[Git][xorg-team/xserver/xorg-server][ubuntu] 156 commits: Xi: Zero target buffer in SProcXSendExtensionEvent.

[Timo Aaltonen <tjaalton@debian.org>]

Title: GitLab

Timo Aaltonen pushed to branch ubuntu at X Strike Force / xserver / xorg-server

Commits:

• 8e627350
  by Michal Srb at 2017-07-07T07:22:37+02:00

  Xi: Zero target buffer in SProcXSendExtensionEvent.
  
  Make sure that the xEvent eventT is initialized with zeros, the same way as
  in SProcSendEvent.
  
  Some event swapping functions do not overwrite all 32 bytes of xEvent
  structure, for example XSecurityAuthorizationRevoked. Two cooperating
  clients, one swapped and the other not, can send
  XSecurityAuthorizationRevoked event to each other to retrieve old stack data
  from X server. This can be potentialy misused to go around ASLR or
  stack-protector.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 05442de962d3dc624f79fc1a00eca3ffc5489ced)
  

• 339d961d
  by Michal Srb at 2017-07-07T07:22:37+02:00

  dix: Disallow GenericEvent in SendEvent request.
  
  The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
  no less. Both ProcSendEvent and SProcSendEvent verify that the received data
  exactly match the request size. However nothing stops the client from passing
  in event with xEvent::type = GenericEvent and any value of
  xGenericEvent::length.
  
  In the case of ProcSendEvent, the event will be eventually passed to
  WriteEventsToClient which will see that it is Generic event and copy the
  arbitrary length from the receive buffer (and possibly past it) and send it to
  the other client. This allows clients to copy unitialized heap memory out of X
  server or to crash it.
  
  In case of SProcSendEvent, it will attempt to swap the incoming event by
  calling a swapping function from the EventSwapVector array. The swapped event
  is written to target buffer, which in this case is local xEvent variable. The
  xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
  expect that the target buffer has size matching the size of the source
  GenericEvent. This allows clients to cause stack buffer overflows.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 215f894965df5fb0bb45b107d84524e700d2073c)
  

• 877d9470
  by Michal Srb at 2017-07-07T07:22:37+02:00

  Xi: Verify all events in ProcXSendExtensionEvent.
  
  The requirement is that events have type in range
  EXTENSION_EVENT_BASE..lastEvent, but it was tested
  only for first event of all.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 8caed4df36b1f802b4992edcfd282cbeeec35d9d)
  

• e3f9ab63
  by Michal Srb at 2017-07-07T07:22:37+02:00

  Xi: Do not try to swap GenericEvent.
  
  The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
  it is assuming that the event has fixed size and gives the swapping function
  xEvent-sized buffer.
  
  A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit ba336b24052122b136486961c82deac76bbde455)
  

• d7bc00f5
  by Julien Cristau at 2017-07-07T07:39:21+02:00

  Changelog update
  

• b0943284
  by Sven Joachim at 2017-07-22T17:01:32+02:00

  xvfb-run: Don't mix stderr and stdout when running the program
  
  There does not seem to be a good reason for this, and it prevents the
  user from redirecting the program's output without having it
  intermixed with diagnostics.
  

• cae1c933
  by Timo Aaltonen at 2017-08-15T10:25:02+03:00

  rules: Drop obsolete dh_strip line for -dbg package.
  

• c2d062e2
  by Timo Aaltonen at 2017-08-15T21:53:38+03:00

  restore dh_strip, drop -dbg from it
  

• 4882c259
  by Timo Aaltonen at 2017-08-16T09:49:26+03:00

  rules: Drop dh_strip override, dbgsym transition is done.
  

• ccb13640
  by Timo Aaltonen at 2017-08-28T18:40:59+03:00

  add-cfl-cnl-ids.diff: Add Coffee Lake and Cannonlake pci-ids.
  

• 6028ff2d
  by Timo Aaltonen at 2017-08-28T18:44:17+03:00

  release to artful
  

• cb00105f
  by Timo Aaltonen at 2017-08-30T14:49:57+03:00

  xwayland-add-grab-protocol-support.diff: Dropped, causes issues with kvm. (LP: #1713981)
  

• 2a47e328
  by Olivier Fourdan at 2017-09-21T15:00:08+02:00

  glamor: Check for NULL pixmap in glamor_get_pixmap_texture()
  
  glamor_create_pixmap() would return a NullPixmap if the given size is
  larger than the maximum size of a pixmap.
  
  But glamor_get_pixmap_texture() won't check if the given pixmap is
  non-null, leading to a segfault if glamor_create_pixmap() failed.
  
  This can be reproduced by passing Xephyr a very large screen width,
  e.g.:
  
   $ Xephyr -glamor -screen 32768x1024 :10
  
   (EE)
   (EE) Backtrace:
   (EE) 0: Xephyr (OsSigHandler+0x29)
   (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0)
   (EE) 2: Xephyr (glamor_get_pixmap_texture+0x30)
   (EE) 3: Xephyr (ephyr_glamor_create_screen_resources+0xc6)
   (EE) 4: Xephyr (ephyrCreateResources+0x98)
   (EE) 5: Xephyr (dix_main+0x275)
   (EE) 6: /lib64/libc.so.6 (__libc_start_main+0xf1)
   (EE) 7: Xephyr (_start+0x2a)
   (EE) 8: ? (?+0x2a) [0x2a]
   (EE)
   (EE) Segmentation fault at address 0x0
   (EE)
   Fatal server error:
   (EE) Caught signal 11 (Segmentation fault). Server aborting
   (EE)
   Aborted (core dumped)
  
  Bugzilla: https://bugzilla.redhat.com/1431633
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  (cherry picked from commit f40ff18c96e02ff18a367bf53feeb4bd8ee952a0)
  

• 52ab10aa
  by Olivier Fourdan at 2017-09-21T15:00:14+02:00

  Xephyr: Check screen resources creation success
  
  If the screen pixmap or the corresponding texture creation with glamor
  fails, exit cleanly with an error message instead of segfaulting.
  
  Fixes: https://bugzilla.redhat.com/1431633
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  (cherry picked from commit b0ce1d088a863492f5de11e4dbde10af4261d892)
  

• 703ba42c
  by Olivier Fourdan at 2017-09-21T15:00:18+02:00

  glamor: glamor_set_destination_drawable() can fail
  
  The fbo_array of a given glamor pixmap can be NULL in some cases, as
  glamor_create_fbo_array() can fail to allocate the FBO array.
  
  If this is the case, glamor_pixmap_fbo_at() will return NULL even though
  the box index is valid, and glamor_set_destination_drawable() simply
  assumes glamor_pixmap_fbo_at() will return an FBO prior to pass the
  value to glamor_set_destination_pixmap_fbo(), which will segfault.
  
  We need a way for glamor_set_destination_drawable() to fail safely and
  let the caller know about the failure.
  
  Add a boolean return value to glamor_set_destination_drawable() for that
  purpose.
  
  Bugzilla: https://bugzilla.redhat.com/1417575
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  (cherry picked from commit 04b4bad7c048fd077fe839f10634c99ef1e488af)
  

• 9db3361b
  by Olivier Fourdan at 2017-09-21T15:00:21+02:00

  glamor: Check glamor_set_destination_drawable() return value
  
  Check the value returned by glamor_set_destination_drawable() and use
  the fallback code path where possible.
  
  Bugzilla: https://bugzilla.redhat.com/1417575
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  (cherry picked from commit 455051a0f1d2bc84f605c325f647bd64d414c47d)
  

• 8c609764
  by Adam Jackson at 2017-09-21T15:00:25+02:00

  parser: Fix crash when xf86nameCompare(s1 = x, s2 = NULL)
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit f1f865e909090406841a9b9416ea6259a75c2086)
  

• 2f36c6fa
  by Adam Jackson at 2017-09-22T18:45:58+02:00

  xinerama: Implement graphics exposures for window->pixmap copies (v4)
  
  This code is using GetImage to accumulate a logical view of the window
  image (since the windows will be clipped to their containing screen),
  and then PutImage to load that back into the pixmap.  What it wasn't
  doing was constructing a region for the obscured areas of the window and
  emitting graphics exposures for same.
  
  v2: Fix coordinate translation when the source is the root window
  v3: Create sourceBox with the right coordinates initially instead of
  translating (Keith Packard)
  v4: Clamp the region to 15 bits to avoid overflow (Keith Packard)
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit e337de2d488a124e5fee0fdcb882567b68f1767d)
  

• c58bff7e
  by Eric Anholt at 2017-09-22T18:45:58+02:00

  glamor: Fix dashed line rendering.
  
  We were binding the screen pixmap as the dash and sampling its alpha,
  which is usually just 1.0 (no dashing at all).
  
  Please cherry-pick this to active stable branches.
  
