xorg-server: Changes to 'debian-experimental'
ChangeLog | 2126 +++++++++++------------
Xi/exevents.c | 5
config/udev.c | 30
configure.ac | 8
debian/changelog | 16
devbook.am | 10
dix/dispatch.c | 2
dix/getevents.c | 6
doc/Makefile.am | 2
doc/filter-xmlto.sh | 21
glamor/glamor.c | 41
glamor/glamor.h | 2
glamor/glamor_egl.c | 12
glamor/glamor_fbo.c | 4
glamor/glamor_priv.h | 2
glamor/glamor_xv.c | 26
glx/glxcmds.c | 71
hw/kdrive/ephyr/ephyr.c | 10
hw/kdrive/ephyr/ephyr.h | 1
hw/kdrive/ephyr/hostx.c | 11
hw/kdrive/ephyr/hostx.h | 2
hw/xfree86/Makefile.am | 2
hw/xfree86/Xorg.sh.in | 4
hw/xfree86/common/xf86AutoConfig.c | 1
hw/xfree86/dri2/dri2.c | 9
hw/xfree86/drivers/modesetting/Makefile.am | 3
hw/xfree86/drivers/modesetting/dri2.c | 2
hw/xfree86/drivers/modesetting/driver.c | 94 -
hw/xfree86/drivers/modesetting/driver.h | 14
hw/xfree86/drivers/modesetting/drmmode_display.c | 491 +++--
hw/xfree86/drivers/modesetting/drmmode_display.h | 32
hw/xfree86/drivers/modesetting/dumb_bo.c | 134 +
hw/xfree86/drivers/modesetting/dumb_bo.h | 45
hw/xfree86/drivers/modesetting/present.c | 228 ++
hw/xfree86/drivers/modesetting/vblank.c | 37
hw/xfree86/man/Xorg.wrap.man | 2
hw/xfree86/os-support/solaris/sun_init.c | 33
hw/xfree86/os-support/xf86_OSlib.h | 5
hw/xfree86/xorg-wrapper.c | 10
hw/xnest/Keyboard.c | 9
hw/xwayland/Makefile.am | 1
hw/xwayland/xwayland-glamor.c | 3
hw/xwayland/xwayland-input.c | 7
hw/xwayland/xwayland.c | 2
include/regionstr.h | 2
mi/mipointer.c | 4
os/WaitFor.c | 41
os/osinit.c | 6
os/xsha1.c | 25
present/present.c | 15
randr/rroutput.c | 7
randr/rrscreen.c | 22
randr/rrxinerama.c | 12
xkb/xkb.c | 100 -
54 files changed, 2260 insertions(+), 1550 deletions(-)
New commits:
commit 844389319f72ed964479b09c353b2f8f73a9dde8
Author: Maarten Lankhorst <maarten.lankhorst@ubuntu.com>
Date: Wed Feb 11 11:17:51 2015 +0100
bump version to 1.17.1
diff --git a/ChangeLog b/ChangeLog
index e613918..3983221 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,739 +1,1240 @@
-commit 27017380f96d7cec79ce8d618ea0ec389fa716a9
-Merge: 91651e7 9b037af
-Author: Maarten Lankhorst <maarten.lankhorst@ubuntu.com>
-Date: Thu Dec 11 15:47:29 2014 +0100
+commit 3b0d1ba2266d2780bfc111bab74885b90458eca4
+Author: Keith Packard <keithp@keithp.com>
+Date: Tue Feb 10 14:43:34 2015 -0800
- Merge branch 'upstream-unstable' into upstream-experimental
+ Release 1.17.1
+
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 91651e7c15892aa846fc406fbb13b37f094dd3f0
-Author: Michel Dänzer <michel.daenzer@amd.com>
-Date: Wed Dec 10 16:21:44 2014 +0900
+commit f160e722672dbb2b5215870b47bcc51461d96ff1
+Author: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri Jan 16 08:44:45 2015 +0100
- glamor: Reinstate glamor_(egl_)destroy_textured_pixmap
+ xkb: Check strings length against request size
- They are part of the ABI.
+ Ensure that the given strings length in an XkbSetGeometry request remain
+ within the limits of the size of the request.
- Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Signed-off-by: Keith Packard <keithp@keithp.com>
+ Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ (cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
-commit c1455f76c6b1aa4ecaacb2221a687244285aa44b
-Author: Neil Roberts <neil@linux.intel.com>
-Date: Mon Dec 1 16:06:17 2014 -0500
+commit 29be310c303914090298ddda93a5bd5d00a94945
+Author: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri Jan 16 20:08:59 2015 +0100
- glx: Add implementation of __GLXContext->loseCurrent for direct ctxts
+ xkb: Don't swap XkbSetGeometry data in the input buffer
- This adds a dummy implementation for the loseCurrent function in
- __GLXContext for direct contexts which just returns GL_TRUE. Without
- this then the X server can crash if receives a MakeCurrent message for
- a direct context because it will attempt to call loseCurrent when
- cleaning up the client in the callback for ClientStateGone.
+ The XkbSetGeometry request embeds data which needs to be swapped when the
+ server and the client have different endianess.
- [ajax: added assumed s-o-b line]
+ _XkbSetGeometry() invokes functions that swap these data directly in the
+ input buffer.
- Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=86531
- Reviewed-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Neil Roberts <neil@linux.intel.com>
- Signed-off-by: Keith Packard <keithp@keithp.com>
-
-commit 9b037af0410bb1f63d370d8b8be06135de7af600
-Author: Julien Cristau <jcristau@debian.org>
-Date: Tue Dec 9 20:55:02 2014 +0100
-
- Bump to 1.16.2.901
+ However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
+ (if there is more than one keyboard), thus causing on swapped clients the
+ same data to be swapped twice in memory, further causing a server crash
+ because the strings lengths on the second time are way off bounds.
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ To allow _XkbSetGeometry() to run reliably more than once with swapped
+ clients, do not swap the data in the buffer, use variables instead.
+
+ Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ (cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
-commit f7ff55a374d91f8b513159809ed41c3e029a6074
+commit 28f6427aec1f5a1982e1c01eff45af0d401bf659
Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:31:00 2014 -0800
+Date: Mon Feb 2 07:41:06 2015 +0100
- dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
-
- GetHosts saves the pointer to allocated memory in *data, and then
- wants to bounds-check writes to that region, but was mistakenly using
- a bare 'data' instead of '*data'. Also, data is declared as void **,
- so we need a cast to turn it into a byte pointer so we can actually do
- pointer comparisons.
+ Update to version 1.17.0
Signed-off-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 1559a94395258fd73e369f1a2c98a44bfe21a486)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-commit 8e7c4380a56ab05412f630e9b6e02580cb04a804
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:30:59 2014 -0800
+commit 697b696e5e24d0679f133183a3bb0852025377c2
+Author: Dave Airlie <airlied@redhat.com>
+Date: Fri Jan 30 09:59:49 2015 +1000
- Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
+ config/udev: Respect seat assignments when assigned devices
- The 'n' parameter must be surrounded by parens in both places to
- prevent precedence from mis-computing things.
+ Jonathan Dieter posted a few patches to do this inside the Xorg
+ server but it makes no sense to do it there, just have the code
+ we use to probe the device list at startup check seat assignments
+ using the same code we check at hotplug time.
+ Bugilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183654
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Acked-by: Hans de Goede <hdegoede@redhat.com>
+ Tested-by: Jonathan Dieter <jdieter@lesbg.com>
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 9802a0162f738de03585ca3f3b8a8266494f7d45)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-commit 1069ca99298bf1e85e001bfde90b00a42afdb5d8
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:30:58 2014 -0800
+commit df1b401f57ad4b4925bad66684445b476562f26f
+Author: Dave Airlie <airlied@redhat.com>
+Date: Wed Jan 7 09:19:27 2015 +1000
- glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
+ randr: attempt to fix primary on slave output (v2)
- We're using compiler compatibility settings which generate warnings
- when a variable is declared after the first statement.
+ If the user wants to set one of the slave devices as
+ the primary output, we shouldn't fail to do so,
+ we were returning BadMatch which was tripping up
+ gnome-settings-daemon and bad things ensues.
+
+ Fix all the places we use primaryOutput to work
+ out primaryCrtc and take it into a/c when slave
+ gpus are in use.
+ v2: review from Aaron, fix indent, unhide has_primary from
+ macro. I left the int vs Bool alone to be consistent with
+ code below, a future patch could fix both.
+
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+ Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 61b17c0f10307e25e51e30e6fb1d3e3127f82d86)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-commit 044764b5c627d1a6e8ea1dd8cf741a26aeb4b2e7
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:30:57 2014 -0800
+commit 62fcd364ac8c71a2db1db84b17b17cade6832492
+Author: Adel Gadllah <adel.gadllah@gmail.com>
+Date: Sat Jan 3 21:12:25 2015 +0100
- dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
+ dri2: Set vdpau driver name if ddx does not provide any driver name
- When the local types used to walk the DBE request were changed, this
- changed the type of the parameter passed to the DDX SwapBuffers API,
- but there wasn't a matching change in the API definition.
