up
    getting a default 640x480 mode we don't want.
    
    This patch changes the mode validation loop to continue on with the other modes
    that match to find one that works.
    
    v2: move code around to avoid extra loop, after comment from Jamey.
    v3: move loop setup back into loop as per Jeremy's review.
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Jamey Sharp <jamey@minilop.net>
    Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
    (cherry picked from commit 22605effd188436629a0dbc688666549473741e4)

diff --git a/hw/xfree86/fbdevhw/fbdevhw.c b/hw/xfree86/fbdevhw/fbdevhw.c
index dee731b..806b906 100644
--- a/hw/xfree86/fbdevhw/fbdevhw.c
+++ b/hw/xfree86/fbdevhw/fbdevhw.c
@@ -509,20 +509,22 @@ fbdevHWSetVideoModes(ScrnInfoPtr pScrn)
 	pScrn->virtualY = pScrn->display->virtualY;
 
 	for (modename = pScrn->display->modes; *modename != NULL; modename++) {
-		for (mode = pScrn->monitor->Modes; mode != NULL; mode = mode->next)
-			if (0 == strcmp(mode->name,*modename))
-				break;
+		for (mode = pScrn->monitor->Modes; mode != NULL; mode = mode->next) {
+			if (0 == strcmp(mode->name,*modename)) {
+				if (fbdevHWSetMode(pScrn, mode, TRUE))
+					break;
+
+				xf86DrvMsg(pScrn->scrnIndex, X_INFO,
+					   "\tmode \"%s\" test failed\n", *modename);
+			}
+		}
+
 		if (NULL == mode) {
 			xf86DrvMsg(pScrn->scrnIndex, X_INFO,
 				   "\tmode \"%s\" not found\n", *modename);
 			continue;
 		}
 
-		if (!fbdevHWSetMode(pScrn, mode, TRUE)) {
-			xf86DrvMsg(pScrn->scrnIndex, X_INFO,
-				   "\tmode \"%s\" test failed\n", *modename);
-			continue;
-		}
 		xf86DrvMsg(pScrn->scrnIndex, X_INFO,
 			   "\tmode \"%s\" ok\n", *modename);
 
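
Review bot: in the rewritten inner loop, a mode whose name matches but whose fbdevHWSetMode test fails no longer breaks out, so when every matching mode fails the loop ends with mode == NULL and the following block logs "mode not found" right after one or more "test failed" lines for the same name. Track whether any name match was seen and skip the "not found" message in that case, so the log distinguishes a missing mode from a rejected one.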

commit 05a890df0ade7c4958a2a13ed0c6471e4658a098
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Dec 1 23:45:42 2011 -0800

    LoaderOpen returns either a valid pointer or NULL, so don't check for < 0
    
    Fixes Sun cc warning that was recently elevated to error by the
    stricter default CFLAGS changes to xorg-macros:
    
    "loadmod.c", line 914: improper pointer/integer combination: op "<"
    
    Should have been changed when commit ab7f057ce9df4e905b12 changed the
    LoaderOpen return type from int to void *.
    
    Changes log message when file is found but dlopen() fails from:
     (EE) LoadModule: Module dbe does not have a dbeModuleData data object.
     (EE) Failed to load module "dbe" (invalid module, 0)
    to:
     (EE) Failed to load module "dbe" (loader failed, 7)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit e4dcf580f007d6adcf5b0c639865d7aaab1a319d)

diff --git a/hw/xfree86/loader/loadmod.c b/hw/xfree86/loader/loadmod.c
index 9f82099..20a4719 100644
--- a/hw/xfree86/loader/loadmod.c
+++ b/hw/xfree86/loader/loadmod.c
@@ -918,7 +918,7 @@ doLoadModule(const char *module, const char *path, const char **subdirlist,
 	goto LoadModule_fail;
     }
     ret->handle = LoaderOpen(found, errmaj, errmin);
-    if (ret->handle < 0)
+    if (ret->handle == NULL)
 	goto LoadModule_fail;
     ret->path = strdup(found);
 
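
Review bot: with the old < 0 comparison the failure branch could never be taken for a pointer, so LoadModule_fail is now reached with ret->handle == NULL for the first time from this site. Please check that the cleanup under that label tolerates a NULL handle, and note that the strdup(found) result on the next line is stored in ret->path without a NULL check.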

commit f4944108421d6ae4c728290baa43291f55ebaa67
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Nov 23 00:30:02 2011 -0800

    Limit the number of screens Xvfb will attempt to allocate memory for
    
    Commit f9e3a2955d2ca7 removing the MAXSCREEN limit left the screen
    number too unlimited, and allowed any positive int for a screen number:
    
    Xvfb :1 -screen 2147483647 1024x1024x8
    
    Fatal server error:
    Not enough memory for screen 2147483647
    
    Found by Parfait 0.3.7:
    Error: Integer overflow (CWE 190)
       Integer parameter of memory allocation function realloc() may overflow due to multiplication with constant value 1112
            at line 293 of hw/vfb/InitOutput.c in function 'ddxProcessArgument'.
    
    Since the X11 connection setup only has a CARD8 for number of SCREENS,
    limit to 255 screens, which is also low enough to avoid overflow on the
    sizeof(*vfbScreens) * (screenNum + 1) calculation for realloc.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Jamey Sharp <jamey@minilop.net>
    (cherry picked from commit feebf6746374aa04b12e9e3e51313a3a82c03530)

diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c
index dce3f84..c17f12c 100644
--- a/hw/vfb/InitOutput.c
+++ b/hw/vfb/InitOutput.c
@@ -280,7 +280,9 @@ ddxProcessArgument(int argc, char *argv[], int i)
 	int screenNum;
 	CHECK_FOR_REQUIRED_ARGUMENTS(2);
 	screenNum = atoi(argv[i+1]);
-	if (screenNum < 0)
+	/* The protocol only has a CARD8 for number of screens in the
+	   connection setup block, so don't allow more than that. */
+	if ((screenNum < 0) || (screenNum >= 255))
 	{
 	    ErrorF("Invalid screen number %d\n", screenNum);
 	    UseMsg();
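
Review bot: the new upper bound is applied to the result of atoi(argv[i+1]), which returns 0 for non-numeric input and has undefined behaviour when the value does not fit in an int, so the range check can be handed a value that is not what the user typed. Parse with strtol, check the end pointer and errno, then apply the range test; a named constant in place of the literal 255 would also tie the limit to the CARD8 field the comment mentions.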

commit bed7d7f31ed48cbf0931ca77fdac135e514a2a44
Author: Rui Matos <tiagomatos@gmail.com>
Date:   Tue Nov 1 21:32:36 2011 +0000

    randr: Make the RRConstrainCursorHarder logic the same as miPointerSetPosition
    
    The constraining logic in RRConstrainCursorHarder allows the cursor to reach
    crtc positions of x = width and y = height while the constraining code in
    miPointerSetPosition only allows it to reach x = width - 1 and y = height - 1
    for the analogous screen case.
    
    This patch makes the former's logic equivalent to the latter's which allows
    applications to benefit from Fitts's law. E.g. a maximized application
    adjacent to a crtc border wouldn't get pointer events if the user moved the
    pointer all the way until it's contained.
    
    Signed-off-by: Rui Matos <tiagomatos@gmail.com>
    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
    Signed-off-by: Keith Packard <keithp@keithp.com>
    (cherry picked from commit 9cc44b955b27de33348d6a20bebc9704930ee18e)

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index 0437795..305a270 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -1465,7 +1465,7 @@ RRConstrainCursorHarder(DeviceIntPtr pDev, ScreenPtr pScreen, int mode, int *x,
 
        crtc_bounds(crtc, &left, &right, &top, &bottom);
 
-       if ((*x >= left) && (*x <= right) && (*y >= top) && (*y <= bottom))
+       if ((*x >= left) && (*x < right) && (*y >= top) && (*y < bottom))
            return;
     }
 
@@ -1481,24 +1481,15 @@ RRConstrainCursorHarder(DeviceIntPtr pDev, ScreenPtr pScreen, int mode, int *x,
        crtc_bounds(crtc, &left, &right, &top, &bottom);
        miPointerGetPosition(pDev, &nx, &ny);
 
-       if ((nx >= left) && (nx <= right) && (ny >= top) && (ny <= bottom)) {
-           if ((*x <= left) || (*x >= right)) {
-               int dx = *x - nx;
-
-               if (dx > 0)
-                   *x = right;
-               else if (dx < 0)
-                   *x = left;
-           }
-
-           if ((*y <= top) || (*y >= bottom)) {
-               int dy = *y - ny;
-
-               if (dy > 0)
-                   *y = bottom;
-               else if (dy < 0)
-                   *y = top;
-           }
+       if ((nx >= left) && (nx < right) && (ny >= top) && (ny < bottom)) {
+           if (*x < left)
+               *x = left;
+           if (*x >= right)
+               *x = right - 1;
+           if (*y < top)
+               *y = top;
+           if (*y >= bottom)
+               *y = bottom - 1;
 
            return;
        }