  Signed-off-by: Eric Anholt <eric@anholt.net>
  Reviewed-by: Keith Packard <keithp@keithp.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit fe0b297420fc1de8a7fab28457d0864b3182e967)
  

• 0f3196bf
  by Adam Jackson at 2017-09-22T18:45:58+02:00

  ephyr: Don't clobber bitsPerPixel when using glamor
  
  This ends up passing 0 as the bpp argument to fb screen setup, which is
  not really the best plan.
  
  Reviewed-by: Eric Anholt <eric@anholt.net>
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 83c4297d2c4fd501a9d36bc0cb7d357a8d22394c)
  

• 2191f9b4
  by Olivier Fourdan at 2017-09-22T18:45:59+02:00

  glamor: avoid a crash if texture allocation failed
  
  Texture creation in _glamor_create_tex() can fail if a GL_OUT_OF_MEMORY
  is raised, in which case the texture returned is zero.
  
  But the texture value is not checked in glamor_create_fbo() and glamor
  will abort in glamor_pixmap_ensure_fb() because the fbo->tex is 0:
  
    Truncated backtrace:
    Thread no. 1 (10 frames)
     #4 glamor_pixmap_ensure_fb at glamor_fbo.c:57
     #5 glamor_create_fbo_from_tex at glamor_fbo.c:112
     #6 glamor_create_fbo at glamor_fbo.c:159
     #7 glamor_create_fbo_array at glamor_fbo.c:210
     #8 glamor_create_pixmap at glamor.c:226
     #9 compNewPixmap at compalloc.c:536
     #10 compAllocPixmap at compalloc.c:605
     #11 compCheckRedirect at compwindow.c:167
     #12 compRealizeWindow at compwindow.c:267
     #13 RealizeTree at window.c:2617
  
  Check the value returned by _glamor_create_tex() in glamor_create_fbo()
  and return NULL in the texture is zero.
  
  All callers of glamor_create_fbo() actually check the returned value and
  will use a fallback code path if it's NULL.
  
  Please cherry-pick this to active stable branches.
  
  Bugzilla: https://bugzilla.redhat.com/1433305
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  Reviewed-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit 8805a48ed35afb2ca66315656c1575ae5a01c639)
  

• 3166138e
  by Kenneth Graunke at 2017-09-22T18:45:59+02:00

  dri2: Sync i965_pci_ids.h from Mesa.
  
  Copied from Mesa with no modifications.  Gives us Geminilake PCI IDs.
  
  Signed-off-by: Kenneth Graunke <kenneth@whitecape.org>
  Acked-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit 368f60d461421fe5e2bbd90652d6ac858dbff8fe)
  

• e23000d8
  by Tobias Stoeckmann at 2017-09-22T18:45:59+02:00

  record: Fix OOB access in ProcRecordUnregisterClients
  
  If a client sends a RecordUnregisterClients request with an nClients
  field larger than INT_MAX / 4, an integer overflow leads to an
  out of boundary access in RecordSanityCheckClientSpecifiers.
  
  An example line with libXtst would be:
  XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
  
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 40c12a76c2ae57adefd3b1d412387ebbfe2fb784)
  

• df4d01e6
  by Tobias Stoeckmann at 2017-09-22T18:45:59+02:00

  dmx: Fix null pointer dereference
  
  A null pointer dereference can occur in dmxSync, because TimerForce
  does not handle a null pointer.
  
  dmxSyncTimer is set to NULL a few lines above on a certain condition,
  which happened on my machine. The explicit NULL check allowed me to
  start Xdmx again without a segmentation fault.
  
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 21eda7464d0e13ac6558edaf6531c3d3251e05df)
  

• 60ae865a
  by Daniel Stone at 2017-09-22T18:45:59+02:00

  modesetting: Set correct DRM event context version
  
  DRM_EVENT_CONTEXT_VERSION is the latest context version supported by
  whatever version of libdrm is present. modesetting was blindly asserting
  it supported whatever version that may be, even if it actually didn't.
  
  With libdrm 2.4.78, setting a higher context version than 2 will attempt
  to call the page_flip_handler2 vfunc if it was non-NULL, which being a
  random chunk of stack memory, it might well have been.
  
  Set the version as 2, which should be bumped only with the appropriate
  version checks.
  
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  Signed-off-by: Daniel Stone <daniels@collabora.com>
  (cherry picked from commit 0c8e6ed85810e96d84173a52d628863802a78d82)
  

• 74126530
  by Adam Jackson at 2017-09-22T18:45:59+02:00

  xephyr: Check for host XVideo support before trying to use it
  
  Otherwise xcb will treat our attempt to send xv requests as a connection
  error (quite reasonably: we're asking it to emit a request for which
  there is no defined major opcode), and we'll die quietly the first time
  we hit KdBlockhandler.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit 14d2fe74f4e51c5b37eab4b7475c804a0340b530)
  

• 1e8e68b7
  by Sven Joachim at 2017-09-25T18:16:49+02:00

  Add bug closure for #876690
  

• 6a6bf1ae
  by Michel Dänzer at 2017-09-25T15:34:10-04:00

  xfree86/modes: Make colormap/gamma glue code work with RandR disabled
  
  E.g. because Xinerama is enabled.
  
  Fixes crash on startup and wrong colours in that case.
  
  Bugzilla: https://bugs.freedesktop.org/100293
  Bugzilla: https://bugs.freedesktop.org/100294
  Fixes: 62f44052573b ("xfree86/modes: Move gamma initialization to
                        xf86RandR12Init12 v2")
  Tested-by: Mariusz Bialonczyk <manio@skyboo.net>
  Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
  (cherry picked from commit 41dafcc2a2942fc4c94ce3cbafc4a1b413c460c3)
  

• e59a32c8
  by Olivier Fourdan at 2017-09-25T15:34:10-04:00

  glamor: an FBO is not needed for Xv pixmaps
  
  It appears that on some hardware/diver combo such as nv30/nouveau, using
  GL_ALPHA as format for 8-bit depth will cause an incomplete attachment
  error (GL_FRAMEBUFFER_INCOMPLETE_ATTACHMENT) when trying to bind the
  texture.
  
  As a result, the FBO is NULL and glamor segfaults when trying to access
  the FBO width/height in pixmap_priv_get_scale() in glamor_xv_render().
  
  This happens with glamor-xv which uses 8-bit pixmaps, meaning that on
  such hardware/driver, trying to play a video using Xv will lead to a
  crash of the Xserver. This affects Xwayland, Xephyr, modesetting driver
  with glamor accel.
  
  But the use of an FBO is not actually needed for glamox-xv, so by
  disabling FBO at pixmap creation, we can avoid the issue entirely.
  
  Fix suggested by Eric Anholt <eric@anholt.net>
  
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=100710
  Fixes: https://bugzilla.redhat.com/1412814
  Reviewed-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit 7bfb87a2137853295ecc9e544a15626cfd773a02)
  

• b3de3ebc
  by Michel Dänzer at 2017-09-25T15:34:10-04:00

  os: Handle SIGABRT
  
  Without this, assertion failures can make life hard for users and those
  trying to help them.
  
  v2:
  * Change commit log wording slightly to "can make life hard", since
    apparently e.g. logind can alleviate that somewhat.
  * Set default handler for SIGABRT in
    hw/xfree86/common/xf86Init.c:InstallSignalHandlers() and
    hw/xquartz/quartz.c:QuartzInitOutput() (Eric Anholt)
  
  Reviewed-by: Eric Anholt <eric@anholt.net>
  Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit 27a6b9f7c84c914d0f5909ec1069d72f5035bc04)
  

• 7a2525fb
  by Keith Packard at 2017-09-25T15:34:10-04:00

  os: un-duplicate code to close client on write failure
  
  There are three copies of the same short sequence of operations to
  close down a client when a write error occurs. Create a new function,
  AbortClient, which performs these operations and then call it from the
  three places.
  
  Signed-off-by: Keith Packard <keithp@keithp.com>
  Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit a82971b07035ee9a4e3ed01326e7c1eab34b5a19)
  

• d808b573
  by Keith Packard at 2017-09-25T15:34:10-04:00

  os: Mark client as ready to read when closing due to write failure [100863]
  
  This makes sure the server will go look at the client again, notice
  that the FD is no longer valid and close the client down.
  
  Bugzilla: https://bugs.freedesktop.org/100863
  Signed-off-by: Keith Packard <keithp@keithp.com>
  Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit e2f68296ffb8e40035c0ebd949b67d1e2e424e11)
  

• 444929b4
  by Keith Packard at 2017-09-25T15:34:10-04:00

  dix: Remove clients from input and output ready queues after closing
  
  Delay removing the client from these two queues until all potential
  I/O has completed in case we mark the client as ready for reading or
  with pending output during the close operation.
  