+ Currently when the ddx does not set any driver name we set DRI2 driver but
+ not the VDPAU driver name. The result is that VDPAU drivers will not get found
+ by libvdpau when the modesetting driver is being used.
- At this point, with the API frozen, I just stuck a new variable in
- with the correct type. Because we've already bounds-checked nStuff to
- be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
- fit in a signed int without overflow.
+ Just assume that the VDPAU driver matches the DRI2 driver name, this is true
+ for nouveau, r300, r600 and radeonsi i.e all VDPAU drivers currently supported
+ by mesa.
- Signed-off-by: Keith Packard <keithp@keithp.com
+ Signed-off-by: Adel Gadllah <adel.gadllah@gmail.com>
+ Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-
-commit 6704bb0ed7a10dabe8ef3bb3adf8b8a7f29a78f0
-Merge: 8aa23f2 1559a94
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 11:47:11 2014 -0800
-
- Merge remote-tracking branch 'alanc/master'
-
-commit 1559a94395258fd73e369f1a2c98a44bfe21a486
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:31:00 2014 -0800
+ Signed-off-by: Keith Packard <keithp@keithp.com>
- dix: GetHosts bounds check using wrong pointer value [CVE-2014-8092 pt. 6]
+commit fe4c774c572e3f55a7417f0ca336ae1479a966ad
+Author: Nikhil Mahale <nmahale@nvidia.com>
+Date: Sat Jan 24 17:06:59 2015 -0800
+
+ os: Fix timer race conditions
+
+ Fixing following kind of race-conditions -
+
+ WaitForSomething()
+ |
+ ----> // timers -> timer-1 -> timer-2 -> null
+ while (timers && (int) (timers->expires - now) <= 0)
+ // prototype - DoTimer(OsTimerPtr timer, CARD32 now, OsTimerPtr *prev)
+ DoTimer(timers, now, &timers)
+ |
+ |
+ ----> OsBlockSignals(); .... OS Signal comes just before blocking it,
+ .... timer-1 handler gets called.
+ // timer-1 gets served and scheduled again;
+ // timers -> timer-2 -> timer-1 -> null
+ ....
+ *prev = timer->next;
+ timer->next = NULL; // timers -> null
+ // timers list gets corrupted here and timer-2 gets removed from list.
+
+ Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=86288
+ Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
+ Reviewed-by: Julien Cristau <jcristau@debian.org>
- GetHosts saves the pointer to allocated memory in *data, and then
- wants to bounds-check writes to that region, but was mistakenly using
- a bare 'data' instead of '*data'. Also, data is declared as void **,
- so we need a cast to turn it into a byte pointer so we can actually do
- pointer comparisons.
+ v2: Apply warning fixes from Keith Packard <keithp@keithp.com>
+ Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
+ Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-commit 9802a0162f738de03585ca3f3b8a8266494f7d45
+commit 58f28b0427f0a0c0c445f314bd42721ca8e1e844
Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:30:59 2014 -0800
+Date: Fri Jan 23 10:59:39 2015 -0800
- Missing parens in REQUEST_FIXED_SIZE macro [CVE-2014-8092 pt. 5]
-
- The 'n' parameter must be surrounded by parens in both places to
- prevent precedence from mis-computing things.
+ Update to version 1.16.99.902
Signed-off-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-commit 61b17c0f10307e25e51e30e6fb1d3e3127f82d86
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:30:58 2014 -0800
+commit fef2f6357b40b238ae01c4c80b0d29b17b839686
+Author: Jason Ekstrand <jason@jlekstrand.net>
+Date: Tue Jan 13 15:08:38 2015 -0800
- glx: Can't mix declarations and code in X.org sources [CVE-2014-8098 pt. 9]
+ modesetting: Return the crtc for a drawable even if it's rotated
- We're using compiler compatibility settings which generate warnings
- when a variable is declared after the first statement.
+ All of our checks for what crtc we are on take rotation into account so we
+ select the correct crtc. The only problem is that we weren't returning it
+ we were rotated. This caused X to think DRI3 apps were not on any crtc and
+ limit them to 1 FPS.
+ Signed-off-by: Jason Ekstrand <jason.ekstrand@intel.com>
+ Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1
-Author: Keith Packard <keithp@keithp.com>
-Date: Tue Dec 9 09:30:57 2014 -0800
+commit 3dcd591fa9b71a3dce58d612ca5970209d8386eb
+Author: Jason Ekstrand <jason@jlekstrand.net>
+Date: Tue Jan 13 15:08:37 2015 -0800
- dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
+ modesetting: Add support for using RandR shadow buffers
- When the local types used to walk the DBE request were changed, this
- changed the type of the parameter passed to the DDX SwapBuffers API,
- but there wasn't a matching change in the API definition.
+ This replaces the stubs for shadow buffer creation/allocation with actual
+ functions and adds a shadow_destroy function. With this, we actually get
+ shadow buffers and RandR now works properly. Most of this is copied from
+ the xf86-video-intel driver and modified for modesetting.
- At this point, with the API frozen, I just stuck a new variable in
- with the correct type. Because we've already bounds-checked nStuff to
- be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
- fit in a signed int without overflow.
+ v2 Jason Ekstrand <jason.ekstrand@intel.com>:
+ - Fix build with --disable-glamor
+ - Set the pixel data pointer in the pixmap header for dumb shadow bo's
+ - Call drmmode_create_bo with the right bpp
- Signed-off-by: Keith Packard <keithp@keithp.com
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ v2 Jason Ekstrand <jason.ekstrand@intel.com>:
+ - Make shadow buffers per-crtc and leave shadow_enable alone
+
+ Signed-off-by: Jason Ekstrand <jason.ekstrand@intel.com>
+ Reviewed-by: Keith Packard <keithp@keithp.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 73b1880eb37bd8ffbc3e36739e94f9b56b8323b9
-Author: Robert Morell <rmorell@nvidia.com>
-Date: Wed Nov 12 18:51:43 2014 -0800
+commit 7c656bfcae1d68aeffd5e202b3c1569885f5d13d
+Author: Jason Ekstrand <jason@jlekstrand.net>
+Date: Tue Jan 13 15:08:36 2015 -0800
- glx: Fix mask truncation in __glXGetAnswerBuffer [CVE-2014-8093 6/6]
+ modesetting: Add drmmode_bo_has_bo and drmmode_bo_map helper function
- On a system where sizeof(unsigned) != sizeof(intptr_t), the unary
- bitwise not operation will result in a mask that clears all high bits
- from temp_buf in the expression:
- temp_buf = (temp_buf + mask) & ~mask;
-
- Signed-off-by: Robert Morell <rmorell@nvidia.com>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 7e7630bbb775573eea2a2335adb9d190c3e1e971)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Signed-off-by: Jason Ekstrand <jason.ekstrand@intel.com>
+ Reviewed-by: Keith Packard <keithp@keithp.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 912df16404b80ea143bd75cdacc0d0976bae4c96
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:48 2014 -0500
+commit b4703a5a6e529b78810db8d8782317f0b4e2f265
+Author: Jason Ekstrand <jason@jlekstrand.net>
+Date: Tue Jan 13 15:08:35 2015 -0800
- glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8]
+ modesetting: Refactor drmmode_glamor_new_screen_pixmap
- v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
+ The original drmmode_glamor_new_screen_pixmap function was specific to the
+ primary screen pixmap. This commit pulls the guts out into a new, more
+ general, drmmode_set_pixmap_bo function for setting a buffer on a pixmap.
+ The new function also properly tears down the glamor bits if the buffer
+ being set is NULL. The drmmode_glamor_new_screen_pixmap function is now
+ just a 3-line wrapper around drmmode_set_pixmap_bo.
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit e883c170c15493ab3637c0a01890f5a7ca4e16a5)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ v2 Jason Ekstrand <jason.ekstrand@intel.com>:
+ - Re-arranged code in drmmode_set_pixmap_bo and
+ drmmode_glamor_handle_new_screen_pixmap so that glamor_set_screen_pixmap
+ only gets called for the screen pixmap
+ - Guard the call to glamor_set_screen_pixmapa with a drmmode->glamor check
+
+ Signed-off-by: Jason Ekstrand <jason.ekstrand@intel.com>
+ Reviewed-by: Keith Packard <keithp@keithp.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 92de7a90a1f48b7fd37b8c78f6a2b8dfa13714a6
+commit bb23fbf5bb278113c9c481875423b4d128180972
Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:47 2014 -0500
+Date: Mon Jan 5 16:48:11 2015 -0500
- glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]
+ dix: make RegionInit legal C++
- v2:
- Fix single versus vendor-private length checking for ARB_imaging subset
- extensions. (Julien Cristau)
+ The CVE fix in:
- v3:
- Fix single versus vendor-private length checking for ARB_imaging subset
- extensions. (Julien Cristau)
+ commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb
+ Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Date: Wed Jan 22 22:37:15 2014 -0800
+
+ dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
+
+ offended the C++ demons:
+
+ ../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to
+ 'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive]
+
+ Normally this isn't a problem, because around here we have the sense and
+ common decency to not use C++, but this does make tigervnc fail to build,
+ which is a little rude of us.