  Bugzilla: https://bugs.freedesktop.org/100957
  Signed-off-by: Keith Packard <keithp@keithp.com>
  Tested-by: Nick Sarnie <commendsarnex@gmail.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit d9e23ea4228575344e3b4c0443cecc5eb75356e4)
  

• d8f63717
  by Jason Gerecke at 2017-09-25T15:34:10-04:00

  xfree86: Fix interpretation of xf86WaitForInput timeout
  
  Commit aa6717ce2 switched xf86WaitForInput from using select(2) to using
  poll(2). Before this change, the timeout was interpreted as being in
  microseconds; afterwards it is fed directly to xorg_poll which interprets
  it as being in milliseconds. This results in the function potentially
  blocking 1000x longer than intended. This commit scales down the timeout
  argument before passing it to xorg_poll, being careful to ensure the result
  is not rounded down due to integer division.
  
  Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 2fbf62b2fb3dcb29551251d09aa695715bb754f4)
  

• 7c4f7b3a
  by Lyude at 2017-09-25T15:34:10-04:00

  xwayland: Don't load extension list more than once
  
  When running an Xwayland server from the command line, we end up
  resetting the server every time all of the clients connected to the
  server leave. This would be fine, except that xwayland makes the mistake
  of unconditionally calling LoadExtensionList(). This causes us to setup
  the glxExtension twice in a row which means that when we lose our last
  client on the second server generation, we end up trying to call the glx
  destructors twice in a row resulting in a segfault:
  
  (EE)
  (EE) Backtrace:
  (EE) 0: Xwayland (OsSigHandler+0x3b) [0x4982f9]
  (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x70845bf]
  (EE) 2: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x32897d) [0x1196e5bd]
  (EE) 3: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x328a45) [0x1196e745]
  (EE) 4: /usr/lib64/dri/swrast_dri.so (__driDriverGetExtensions_virtio_gpu+0x32665f) [0x11969f7f]
  (EE) 5: Xwayland (__glXDRIscreenDestroy+0x30) [0x54686e]
  (EE) 6: Xwayland (glxCloseScreen+0x3f) [0x5473db]
  (EE) 7: Xwayland (glxCloseScreen+0x53) [0x5473ef]
  (EE) 8: Xwayland (dix_main+0x7b6) [0x44c8c9]
  (EE) 9: Xwayland (main+0x28) [0x61c503]
  (EE) 10: /lib64/libc.so.6 (__libc_start_main+0xf1) [0x72b1401]
  (EE) 11: Xwayland (_start+0x2a) [0x4208fa]
  (EE) 12: ? (?+0x2a) [0x2a]
  (EE)
  (EE) Segmentation fault at address 0x18
  (EE)
  Fatal server error:
  (EE) Caught signal 11 (Segmentation fault). Server aborting
  (EE)
  
  Easy reproduction recipe:
  - Start an Xwayland session with the default settings
  - Open a window
  - Close that window
  - Open another window
  - Close that window
  - Total annihilation occurs
  
  Signed-off-by: Lyude <lyude@redhat.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 4f29366f1e5678505fb882143c9b4a892d5b8273)
  

• 40edd409
  by Michel Dänzer at 2017-09-25T15:34:10-04:00

  glamor: Store the actual EGL/GLX context pointer in lastGLContext
  
  Fixes subtle breakage which could sometimes trigger after a server reset
  with multiple screens using glamor:
  
  Screen A enters glamor_close_screen last and calls various cleanup
  functions, which at some point call glamor_make_current to make sure
  screen A's GL context is current. This sets lastGLContext to screen A's
  &glamor_priv->ctx. Finally, glamor_close_screen calls
  glamor_release_screen_priv, which calls free(glamor_priv).
  
  Later, screen B enters glamor_init, which allocates a new glamor_priv.
  With bad luck, this can return the same pointer which was previously
  used for screen A's glamor_priv. So when screen B's glamor_init calls
  glamor_make_current, lastGLContext == &glamor_priv->ctx, so MakeCurrent
  isn't called for screen B's GL context, and the following OpenGL API
  calls triggered by glamor_init mess up screen A's GL context.
  
  The observed end result of this was a crash in glamor_get_vbo_space
  because glamor_priv->vbo didn't match the GL context, though there might
  be other possible outcomes.
  
  Assigning the actual GL context pointer to lastGLContext prevents this
  by preventing the false negative test in glamor_make_current.
  
  Reviewed-by: Keith Packard <keithp@keithp.com>
  Reviewed-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit 7c88977d338a01aca866e52c9e736f8857fb9ae4)
  

• 420f77a1
  by Carlos Garnacho at 2017-09-25T15:34:10-04:00

  xwayland: Allow pointer warp on root/None window
  
  Of sorts, as we can't honor pointer warping across the whole root window
  coordinates, peek the pointer focus in these cases.
  
  Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit c217fcb4c4640ffd2fefee63c6fcd7ea5e64b942)
  

• 0e5b08f2
  by Carlos Garnacho at 2017-09-25T15:34:10-04:00

  xwayland: "Accept" confineTo on InputOnly windows
  
  Of sorts, actually make it confine to the pointer focus, as the
  InputOnly window is entirely invisible to xwayland accounting,
  we don't have a xwl_window for it.
  
  Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit fafdb0cc9697eb53635ed1e78bec1d4cd87ab3a2)
  

• 2ccea152
  by Carlos Garnacho at 2017-09-25T15:34:10-04:00

  xwayland: Update root window size when desktop size changes
  
  This fixes grabs on InputOnly windows whose parent is the root window
  failing with GrabNotViewable. This is due to window->borderSize/windowSize
  being computed as clipped by its parent, resulting in a null region.
  
  Setting up the right size on the root window makes the InputOnly size
  correct too, so the GrabNotViewable paths aren't hit anymore.
  
  Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
  Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 513e3bd3870fdb8a8e0e2e52c0fa93872300bc8b)
  

• c6df0d03
  by Carlos Garnacho at 2017-09-25T15:34:10-04:00

  xwayland: Lock the pointer if it is confined and has no cursor
  
  In the typical pattern in games of "hide cursor, grab with a confineTo,
  warp constantly the pointer to the middle of the window" the last warping
  step is actually rather optional. Some games may choose to just set up a
  grab with confineTo argument, and trust that they'll get correct relative
  X/Y axis values despite the hidden cursor hitting the confinement window
  edge.
  
  To cater for these cases, lock the pointer whenever there is a pointer
  confinement and the cursor is hidden. This ensures the pointer position
  is in sync with the compositor's when it's next shown again, and more
  importantly resorts to the relative pointer for event delivery.
  
  Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit ca17f3e9fd3b59fdc5ffd0e5d78e4db6ddc87aa1)
  

• faeee764
  by Carlos Garnacho at 2017-09-25T15:34:10-04:00

  Xi: Use WarpPointerProc hook on XI pointer warping implementation
  
  Just like we do with XWarpPointer's.
  
  Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 95febc42cadf392a888104ad6d5cf4f34fdde7d5)
  

• 87a73937
  by Adam Jackson at 2017-09-25T15:34:10-04:00

  modesetting: Validate the atom for enum properties
  
  The client could have said anything here, and if what they said doesn't
  actually name an atom NameForAtom() will return NULL, and strcmp() will
  be unhappy about that.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit d4995a3936ae283b9080fdaa0905daa669ebacfc)
  

• 3a53e440
  by Michel Dänzer at 2017-09-25T15:34:10-04:00

  glamor: Fix temporary pixmap coordinate offsets
  
  The previous values happened to work in basic cases, but not in general
  if the destination is a subwindow or has a border.
  
  Fixes crash with xli, which moves a large subwindow inside a smaller
  parent window for scrolling.
  
  No regressions with xterm, x11perf -copyplane or the xscreensaver
  phosphor hack.
  
  Bug: https://bugs.debian.org/857983
  Reviewed-by: Keith Packard <keithp@keithp.com>
  (cherry picked from commit ffda82ed04d28feae2e001dbd0c32d6c795d90b1)
  

• cdf15ab8
  by Michal Srb at 2017-09-25T15:34:10-04:00

  Xi: Zero target buffer in SProcXSendExtensionEvent.
  
  Make sure that the xEvent eventT is initialized with zeros, the same way as
  in SProcSendEvent.
  
  Some event swapping functions do not overwrite all 32 bytes of xEvent
  structure, for example XSecurityAuthorizationRevoked. Two cooperating
  clients, one swapped and the other not, can send
  XSecurityAuthorizationRevoked event to each other to retrieve old stack data
  from X server. This can be potentialy misused to go around ASLR or
  stack-protector.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 05442de962d3dc624f79fc1a00eca3ffc5489ced)
  

• 21f55903
  by Michal Srb at 2017-09-25T15:34:10-04:00

  dix: Disallow GenericEvent in SendEvent request.
  
  The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
  no less. Both ProcSendEvent and SProcSendEvent verify that the received data
  exactly match the request size. However nothing stops the client from passing
  in event with xEvent::type = GenericEvent and any value of
  xGenericEvent::length.
  