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Julien Cristau <jcristau@debian.org>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 984583a497c813df5827ae22483133e704fee79c)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 44ed4a6547136a0945cd85f93b83392cf53f58f2
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:46 2014 -0500
+commit 082931014811e587a9734cbf4d88fd948979b641
+Author: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sat Jan 17 10:09:54 2015 +0000
- glx: Length-checking for non-generated vendor private requests [CVE-2014-8098 6/8]
+ dri2: SourceOffloads may be for DRI3 only
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 44ba149f28ece93c2fbfc9cc980588de5322dd4b)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ As a DDX may declare offload support without supporting DRI2
+ (because it is using an alternative acceleration mechanism like DRI3),
+ when iterating the list of offload_source Screens to find a matching
+ DRI2 provider we need to check before assuming it is DRI2 capable.
+
+ Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88514
+ Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+ Reviewed-by: Dave Airlie <airlied@redhat.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit fe9672204ad9edc09c4ae6ba1b9e9de09ec98287
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:45 2014 -0500
+commit f27d743c1899f307ec8063febbb3198c8945d372
+Author: Carlos Olmedo Escobar <carlos.olmedo.e@gmail.com>
+Date: Wed Jan 21 01:44:54 2015 +0100
- glx: Request length checks for SetClientInfoARB [CVE-2014-8098 5/8]
+ Avoid possible null pointer dereference.
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit afe177020d1fb776c6163f21eddc82cb185b95ca)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Signed-off-by: Carlos Olmedo Escobar <carlos.olmedo.e@gmail.com>
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 525db4433b042ad5a116ca0366498f5bc36e1640
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:44 2014 -0500
+commit 437d2ec5f250f8ab4b44cbae56f938719802e1cc
+Author: Carlos Sánchez de La Lama <csanchezdll@gmail.com>
+Date: Wed Jan 21 10:22:05 2015 +0100
- glx: Top-level length checking for swapped VendorPrivate requests [CVE-2014-8098 4/8]
+ randr: swap num-preferred field on RRGetOutputInfo reply
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit c91e4abc3b892f42802efa20fef7ada442c2d3f5)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=88614
+ Signed-off-by: Carlos Sánchez de La Lama <csanchezdll@gmail.com>
+ Reviewed-by: Dave Airlie <airlied@redhat.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit cbf197e1c97ae0402abfc35514ef62120baee3a6
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:43 2014 -0500
+commit 3d12941b408de7a3bdc579e34e119f8aa81ea926
+Author: Keith Packard <keithp@keithp.com>
+Date: Thu Jan 22 22:28:34 2015 -0800
- glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8]
-
- This is a half-measure until we start passing request length into the
- varsize function, but it's better than the nothing we had before.
+ drivers/modesetting: Save current BlockHandler on return in msBlockHandler
- v2: Verify that there's at least a large render header's worth of
- dataBytes (Julien Cristau)
-
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit a33a939e6abb255b14d8dbc85fcbd2c55b958bae)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ If the BlockHandler chain is modified while it is active, we need to
+ re-fetch the current value and store it in our private for use the
+ next time through.
- Conflicts:
- glx/glxcmds.c
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 7590915c9d76ff7efdc6398a37351df9fab2ce7d
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:42 2014 -0500
+commit b3e496c6d21058147de9a11b78860e73c74db3cb
+Author: Dave Airlie <airlied@redhat.com>
+Date: Fri Jan 23 16:28:28 2015 +1000
- glx: Integer overflow protection for non-generated render requests (v3) [CVE-2014-8093 5/6]
+ glamor: use screen blockhandler rather than dix one (v3)
- v2:
- Fix constants in __glXMap2fReqSize (Michal Srb)
- Validate w/h/d for proxy targets too (Keith Packard)
+ This adds glamor into the block handler call chain
+ in the correct place.
- v3:
- Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
+ This should fix interactions between glamor and drivers
+ requiring damage from glamor.
+ v2: okay don't consolidate, just leave things wierd for now
+ remove blcokhandler in screen close.
+
+ v3: block handler wrapping the right way.
+
+ Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 698888e6671d54c7ae41e9d456f7f5483a3459d2)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 20bc891f767a398bff3301369f8a78f9e65b7eda
-Author: Julien Cristau <jcristau@debian.org>
-Date: Mon Nov 10 12:13:41 2014 -0500
+commit 5af2f5b7d2f955586d0cb40eb30812f1893db22e
+Author: Markus Wick <markus@selfnet.de>
+Date: Thu Jan 15 22:03:18 2015 +0100
- glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8]
+ xwayland: Set glamor filter to nearest
- v2:
- Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
+ glEGLImageTargetTexture2DOES only set the first level.
+ Mesa handles this new texture as incomplete and renders a black screen.
+ We also want to prevent linear filtering.
- Reviewed-by: Adam Jackson <ajax@redhat.com>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Julien Cristau <jcristau@debian.org>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit be09e0c988ffdb0371293af49fb4ea8f49ed324a)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ https://bugs.freedesktop.org/show_bug.cgi?id=81800
+
+ Signed-off-by: Markus Wick <markus@selfnet.de>
+ Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
+ Reviewed-by: Eric Anholt <eric@anholt.net>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 233429c1d8c1183bead2d6f3726c92a7fc557ca9
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:40 2014 -0500
+commit 5f2e8ac51ccbf7c02f25c8cb7617df0238418cd1
+Merge: 4e12d7b 4301479
+Author: Keith Packard <keithp@keithp.com>
+Date: Sat Jan 10 14:51:57 2015 +1300
- glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6]
-
- These are paranoid about integer overflow, and will return -1 if their
- operation would overflow a (signed) integer or if either argument is
- negative.
+ Merge remote-tracking branch 'whot/for-keith'
+
+commit 4e12d7b6f4489fa06475465993a3e1e1d896390b
+Author: Jasper St. Pierre <jstpierre@mecheye.net>
+Date: Sun Jan 4 23:27:32 2015 -0800
+
+ modesetting: Update the cursor without hiding it
- Note that RenderLarge requests are sized with a uint32_t so in principle
- this could be sketchy there, but dix limits bigreqs to 128M so you
- shouldn't ever notice, and honestly if you're sending more than 2G of
- rendering commands you're already doing something very wrong.
+ In the new KMS APIs, the legacy drmModeSetCursor ioctl actually waits
+ for a vblank after changing the cursor image before returning, meaning
+ that the X server, in attempting to hide the cursor before updating
+ its image, actually makes that hide *visible* for a full vblank.
- v2: Use INT_MAX for consistency with the rest of the server (jcristau)
- v3: Reject negative arguments (anholt)
+ It's unknown why the X server does this by default, but turn it off.
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 2a5cbc17fc72185bf0fa06fef26d1f782de72595)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-
-commit e7dc700de969242983ca0964e38e87a79675f7fa
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:39 2014 -0500
-
- glx: Fix image size computation for EXT_texture_integer [CVE-2014-8098 1/8]
+ If we're with a legacy driver that doesn't support the modern
+ drmModeSetCursor by waiting for a vblank before returning, we're going
+ to get a tiny bit of tearing on the cursor plane. But between tearing
+ with a new cursor image and tearing with a blank cursor image, I'd
+ rather the former.
- Without this we'd reject the request with BadLength. Note that some old
- versions of Mesa had a bug in the same place, and would _send_ zero
- bytes of image data; these will now be rejected, correctly.
+ The only proper solution to this is an atomic ioctl that page flips
+ all planes, including the cursor plane, at vblank time and at the same
+ time.
+ Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 13d36923e0ddb077f4854e354c3d5c80590b5d9d)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-commit 25e0fe2b59189be91a84626bc45278c7596ac438
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:38 2014 -0500
+commit 43014795087a0a8774dd9687f5967329b15f06a2
+Author: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon Jan 5 16:44:22 2015 +0100
- glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER (v2) [CVE-2014-8093 3/6]
+ Synchronize capslock in Xnest and Xephyr
- If the computed reply size is negative, something went wrong, treat it
- as an error.
+ In Xnest or Xephyr, pressing CapsLock when focus is on another
+ window does not update the state in the nested X server.