  In the case of ProcSendEvent, the event will be eventually passed to
  WriteEventsToClient which will see that it is Generic event and copy the
  arbitrary length from the receive buffer (and possibly past it) and send it to
  the other client. This allows clients to copy unitialized heap memory out of X
  server or to crash it.
  
  In case of SProcSendEvent, it will attempt to swap the incoming event by
  calling a swapping function from the EventSwapVector array. The swapped event
  is written to target buffer, which in this case is local xEvent variable. The
  xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
  expect that the target buffer has size matching the size of the source
  GenericEvent. This allows clients to cause stack buffer overflows.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 215f894965df5fb0bb45b107d84524e700d2073c)
  

• e8f6a1bb
  by Michal Srb at 2017-09-25T15:34:10-04:00

  Xi: Verify all events in ProcXSendExtensionEvent.
  
  The requirement is that events have type in range
  EXTENSION_EVENT_BASE..lastEvent, but it was tested
  only for first event of all.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 8caed4df36b1f802b4992edcfd282cbeeec35d9d)
  

• ed8fbaba
  by Michal Srb at 2017-09-25T15:34:10-04:00

  Xi: Do not try to swap GenericEvent.
  
  The SProcXSendExtensionEvent must not attempt to swap GenericEvent because
  it is assuming that the event has fixed size and gives the swapping function
  xEvent-sized buffer.
  
  A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway.
  
  Signed-off-by: Michal Srb <msrb@suse.com>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit ba336b24052122b136486961c82deac76bbde455)
  

• 358f0bcd
  by Aaron Plattner at 2017-09-25T15:34:10-04:00

  randr: Use RRTransformEqual in RRCrtcPendingTransform
  
  Currently, RRCrtcPendingTransform returns false unless the
  transformation matrix itself is changing. This makes RRCrtcSet skip
  doing anything if the only thing that is changing is the transform
  filter.
  
  There's already a function for comparing RRTransformPtrs, so use that
  instead.
  
  Tested by running
  
    xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter nearest
  
  follwed by
  
    xrandr --output DP-1 --mode 1920x1080 --rate 144 --scale 0.5x0.5 --filter bilinear
  
  Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
  Reviewed-and-Tested-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit 091af80be48c37f16c679d35fc12ad33e6b0cd74)
  

• 0934d56d
  by Michel Dänzer at 2017-09-25T15:34:10-04:00

  xfree86/modes: Use RRTransformEqual in xf86RandR12CrtcSet
  
  The memcmp didn't catch when e.g. only the filter changed. Tested by
  alternately running
  
  xrandr --output DVI-I-0 --scale-from 3840x2160 --filter bilinear
  xrandr --output DVI-I-0 --scale-from 3840x2160 --filter nearest
  
  Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
  (cherry picked from commit 4212c884c423e5ce2cd3b4d67c0d656475fddc79)
  

• 37815323
  by Adam Jackson at 2017-09-25T15:34:10-04:00

  wayland: Sync drm.xml with Mesa
  
  ... where it is named src/egl/wayland/wayland-drm/wayland-drm.xml and
  has its requests sorted by protocol version number, avoiding a warning
  from wayland-scanner.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Daniel Stone <daniels@collabora.com>
  (cherry picked from commit 04511a0476b5c860e7d157b01080dff94d935f74)
  

• c8eb79c1
  by Rodrigo Vivi at 2017-09-25T15:34:10-04:00

  dri2: Sync i965_pci_ids.h from Mesa.
  
  Copied from Mesa with no modifications.
  
  Gives us Coffee Lake and Cannon Lake PCI IDs.
  
  Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
  Acked-by: Kenneth Graunke <kenneth@whitecape.org>
  (cherry picked from commit abb031e731f5c159add1b3351de9c4bb121bf00a)
  

• 6f29c837
  by Michal Srb at 2017-09-25T15:34:10-04:00

  Xi: Test exact size of XIBarrierReleasePointer
  
  Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
  
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 211e05ac85a294ef361b9f80d689047fa52b9076)
  

• baa25315
  by Olivier Fourdan at 2017-09-25T15:34:10-04:00

  xwayland: Fix a segfault with pointer locking
  
  Xwayland would crash in some circumstances while trying to issue a
  pointer locking when the cursor is hidden when there is no seat focus
  window set.
  
  The crash signature looks like:
  
   #0  zwp_pointer_constraints_v1_lock_pointer ()
   #1  xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
   #2  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
   #3  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
   #4  xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
   #5  xwl_set_cursor () at xwayland-cursor.c:245
   #6  miPointerUpdateSprite () at mipointer.c:468
   #7  miPointerDisplayCursor () at mipointer.c:206
   #8  CursorDisplayCursor () at cursor.c:150
   #9  AnimCurDisplayCursor () at animcur.c:220
   #10 ChangeToCursor () at events.c:936
   #11 ActivatePointerGrab () at events.c:1542
   #12 GrabDevice () at events.c:5120
   #13 ProcGrabPointer () at events.c:4908
   #14 Dispatch () at dispatch.c:478
   #15 dix_main () at main.c:276
  
  xwl_pointer_warp_emulator_lock() tries to use the surface from the
  xwl_seat->focus_window leading to a NULL pointer dereference when that
  value is NULL.
  
  Check that xwl_seat->focus_window is not NULL earlier in the stack in
  xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
  to avoid the crash.
  
  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit cdd0352ba05d4d8482aaca41797e05d40e58da36)
  

• 421814bc
  by Olivier Fourdan at 2017-09-25T15:34:10-04:00

  glamor: handle NULL source picture
  
  COMPOSITE_REGION() can pass NULL as a source picture, make sure we
  handle that nicely in both glamor_composite_clipped_region() and
  glamor_composite_choose_shader().
  
  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit bd353e9b84e013fc34ed730319d5b63d20977903)
  

• 69ab094a
  by Olivier Fourdan at 2017-09-25T15:34:10-04:00

  glamor: Avoid overflow between box32 and box16 box
  
  glamor_compute_transform_clipped_regions() uses a temporary box32
  internally which is copied back to a box16 to init the regions16,
  thus causing a potential overflow.
  
  If an overflow occurs, the given region is invalid and the pixmap
  init region will fail.
  
  Simply check that the coordinates won't overflow when copying back to
  the box16, avoiding a crash later down the line in glamor.
  
  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=101894
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  Tested-by: Fabrice Bellet <fabrice@bellet.info>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 9869dcb349b49f6d4cc2fab5d927cd8b1d1f463c)
  

• 0e79797e
  by Adam Jackson at 2017-09-25T15:52:25-04:00

  os: Fix warning in LockServer
  
  The meson build gives me:
  
  ../os/utils.c: In function ‘LockServer’:
  ../os/utils.c:310:40: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=]
       snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
                                          ^~~~~~~~~
  ../os/utils.c:310:5: note: ‘snprintf’ output between 12 and 13 bytes into a destination of size 12
       snprintf(pid_str, sizeof(pid_str), "%10ld\n", (long) getpid());
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  Which seems to be due to the %d part meaning that a negative number's -
  sign would be one wider than we're expecting. Fine, just coerce it to
  unsigned.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  (cherry picked from commit aabf65d2a0206bd1a9c6e9a9f3153ded873dfd43)
  

• c5320244
  by Adam Jackson at 2017-09-25T15:54:20-04:00

  xfree86: Silence a new glibc warning
  
  glibc would like to stop declaring major()/minor() macros in
  <sys/types.h> because that header gets included absolutely everywhere
  and unix device major/minor is perhaps usually not what's expected. Fair
  enough. If one includes <sys/sysmacros.h> as well then glibc knows we
  meant it and doesn't warn, so do that if it exists.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit d732c36597fab2e9bc4f2aa72cf1110997697557)
  

• d230e12d
  by Nick Sarnie at 2017-09-25T15:54:34-04:00

  suid: Include sysmacros.h to fix build after glibc-2.25
  
  [Added HAVE_SYS_SYSMACROS_H guard - ajax]
  
  Signed-off-by: Nick Sarnie <commendsarnex@gmail.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 84e3b96b531363e47f6789aacfcae4aa60135e2e)
  

• a114286c
  by Peter Hutterer at 2017-09-25T15:55:01-04:00

  test: fix compiler warning
  
  signal-logging.c:182:12: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
  
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit ea82ececbf85a7ac3d0931687f44c57534fde17c)
  

• 126144c2
  by Peter Hutterer at 2017-09-25T15:56:22-04:00

  xfree86: up the path name size to 512 in xf86MatchDriverFromFiles
  
  ./hw/xfree86/common/xf86pciBus.c: In function ‘xf86MatchDriverFromFiles’:
  ../hw/xfree86/common/xf86pciBus.c:1330:52: warning: ‘snprintf’ output may be
  truncated before the last format character [-Wformat-truncation=]
               snprintf(path_name, sizeof(path_name), "%s/%s", ^~~~~~~
  ../hw/xfree86/common/xf86pciBus.c:1330:13: note: ‘snprintf’ output between 2
  
  dirent->d_name is 256, so sprintf("%s/%s") into a 256 buffer gives us:
  
  and 257 bytes into a destination of size 256
  
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 96af794dc648eadcd596893412d7530e92cb5421)
  

• 545c96c3
  by Timo Aaltonen at 2017-09-26T08:27:44+03:00

  Merge remote-tracking branch 'upstream/server-1.19-branch' into ubuntu-artful
  

• 2e77321a
  by Timo Aaltonen at 2017-09-26T10:50:09+03:00

  Update changelog, drop upstreamed patches.
  

• 6abd8d24
  by Timo Aaltonen at 2017-10-03T00:25:30+03:00

  release to artful
  

• 1135bbf8
  by Julien Cristau at 2017-10-04T14:02:24+02:00

  Restore definition of DEB_HOST_ARCH_OS in debian/rules
  
  This was lost in dh conversion (2:1.19.1-1).  Thanks, Helmut Grohne!
  

• 787655d5
  by Martin Peres at 2017-10-04T14:37:45-04:00

  modesetting: re-set the crtc's mode when link-status goes BAD
  
  Despite all the careful planning of the kernel, a link may become
  insufficient to handle the currently-set mode. At this point, the
  kernel should mark this particular configuration as being broken
  and potentially prune the mode before setting the offending connector's
  link-status to BAD and send the userspace a hotplug event. This may
  happen right after a modeset or later on.
  
  Upon receiving a hot-plug event, we iterate through the connectors to
  re-apply the currently-set mode on all the connectors that have a
  link-status property set to BAD. The kernel may be able to get the
  link to work by dropping to using a lower link bpp (with the same
  display bpp). However, the modeset may fail if the kernel has pruned
  the mode, so to make users aware of this problem a warning is outputed
  in the logs to warn about having a potentially-black display.
  
  This patch does not modify the current behaviour of always propagating
  the events to the randr clients. This allows desktop environments to
  re-probe the connectors and select a new resolution based on the new
  (currated) mode list if a mode disapeared. This behaviour is expected in
  order to pass the Display Port compliance tests.
  
  Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
  Reviewed-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit bcee1b76aa0db8525b491485e90b8740763d7de6)
  

• 5571318f
  by Keith Packard at 2017-10-04T14:38:07-04:00

  modesetting: Skip no-longer-present connectors when resetting BAD links
  
  Outputs may have NULL mode_output (connector) pointers if the
  connector disappears while the server is running. Skip these when
  resetting outputs with BAD link status.
  
  Signed-off-by: Keith Packard <keithp@keithp.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 37f4e7651a2fd51efa613a08a1e705553be33e76)
  

• 359186b1
  by Dawid Kurek at 2017-10-04T14:38:21-04:00

  modesetting: Blacklist EVDI devices from PRIME sync
  
  UDL (usb) devices are blacklisted because of they weird behaviour when
  it comes to vblank events. As EVDI uses very similar model of handling
  vblanks it should be treated similarly.
  
  When doing a page flip, EVDI does not wait for real vblank, but
  simulates it by adding constant delay. It also does not support
  DRM_IOCTL_WAIT_VBLANK.
  
  In contrast to UDL, EVDI uses platform devices, thus instead of 'usb' in
  path they all have 'platform'.
  
  It is possible to blacklist by 'platform', so without explicitly saying
  'evdi', but it might be misleading when it comes to real reason for it.
  
  Signed-off-by: Dawid Kurek <dawid.kurek@displaylink.com>
  (cherry picked from commit fbd80b2c8ebe9fd41229dc5438524d107c071ff1)
  

• c5d409a2
  by Jon TURNEY at 2017-10-04T15:04:25-04:00

  Move statically linked xorgxkb files from dixmods to a separate directory
  
  [ajax: Fixed test/Makefile.am as well]
  
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit fbdd73fac68383c93f6f5c6a7615860503039999)
  

• 320e48c9
  by Adam Jackson at 2017-10-04T15:04:40-04:00

  dmx: Silence an unused-result warning
  
  Modern glibc is very insistent that you care about whether write()
  succeeds:
  
  ../hw/dmx/input/usb-keyboard.c: In function ‘kbdUSBCtrl’:
  ../hw/dmx/input/usb-keyboard.c:292:9: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result [-Wunused-result]
           write(priv->fd, &event, sizeof(event));
           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Keith Packard <keithp@keithp.com>
  (cherry picked from commit 17ad6e5d5616039021455bc821d6ee2497f7ebde)
  

• 3cea13cc
  by Adam Jackson at 2017-10-04T15:04:48-04:00

  dmx: Remove some not-very-interesting debug prints
  
  gcc/glibc think the snprintf in dmxExecOS() might truncate. Yes, it
  might, and we also don't care. Just delete all this.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Acked-by: Keith Packard <keithp@keithp.com>
  (cherry picked from commit d6db66811643d3762716f6b144a7358572216a4f)
  

• a510fb81
  by Michal Srb at 2017-10-04T15:09:13-04:00

  Xext/shm: Validate shmseg resource id (CVE-2017-13721)
  
  Otherwise it can belong to a non-existing client and abort X server with
  FatalError "client not in use", or overwrite existing segment of another
  existing client.
  
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit b95f25af141d33a65f6f821ea9c003f66a01e1f1)
  

• 3094c4c6
  by Michal Srb at 2017-10-04T15:09:13-04:00

  xkb: Escape non-printable characters correctly.
  
  XkbStringText escapes non-printable characters using octal numbers. Such escape
  sequence would be at most 5 characters long ("\0123"), so it reserves 5 bytes
  in the buffer. Due to char->unsigned int conversion, it would print much longer
  string for negative numbers.
  
  Reviewed-by: Keith Packard <keithp@keithp.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit eaf1f72ed8994b708d94ec2de7b1a99f5c4a39b8)
  

• 8bd33a2d
  by Keith Packard at 2017-10-04T15:09:13-04:00

  xkb: Handle xkb formated string output safely (CVE-2017-13723)
  
  Generating strings for XKB data used a single shared static buffer,
  which offered several opportunities for errors. Use a ring of
  resizable buffers instead, to avoid problems when strings end up
  longer than anticipated.
  
  Reviewed-by: Michal Srb <msrb@suse.com>
  Signed-off-by: Keith Packard <keithp@keithp.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit 94f11ca5cf011ef123bd222cabeaef6f424d76ac)
  

• 388dc1ae
  by Keith Packard at 2017-10-04T15:25:51-04:00

  xf86-video-modesetting: Add ms_queue_vblank helper [v3]
  
  This provides an API wrapper around the kernel interface for queueing
  a vblank event, simplifying all of the callers.
  
  v2: Fix missing '|' in computing vbl.request.type
  
  v3: Remove spurious bit of next patch (thanks, Michel Dänzer)
  
  Signed-off-by: Keith Packard <keithp@keithp.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 677c32bcda98a96585bb1f66b57e0755a157b772)
  

• 12fe3d3e
  by Louis-Francis Ratté-Boulianne at 2017-10-04T15:25:56-04:00

  present: Check the whole exec queue on event
  
  Later events are sometimes added in front of the queue (e.g.
  if page flipping fails) so we need to check the whole queue
  on event.
  
  Signed-off-by: Louis-Francis Ratté-Boulianne <lfrb@collabora.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit c2f2b25ab55c67f9f3ad07c02fa746eae7c61196)
  

• ec37e559
  by Adam Jackson at 2017-10-04T15:29:18-04:00

  xserver 1.19.4
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  

• 3a3bce94
  by Timo Aaltonen at 2017-10-05T09:54:11+03:00

  Merge branch 'upstream-unstable' into debian-unstable
  

• 891a2d03
  by Timo Aaltonen at 2017-10-05T10:03:56+03:00

  bump the version
  

• 2f7fb099
  by Timo Aaltonen at 2017-10-05T10:14:29+03:00

  signing-key.asc: Update Adam Jackson's key.
  

• 72d2aeda
  by Timo Aaltonen at 2017-10-05T10:23:27+03:00

  fixes two CVE's
  

• c4dec70a
  by Timo Aaltonen at 2017-10-05T10:36:23+03:00

  close some bugs
  

• 290ffbf0
  by Timo Aaltonen at 2017-10-10T00:33:34+03:00

  release to sid
  

• f17420f3
  by Timo Aaltonen at 2017-10-10T11:13:42+03:00

  Merge branch 'debian-unstable' into ubuntu-artful
  

• e23cb995
  by Timo Aaltonen at 2017-10-10T11:21:31+03:00

  release to artful
  

• d4d9be87
  by Emilio Pozuelo Monfort at 2017-10-10T18:55:57+02:00

  Simplify flags handling
  

• b68c3b6a
  by Emilio Pozuelo Monfort at 2017-10-10T18:56:36+02:00

  Drop useless spaces
  

• 80ab8f53
  by Emilio Pozuelo Monfort at 2017-10-10T18:57:11+02:00

  Let dh pass --disable-silent-rules
  

• 65d4d5a4
  by Emilio Pozuelo Monfort at 2017-10-10T19:06:32+02:00

  Merge dri3 flags with other (non-)linux ones
  

• b8b99a32
  by Emilio Pozuelo Monfort at 2017-10-10T19:37:24+02:00

  Move --lib(exec)dir to common flags
  

• b688ff31
  by Emilio Pozuelo Monfort at 2017-10-10T19:43:04+02:00

  Move rules to rules.flags
  

• 7edde320
  by Timo Aaltonen at 2017-10-11T11:13:05+03:00

  xvfb-run: Keep redirecting stderr to stdout, autopkgtests need it.
  