- v2: Be more careful about size_t being unsigned (Matthieu Herrb)
- v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
+ This is because when synchronizing the lock modifier, sending a
+ keypress or a key release only is not sufficient to toggle the state,
+ unlike regular modifiers, one has to emulate a full press/release
+ to lock or unlock the modifier.
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 717a1b37767b41e14859e5022ae9e679152821a9)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+ Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-commit de17ad13eb38af4bd5c8f085200bdab88496062f
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:37 2014 -0500
+commit 24b943132f90bc72ce8b5dc954fe9ee8484edfc2
+Author: Olivier Fourdan <fourdan@xfce.org>
+Date: Fri Jan 2 18:50:17 2015 +0100
- glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]
+ Fix subwindow in Xi emulated events
- Before this we'd just clamp the image size to 0, which was just
- hideously stupid; if the parameters were such that they'd overflow an
- integer, you'd allocate a small buffer, then pass huge values into (say)
- ReadPixels, and now you're scribbling over arbitrary server memory.
+ Bug: 70790
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit ab2ba9338aa5e85b4487bc7fbe69985c76483e01)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Signed-off-by: Olivier Fourdan <fourdan@xfce.org>
-commit 1d496e046e398cd9d6d77edf8958967c86983bf0
-Author: Adam Jackson <ajax@redhat.com>
-Date: Mon Nov 10 12:13:36 2014 -0500
+commit b058dec281568d6a9c5b5e230c20eed096cbdc6d
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon Jan 5 11:19:46 2015 +1000
- glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6]
+ mi: fix accidental x/y coordinate swap
- If the size computation routine returns -1 we should just reject the
- request outright. Clamping it to zero could give an attacker the
- opportunity to also mangle cmdlen in such a way that the subsequent
- length check passes, and the request would get executed, thus passing
- data we wanted to reject to the renderer.
-
- Reviewed-by: Keith Packard <keithp@keithp.com>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Michal Srb <msrb@suse.com>
- Reviewed-by: Andy Ritger <aritger@nvidia.com>
- Signed-off-by: Adam Jackson <ajax@redhat.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit 23fe7718bb171e71db2d1a30505c2ca2988799d9)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Reported-by: Adam Greenblatt <adam.greenblatt@gmail.com>
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Reviewed-by: Eric Anholt <eric@anholt.net>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 5a4760babdfeb114d1e89df735496f042df352fe
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Feb 9 22:42:47 2014 -0800
+commit 23a11fd85e12e94d29ee6d33715ac49684867b16
+Author: Keith Packard <keithp@keithp.com>
+Date: Sun Jan 4 19:13:35 2015 -0800
- Add REQUEST_FIXED_SIZE testcases to test/misc.c
+ doc: Create a script to filter xmlto output
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ This reduces the build log spam while still preserving the xmlto
+ status to catch build failures correctly.
+
+ Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- (cherry picked from commit f4afd53f2aeaddf509bf9f71d1716dd273fd6e14)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
-commit efacb60e01513e9a96f2630159727835e2a8af0b
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Feb 9 21:28:05 2014 -0800
+commit 1c01633877caa4239f901f02fbe113926318d030
+Merge: 3573855 e774663
+Author: Keith Packard <keithp@keithp.com>
+Date: Sun Jan 4 17:02:25 2015 -0800
- Add request length checking test cases for some Xinput 2.x requests
-
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- (cherry picked from commit 2df83bb122debc3c20cfc3d3b0edc85cd0270f79)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Merge remote-tracking branch 'ajax/xserver-next'
-commit 3b4aa58d565ea4542586cfc8be3f88d5616f77ed
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Feb 9 21:27:27 2014 -0800
+commit 3573855514557a518de40a93b3c578f28c7d9c2b
+Author: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed Dec 3 13:49:37 2014 +0100
- Add request length checking test cases for some Xinput 1.x requests
+ Remove explicit dependency on $(WAYLAND_LIBS)
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- (cherry picked from commit d153a85f7478a7a67ccb02fbca6390b0ab1732ee)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Xwayland Makefile explicitely set its dependencies on
+ WAYLAND_LIBS. If the ibrairies are installed in a non-standard
+ path, WAYLAND_LIBS contains '-L/path/to/the/lib' which will fail
+ at build time with:
- Conflicts:
- test/Makefile.am
-
-commit 4f30f4dd47df6dfd363a15a12fd30b727c0bbaa8
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Jan 26 20:02:20 2014 -0800
-
- xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]
+ "No rule to make target '-L/path/to/the/lib', needed by 'Xwayland'.