• 784d205f
  by Adam Jackson at 2017-10-12T12:17:53-04:00

  Revert "xf86-video-modesetting: Add ms_queue_vblank helper [v3]"
  
  Apparently introduces a regression:
  
  https://bugs.freedesktop.org/103243
  
  This reverts commit 388dc1aeac9acf2d51ad5103570beffd81d78b96.
  

• e751722a
  by Michal Srb at 2017-10-12T12:24:49-04:00

  os: Make sure big requests have sufficient length.
  
  A client can send a big request where the 32B "length" field has value
  0. When the big request header is removed and the length corrected,
  the value will underflow to 0xFFFFFFFF.  Functions processing the
  request later will think that the client sent much more data and may
  touch memory beyond the receive buffer.
  
  Signed-off-by: Eric Anholt <eric@anholt.net>
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9)
  

• c206f36a
  by Nathan Kidd at 2017-10-12T12:25:02-04:00

  Unvalidated lengths
  
  v2: Add overflow check and remove unnecessary check (Julien Cristau)
  
  This addresses:
  CVE-2017-12184 in XINERAMA
  CVE-2017-12185 in MIT-SCREEN-SAVER
  CVE-2017-12186 in X-Resource
  CVE-2017-12187 in RENDER
  
  Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
  

• 61502107
  by Nathan Kidd at 2017-10-12T12:25:10-04:00

  xfixes: unvalidated lengths (CVE-2017-12183)
  
  v2: Use before swap (Jeremy Huddleston Sequoia)
  
  v3: Fix wrong XFixesCopyRegion checks (Alan Coopersmith)
  
  Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit 55caa8b08c84af2b50fbc936cf334a5a93dd7db5)
  

• d264da92
  by Nathan Kidd at 2017-10-12T12:25:19-04:00

  hw/xfree86: unvalidated lengths
  
  This addresses:
  CVE-2017-12180 in XFree86-VidModeExtension
  CVE-2017-12181 in XFree86-DGA
  CVE-2017-12182 in XFree86-DRI
  
  Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit 1b1d4c04695dced2463404174b50b3581dbd857b)
  

• c77cd08e
  by Nathan Kidd at 2017-10-12T12:25:24-04:00

  Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
  
  [jcristau: originally this patch fixed the same issue as commit
   211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
   addition of these checks]
  
  This addresses CVE-2017-12179
  
  Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
  

• 6c151221
  by Nathan Kidd at 2017-10-12T12:25:31-04:00

  Xi: fix wrong extra length check in ProcXIChangeHierarchy (CVE-2017-12178)
  
  Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit 859b08d523307eebde7724fd1a0789c44813e821)
  

• cc41e5b5
  by Nathan Kidd at 2017-10-12T12:25:36-04:00

  dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
  
  v2: Protect against integer overflow (Alan Coopersmith)
  
  Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
  

• 95f605b4
  by Nathan Kidd at 2017-10-12T12:25:41-04:00

  Unvalidated extra length in ProcEstablishConnection (CVE-2017-12176)
  
  Reviewed-by: Julien Cristau <jcristau@debian.org>
  Signed-off-by: Nathan Kidd <nkidd@opentext.com>
  Signed-off-by: Julien Cristau <jcristau@debian.org>
  (cherry picked from commit b747da5e25be944337a9cd1415506fc06b70aa81)
  

• b96e982e
  by Adam Jackson at 2017-10-12T12:32:31-04:00

  xserver 1.19.5
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  

• 6ba3544b
  by Andreas Boll at 2017-10-12T22:12:48+02:00

  Merge tag 'xorg-server-1.19.5' into debian-unstable
  
  xorg-server-1.19.5
  

• d97dac4a
  by Andreas Boll at 2017-10-12T22:18:52+02:00

  Bump changelog
  

• 0f184231
  by Andreas Boll at 2017-10-12T22:25:20+02:00

  Fixes twelve CVE's
  

• a91b0c6e
  by Timo Aaltonen at 2017-10-13T08:41:32+03:00

  Merge tag 'xorg-server-1.19.5' into ubuntu-artful
  
  xorg-server-1.19.5
  

• f3201678
  by Timo Aaltonen at 2017-10-13T08:46:22+03:00

  update the changelog
  

• d6f9ebcf
  by Timo Aaltonen at 2017-10-13T08:46:32+03:00

  release to artful
  

• 1347a57f
  by Julien Cristau at 2017-10-13T11:28:17+02:00

  Upload to unstable
  

• dab761d5
  by Emilio Pozuelo Monfort at 2017-11-21T19:50:04+01:00

  Use --sourcedir for dh_install
  

• aefc7f30
  by Emilio Pozuelo Monfort at 2017-11-21T20:37:04+01:00

  Install xorg-server.pc to a multiarch location
  

• 4f84f345
  by Emilio Pozuelo Monfort at 2017-11-21T20:50:16+01:00

  Move xserver-xorg-legacy to priority optional
  

• 18540225
  by Emilio Pozuelo Monfort at 2017-11-23T00:33:52+01:00

  Fail the build if calculating video/xinput abi fails
  

• e540fb20
  by Emilio Pozuelo Monfort at 2017-11-23T00:36:37+01:00

  Unbreak the pkg-config file
  

• a6776111
  by Adam Jackson at 2017-12-11T15:21:51-05:00

  xfixes: Remove the CursorCurrent array
  
  We're not wrapping all the ways a cursor can be destroyed, so this array
  ends up with stale data. Rather than try harder to wrap more code paths,
  just look up the cursor when we need it.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit aa6651f83c698e8cc40de61aad36c73ca7a6adcf)
  

• cd5076a5
  by Nikolay Martynov at 2017-12-13T10:04:11-05:00

  XShmGetImage: fix censoring
  
  It looks like offsets calculated during image censoring are wrong.
  This results in black (empty) images returns.
  
  This fix is very similar to 6c6f09aac7f1d1367a042087b7681c7fdf1d1e0f
  that was applied to XGetImage
  
  Visually this fixes chromium/firefox window sharing in multiscreen
  configurations - without this patch most of the windows on 'secodnary'
  screens are black.
  
  This also should fix https://bugs.freedesktop.org/show_bug.cgi?id=101730.
  
  Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 885636b7d42b3c7b151fc386d358184db004ce45)
  

• 4ef1aef0
  by Alex Goins at 2017-12-13T10:04:47-05:00

  ramdac: Check ScreenPriv != NULL in xf86ScreenSetCursor()
  
  Similar to change cba5a10f, xf86ScreenSetCursor() would dereference ScreenPriv
  without NULL checking it. If Option "SWCursor" is specified, ScreenPriv == NULL.
  
  Without this fix, it is observed that setting Option "SWCursor" "on" on the
  modesetting driver in a PRIME configuration will segfault the server.
  
  It is important to return success rather than failure in the instance that
  ScreenPriv == NULL and pCurs == NullCursor, because otherwise xf86SetCursor()
  can fall into infinite recursion: xf86SetCursor(pCurs) calls
  xf86ScreenSetCursor(pCurs), and if FALSE, calls xf86SetCursor(NullCursor). If
  xf86ScreenSetCursor(NullCursor) returns FALSE, it calls
  xf86SetCursor(NullCursor) again and this repeats forever.
  
  Signed-off-by: Alex Goins <agoins@nvidia.com>
  Reviewed-by: Dave Airlie <airlied@redhat.com>
  (cherry picked from commit 68d95e759f8b6ebca6bd52e69e6bc34cc174f8ca)
  

• e8530b87
  by Daniel Martin at 2017-12-13T10:05:36-05:00

  modesetting: Fix potential buffer overflow
  
  If one misconfigures a ZaphodHeads value (more than 20 characters
  without a delimiter), we get an overflow of our buffer.  Use
  xstrtokenize() instead of writing/fixing our own tokenizer.
  
  Signed-off-by: Daniel Martin <consume.noise@gmail.com>
  Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
  (cherry picked from commit 04a305121fbc08ecc2ef345ee7155d6087a43fd1)
  

• e663998f
  by Daniel Martin at 2017-12-13T10:05:46-05:00

  test: input: Fix used uninitialized warning in dix_event_to_core
  
  input.c: In function ‘dix_event_to_core’:
  ../include/inputstr.h:61:55: warning: ‘*((void *)&ev+80)’ is used uninitialized in this function [-Wuninitialized]
   #define SetBit(ptr, bit)  (((BYTE *) (ptr))[(bit)>>3] |= (1 << ((bit) & 7)))
                                                         ^~
  
  Signed-off-by: Daniel Martin <consume.noise@gmail.com>
  Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
  (cherry picked from commit 0bcc65f2bf479c6a74ac70bb5b5181d6834dded6)
  

• 8817747c
  by Daniel Martin at 2017-12-13T10:05:53-05:00

  test: signal-logging: Fix looping signed number tests
  
  unsigned_tests[] was used to compute the amount of signed numbers to
  test.
  
  Signed-off-by: Daniel Martin <consume.noise@gmail.com>
  Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
  (cherry picked from commit 15a32ee5d1fffa171bb05af9a0e5b472e4af1488)
  

• 5a5b6d6c
  by Peter Hutterer at 2017-12-13T10:06:02-05:00

  config/udev: consider ID_INPUT_FOO=0 as 'unset'
  
  Historically we didn't need to care about this case but more devices are
  having invalid types set and they cannot be unset with a hwdb entry (which
  doesn't handle the empty string). Allow for "0" to mean "unset" because
  anything else would be crazy anyway.
  
  Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 5aad81445c8c3d6b7b30d503cfe26027fa482870)
  

• c39de5f7
  by Eric Anholt at 2017-12-13T10:06:07-05:00

  xkb: Print the xkbcomp path being executed when we fail to compile.
  
  I don't know how many times I've had a broken server due to a bad
  directory to xkbcomp, and only finding the whole path has shown me
  where I went wrong.
  
  Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  (cherry picked from commit 30f4d440ebc3517fdcc1d3c6a422a8fbf3af1f23)
  

• c3285706
  by Giuseppe Bilotta at 2017-12-13T10:06:44-05:00

  xkb: initialize tsyms
  
  This fixes some “Conditional jump depends on uninitialized value(s)”
  errors spotted by valgrind.
  
  Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
  Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
  (cherry picked from commit b2167015043a458e9cf93b827b43eb5b7c552ce9)
  

• c010bcb8
  by Giuseppe Bilotta at 2017-12-13T10:06:49-05:00

  randr: ProcRRGetOutputInfo: initialize memory
  
  Running Xephyr under valgrind reveals that we're sending some
  uninitialized memory over the wire (particularly, the leftover padding
  that comes from rounding extraLen to the next 32-bit multiple).
  
  Solve by calloc()ing the memory instead of malloc()ing (the alternative
  would be to memset just the padding, but I'm not sure it's more
  convenient.)
  
  Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit bb766ef11227bd8c71ac65845d1930edd0eda40d)
  

• b3fa60ed
  by Adam Jackson at 2017-12-13T10:07:07-05:00

  glx: Fix typos that break GLX_ARB_context_flush_control
  
  The trailing \n are just wrong here, __glXEnableExtension wants a string
  without them.
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
  (cherry picked from commit fd0eafb18426da14601d5c0d0a50092c49a7aff8)
  

• d1a2a275
  by Hector Martin at 2017-12-13T10:07:17-05:00

  edid: fix off-by-one error in CEA mode numbering
  
  The CEA extension short video descriptors contain the VIC, which starts
  at 1, not 0.
  
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  Signed-off-by: Hector Martin <marcan@marcan.st>
  (cherry picked from commit 68556d74b49e99d3490166c446079f7d5de26ca4)
  

• ece2e82e
  by Adam Jackson at 2017-12-13T10:07:24-05:00

  glx: Only flush indirect contexts in MakeCurrent (v2)
  
  If the context is direct none of the GL commands were issued by this
  process, the server couldn't flush them even if it wanted to.
  
  v2: Fix embarassingly obvious boolean inversion (Michel Dänzer)
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit 307c124d6bcfe26057767b2c0990dc9ac66b9c93)
  

• a4bd27bd
  by Giuseppe Bilotta at 2017-12-13T10:07:32-05:00

  randr: rrGetScreenResources: initialize memory
  
  Similarly to bb766ef11227bd8c71ac65845d1930edd0eda40d, ensure that the
  extra padding is set to 0.
  
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  Signed-off-by: Giuseppe Bilotta <giuseppe.bilotta@gmail.com>
  (cherry picked from commit fb5ee77b91a93e27801006be8ee34d27984e7fa6)
  

• 5c00e693
  by Michel Dänzer at 2017-12-13T10:08:00-05:00

  present: Only send PresentCompleteNotify events to the presenting client
  
  We were sending the events to all clients listening for them on the
  window. But clients can get confused by events from another client, and
  I can't imagine any case where receiving events from other clients would
  be required.
  
  v2:
  * Also restrict events sent to additional windows to the presenting
    client
  * Don't shorten line lengths
  
  Reviewed-by: Keith Packard <keithp@keithp.com>
  (cherry picked from commit 559954aaa8d811a22cf918cc16a7d618e12201a0)
  

• ee64427c
  by Daniel Martin at 2017-12-13T10:08:06-05:00

  os/xdmcp: Honour -once when session is dead
  
  Terminate a dead session when -once was passed. Don't restart it.
  
  Signed-off-by: Daniel Martin <consume.noise@gmail.com>
  Reviewed-by: Walter Harms <wharms@bfs.de>
  (cherry picked from commit 918afeecbc63d70413e222efdb2ac4cfb16eae9e)
  

• b832dac7
  by Adam Jackson at 2017-12-13T10:08:40-05:00

  glx: Fix glXQueryContext for GLX_FBCONFIG_ID and GLX_RENDER_TYPE (v2)
  
  Just never filled in, oops. Seems to have gone unnoticed because
  normally glXQueryContext simply returns the values filled in by the
  client library when the context was created. The only path by which you
  normally get to a GLXQueryContext request is glXImportContext, and then
  only if the context is already indirect.
  
  However, that's a statement about Mesa's libGL (and anything else that
  inherited that bit of the SGI SI more or less intact). Nothing prevents
  a mischeivous client from issuing that request of a direct context, and
  if they did we'd be in trouble because we never bothered to preserve the
  associated fbconfig in the context state, so we'd crash looking up
  GLX_VISUAL_ID_EXT. So let's fix that too.
  
  v2: Fixed missing preservation of the config in DRI2 (Eric Anholt)
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Eric Anholt <eric@anholt.net>
  (cherry picked from commit 5d667df6ea1634191a26f9a7c26bc883701d62b0)
  

• f9a55653
  by Olivier Fourdan at 2017-12-13T10:08:45-05:00

  xwayland: Fix non-argb cursor conversion
  
  >From the bug: "What happens if bits->width is less than 8? :)"
  
  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103012
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
  Reviewed-by: Daniel Stone <daniels@collabora.com>
  (cherry picked from commit 97ac59b1ed3624f7c04e54dd3e3dadfa46a8f170)
  

• 072dff82
  by Olivier Fourdan at 2017-12-13T10:09:11-05:00

  dix: avoid deferencing NULL PtrCtrl
  
  PtrCtrl really makes sense for relative pointing device only, absolute
  devices such as touch devices do not have any PtrCtrl set.
  
  In some cases, if the client issues a XGetPointerControl() immediatlely
  after a ChangeMasterDeviceClasses() copied the touch device to the VCP,
  a NULL pointer dereference will occur leading to a crash of Xwayland.
  
  Check whether the PtrCtrl is not NULL in ProcGetPointerControl() and
  return the default control values otherwise, to avoid the NULL pointer
  dereference.
  
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1519533
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
  (cherry picked from commit 9f7a9be13d6449c00c86d3035374f4f543654b3f)
  

• dbf97534
  by Tomasz Śniatowski at 2017-12-13T10:09:20-05:00

  os: Fix strtok/free crash in ComputeLocalClient
  
  Don't reuse cmd for strtok output to ensure the proper pointer is
  freed afterwards.
  
  The code incorrectly assumed the pointer returned by strtok(cmd, ":")
  would always point to cmd. However, strtok(str, sep) != str if str
  begins with sep. This caused an invalid-free crash when running
  a program under X with a name beginning with a colon.
  
  Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=104123
  Signed-off-by: Tomasz Śniatowski <kailoran@gmail.com>
  Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
  (cherry picked from commit 6883ae43eb72fe4e2651c1dca209563323fad2db)
  

• c70d8e55
  by Adam Jackson at 2017-12-20T15:20:43-05:00

  composite: Remove a misleading comment
  
  This comment is above compIsAlternateVisual, which used to be the only
  thing determining whether implicit redirect was needed. It's not anymore
  due to the redirection exception list. That job is now performed by
  compImplicitRedirect, whose code is self-explanitory.
  
  Reviewed-by: Eric Anholt <eric@anholt.net>
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit bccbaf7c113b1300071601879002682ebbe8b1c1)
  

• 06d1c83d
  by Adam Jackson at 2017-12-20T15:20:43-05:00

  composite: Export compIsAlternateVisual
  
  Reviewed-by: Eric Anholt <eric@anholt.net>
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit ef2345aaa28461a76f77c65240ce5facc180f98e)
  

• 0a73e7bf
  by Adam Jackson at 2017-12-20T15:20:43-05:00

  composite: Make compIsAlternateVisual safe even if Composite is off
  
  As of ea483af9 we're calling this unconditionally from the GLX code so
  the synthetic visual is in a lower select group. If Composite has been
  disabled then GetCompScreen() will return NULL, and this would crash.
  
  Rather than force the caller to check first, just always return FALSE if
  Composite is disabled (which is correct, since none of the visuals will
  be synthetic in that case).
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
  (cherry picked from commit f80119120c487581ac050ce741808f7c8f438f35)
  

• 4c64b20a
  by Adam Jackson at 2017-12-20T15:20:43-05:00

  glx: Send GLX_VISUAL_SELECT_GROUP_SGIX attribute for visuals
  
  We already send this for fbconfigs. Mesa happens to implement
  glXChooseVisual relative to the fbconfig data, but that might not be
  true of NVIDIA's libGL.
  
  Reviewed-by: Eric Anholt <eric@anholt.net>
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 43efaa6e4fd903229dc9c508da4177ad4bbdd4d8)
  

• c64bd21d
  by Adam Jackson at 2017-12-20T15:20:43-05:00

  glx: Move Composite's synthetic visuals to a different select group
  
  Should you find yourself using a 16bpp display while also using a
  compositor, you poor soul, you may find that your GLX applications
  behave strangely; in particular, glxgears will be transparent. This is
  because it clears to (0,0,0,0) which is transparent if you honor alpha,
  and it will choose the synthetic visual because it has the most
  available r/g/b bits.
  
  To avoid this, bump synthetic visuals to a higher (less-preferred)
  select group. Unless the client explicitly asks for non-zero alpha bits,
  this will prefer any rgb565 visual ahead of the argb8888 visual.
  
  Reviewed-by: Eric Anholt <eric@anholt.net>
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit ea483af99a6351323afe00a0b630cd63310efdb1)
  

• 1726badd
  by Thomas Hellstrom at 2017-12-20T15:20:43-05:00

  glx: Work around a GLX_OML swap method in older dri drivers
  
  The swapMethod config member would typically contain an arbitrary value
  on older dri drivers. Fix this so that if we detect an illegal value,
  return GLX_SWAP_UNDEFINED_OML.
  
  Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 0fc26310d5b09213c65f50bde444a1758172b016)
  

• 22b0880d
  by Thomas Hellstrom at 2017-12-20T15:20:43-05:00

  glx: Fix visual fbconfig matching with respect to swap method
  
  For the built in visuals, we'd typically select the "best" fbconfig
  without considering the swap method. If the client then requests a
  specific swap method, say GLX_SWAP_COPY_OML, it may well happen that the
  first fbconfig matching requirements would have been paired with the 32-bit
  compositing visual, and the client would render a potentially transparent
  window.
  
  Fix this so that we try to match fbconfigs with the same swap method to all
  built-in visuals. That would guarantee that selecting a specific swap-
  method would not influence the chance of getting a compositing visual.
  
  Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit 4486d199bd3bcb5b2b8ad9bc54eb11604d9bd653)
  

• 91c42093
  by Thomas Hellstrom at 2017-12-20T15:20:43-05:00

  glx: Duplicate relevant fbconfigs for compositing visuals
  
  Previously, before GLX_OML_swap_method was fixed, both the X server and
  client ignored the swapMethod fbconfig value, which meant that, if the dri
  driver thought it exposed more than one swapMethod, it actually just
  exported a duplicated set of fbconfigs. When fixing GLX_OML_swap_method
  and restricting the choice for built-in visuals to a single swap method
  that meant we didn't have that many fbconfigs to choose from when pairing
  the compositing visual with an fbconfig, resulting in the fbconfig paired
  with the compositing visual becoming too restrictive for some applications,
  (at least for kwin). This problem would also happen if the dri driver
  only exposed a single swap method to begin with.
  
  So, to make sure the compositing visual gets a good enough fbconfig,
  duplicate fbconfigs that are suitable for compositing visuals and make
  sure these duplicated fbconfigs can be used only by compositing visuals.
  For duplicated fbconfigs not paired with a compositing visual, construct
  new compositing visuals, making compositing clients able to choose visuals
  / fbconfig more adapted to their needs.
  
  This is in some sense equivalent to adding a new "TRUECOLOR_COMPOSITING"
  GLX visualtype.
  
  Fixes: 4486d199bd3b ("glx: Fix visual fbconfig matching with respect to
                        swap method")
  Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=102806
  Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
  Tested-By: Nick Sarnie <commendsarnex@gmail.com>
  Tested-by: Fredrik Höglund <fredrik@kde.org>
  Reviewed-by: Adam Jackson <ajax@redhat.com>
  (cherry picked from commit f84e59a4f474d22860bac8aec2947798a86db69b)
  

• ebfb06b1
  by Adam Jackson at 2017-12-20T15:20:43-05:00

  xserver 1.19.6
  
  Signed-off-by: Adam Jackson <ajax@redhat.com>
  

• 4405392d
  by Timo Aaltonen at 2018-01-18T12:54:52+02:00

  Merge branch 'upstream-unstable' into debian-unstable
  

• 9eb362a8
  by Timo Aaltonen at 2018-01-18T13:09:54+02:00

  update changelog
  

• e01fd54d
  by Timo Aaltonen at 2018-01-18T14:06:20+02:00

  07-glx-do-not-pick-srgb-config-for-32bit-rgba-visual.diff: Add a patch from upstream to fix potential issues with mesa git.
  

• 79d48c61
  by Timo Aaltonen at 2018-01-26T16:30:15+02:00

  release to unstable
  

• 2672d213
  by Timo Aaltonen at 2018-01-26T16:42:37+02:00

  sync with the archive
  

• 46029759
  by Timo Aaltonen at 2018-01-26T17:06:23+02:00

  Merge branch 'debian-unstable' into ubuntu
  

• b4af6384
  by Timo Aaltonen at 2018-01-26T17:18:38+02:00

  update changelog
  

• 9da8b4de
  by Timo Aaltonen at 2018-01-26T17:19:22+02:00

  XShmGetImage_fix_censoring.patch: Dropped, upstream.
  

• 6dc09988
  by Timo Aaltonen at 2018-01-26T17:20:03+02:00

  control: Merge fix: add dh-autoreconf back.
  

• 51c65e1e
  by Timo Aaltonen at 2018-01-26T17:28:06+02:00

  release to bionic
  

• d4cfc843
  by Timo Aaltonen at 2018-02-15T15:09:08+02:00

  improve-outputclass.diff: Backport commits from upstream to improve OutputClass to support options and overriding primary GPU.
  

• 35be6ad6
  by Timo Aaltonen at 2018-02-15T15:18:16+02:00

  191-Xorg-add-an-extra-module-path.patch, rules.flags: Drop adding extra-modules dir, not necessary anymore with outputclass additions.
  

• 5d933228
  by Timo Aaltonen at 2018-02-15T15:19:55+02:00

  105_nvidia_autodetect.patch: Dropped, obsolete now.
  

• 60f59c5b
  by Timo Aaltonen at 2018-02-15T15:29:30+02:00

  188_default_primary_to_first_busid.patch: Dropped, obsolete now.
  

30 changed files:

• Xext/panoramiX.c
• Xext/panoramiXprocs.c
• Xext/saver.c
• Xext/shm.c
• Xext/vidmode.c
• Xext/xres.c
• Xext/xvdisp.c
• Xi/sendexev.c
• Xi/xibarriers.c
• Xi/xichangehierarchy.c
• Xi/xiwarppointer.c
• composite/compositeext.h
• composite/compwindow.c
• config/udev.c
• configure.ac
• dbe/dbe.c
• debian/changelog
• debian/control
• + debian/patches/07-glx-do-not-pick-srgb-config-for-32bit-rgba-visual.diff
• − debian/patches/105_nvidia_autodetect.patch
• − debian/patches/188_default_primary_to_first_busid.patch
• − debian/patches/191-Xorg-add-an-extra-module-path.patch
• − debian/patches/CVE-2017-10971-1.patch
• − debian/patches/CVE-2017-10971-2.patch
• − debian/patches/CVE-2017-10971-3.patch
• − debian/patches/CVE-2017-10972.patch
• + debian/patches/improve-outputclass.diff
• debian/patches/series
• − debian/patches/sync-i965-ids.diff
• − debian/patches/xwayland-add-grab-protocol-support.diff

The diff was not included because it is too large.

—
View it on GitLab.
You're receiving this email because of your account on salsa.debian.org. If you'd like to receive fewer emails, you can adjust your notification settings.