+ Stop"
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+ Remove that explicit dependency to avoid the problem (LDADD ought
+ to be enough to get the right libraries linked).
+
+ Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- (cherry picked from commit a0ece23a8bd300c8be10812d368dc8058c97c63e)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Signed-off-by: Keith Packard <keithp@keithp.com>
-commit 18c7f1e49b16ce9264e77f9c244495ceb24e3f5a
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Jan 26 19:51:29 2014 -0800
+commit de89c6b8c6e81bad131c7f432e355cb42d233e87
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Tue Dec 16 13:59:45 2014 +1000
- render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]
+ xfree86: rename Xorg.bin to Xorg
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- (cherry picked from commit 5d3a788aeb2fbd3ca2812747dc18c94a8b981c63)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ If the suid wrapper is enabled, /usr/bin/Xorg is just a shell script that
+ execs either /usr/libexec/Xorg.bin directly or the Xorg.wrap binary which then
+ execve's /usr/libexec/Xorg.bin.
+
+ Either way, we end up with Xorg.bin, which is problematic for two reasons:
+ * ps shows the command as Xorg.bin
+ * _COMM and _EXE in systemd's journal will both show Xorg.bin as well
+
+ There's not much we can do about the path, but having the actual command stay
+ as Xorg means better compatibility to existing scripts. And, the reason for
+ this path: the command
+ journalctl _COMM=Xorg
+ works universally, regardless of whether the wrapper is used or not.
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+ Reviewed-by: Keith Packard <keithp@keithp.com>
+ Acked-by: Hans de Goede <hdegoede@redhat.com>
-commit 0ad9121071adf1425623170c9d3bc19333d0f1a2
-Author: Julien Cristau <jcristau@debian.org>
-Date: Tue Oct 28 10:30:04 2014 +0100
+commit ee21be1324de1d6ef14e529fed7b75992e971beb
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu Dec 11 10:32:45 2014 +1000
- render: check request size before reading it [CVE-2014-8100 1/2]
+ dix: offset touch root coordinates by ScreenRec origins (#86655)
- Otherwise we may be reading outside of the client request.
+ For two ScreenRecs abs pointer positioning was working fine, but touch events
+ stuck to the lower/right edge on any screen but the one with a 0/0 origin.
+ Cause is a missing offset by the screen coordinates, causing the root
+ coordinates in the event to desktop-wide, not screen-wide.
- Signed-off-by: Julien Cristau <jcristau@debian.org>
- Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- (cherry picked from commit b5f9ef03df6a650571b29d3d1c1d2b67c6e84336)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Offset properly, just like we do for pointer events.
+
+ X.Org Bug 86655 <http://bugs.freedesktop.org/show_bug.cgi?id=86655>
+
+ Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
-commit df64ac720642c86efcc47b64621e8a0f1e705f16
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Jan 26 19:38:09 2014 -0800
+commit dc777c346d5d452a53b13b917c45f6a1bad2f20b
+Author: Keith Packard <keithp@keithp.com>
+Date: Sat Jan 3 08:46:45 2015 -0800
- randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]
+ dix: Allow zero-height PutImage requests
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- (cherry picked from commit 3df2fcf12499ebdb26b9b67419ea485a42041f33)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ The length checking code validates PutImage height and byte width by
+ making sure that byte-width >= INT32_MAX / height. If height is zero,
+ this generates a divide by zero exception. Allow zero height requests
+ explicitly, bypassing the INT32_MAX check.
+
+ Signed-off-by: Keith Packard <keithp@keithp.com>
+ Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-commit ea45001614b771933590a77fdd281b910c637c1b
-Author: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun Jan 26 19:33:34 2014 -0800
+commit 924996c41c419dda0f02a96aafdf52f7670ff4ea
+Author: Michele Baldessari <michele@redhat.com>
+Date: Wed Dec 3 11:53:10 2014 -0500
- present: unvalidated lengths in Present extension procs [CVE-2014-8103 2/2]
+ ephyr: Implement per-screen colormaps
- Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
- Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
- Reviewed-by: Julien Cristau <jcristau@debian.org>
- (cherry picked from commit d155b7a8e38e74aee96bf52c20c8b6a330d7d462)
- Signed-off-by: Julien Cristau <jcristau@debian.org>
+ Xephyr's pseudocolor emulation added in:
+
+ commit 81a3b6fe27567b4f91033ece69996aa6bf8d01a3
+ Author: Matthew Allum <breakfast@10.am>
+ Date: Mon Nov 8 22:39:47 2004 +0000
+
Reply to: