-
f54647df
by Willem Jan Palenstijn at 2024-04-05T13:46:40+10:00
mi: fix rounding issues around zero in miPointerSetPosition
Fixes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/577
This patch replaces the instances of trunc in miPointerSetPosition by
floor, thereby removing the incorrect behaviour with subpixel pointer
locations between -1 and 0.
This is the relevant code fragment:
    /* In the event we actually change screen or we get confined, we just
     * drop the float component on the floor
     * FIXME: only drop remainder for ConstrainCursorHarder, not for screen
     * crossings */
    if (x != trunc(*screenx))
        *screenx = x;
    if (y != trunc(*screeny))
        *screeny = y;
The behaviour of this code does not match its comment for subpixel
coordinates between -1 and 0. For example, if *screenx is -0.5, the
preceding code would (correctly) clamp x to 0, but this would not be
detected by this condition, since 0 == trunc(-0.5), leaving *screenx
at -0.5, out of bounds.
This causes undesirable behaviour in GTK3 code using xi2, where negative
subpixel coordinates like this would (to all appearances randomly)
remove the focus from windows aligned with the zero boundary when the
mouse hits the left or top screen boundaries.
The other occurrences of trunc in miPointerSetPosition have a more subtle
effect which would prevent proper clamping if there is a pointer limit
at a negative integer rather than at 0. This patch changes these to
floor for consistency.
Signed-off-by: Willem Jan Palenstijn <wjp@usecode.org>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1451>
(cherry picked from commit 0ee4ed286ea238e2ba2ca57227c3e66aca11f56b)
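The trunc/floor difference described in the commit above, as an added example that is not part of the commit or of the xserver sources. `set_axis`, `with_trunc`, `with_floor` and the screen limits are hypothetical names and constructed values; the clamp is a one-axis simplification of what miPointerSetPosition does.

```c
#include <stdio.h>

/* Local stand-ins for trunc()/floor() so the file builds without libm. */
static double trunc_d(double v) { return (double)(long)v; }
static double floor_d(double v) { double t = trunc_d(v); return t > v ? t - 1.0 : t; }

/* Simplified model of one axis (not xserver code): take the integer pixel
 * with `to_pixel`, clamp it to [min, max], and drop the subpixel part of
 * the position only if clamping changed the pixel. */
double set_axis(double screen, int min, int max, double (*to_pixel)(double))
{
    int x = (int)to_pixel(screen);
    if (x < min) x = min;
    if (x > max) x = max;
    if (x != to_pixel(screen))   /* the comparison the commit changes */
        screen = x;
    return screen;
}

double with_trunc(double s, int min, int max) { return set_axis(s, min, max, trunc_d); }
double with_floor(double s, int min, int max) { return set_axis(s, min, max, floor_d); }

int main(void)
{
    /* Constructed inputs: a screen edge at 0 and a pointer limit at -100. */
    printf("edge 0:    trunc %.1f  floor %.1f\n",
           with_trunc(-0.5, 0, 1919), with_floor(-0.5, 0, 1919));
    printf("edge -100: trunc %.1f  floor %.1f\n",
           with_trunc(-100.5, -100, 100), with_floor(-100.5, -100, 100));
    return 0;
}
```

With trunc, both out-of-bounds positions come back unchanged because the truncated pixel already sits on the limit; with floor the pixel lands one below the limit, the clamp is detected, and the subpixel part is dropped.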
-
b4ea6f9e
by Olivier Fourdan at 2024-04-09T09:26:21+02:00
render: Avoid possible double-free in ProcRenderAddGlyphs()
ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and
then frees it using FreeGlyph() to decrease the reference count, after
AddGlyph() has increased it.
AddGlyph() however may choose to reuse an existing glyph if it's already
in the glyphSet, and free the glyph that was given, in which case the
caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an
already freed glyph, as reported by ASan:
READ of size 4 thread T0
#0 in FreeGlyph xserver/render/glyph.c:252
#1 in ProcRenderAddGlyphs xserver/render/render.c:1174
#2 in Dispatch xserver/dix/dispatch.c:546
#3 in dix_main xserver/dix/main.c:271
#4 in main xserver/dix/stubmain.c:34
#5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#6 in __libc_start_main_impl ../csu/libc-start.c:360
#7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
#0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
#1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
#2 in AddGlyph xserver/render/glyph.c:295
#3 in ProcRenderAddGlyphs xserver/render/render.c:1173
#4 in Dispatch xserver/dix/dispatch.c:546
#5 in dix_main xserver/dix/main.c:271
#6 in main xserver/dix/stubmain.c:34
#7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
#1 in AllocateGlyph xserver/render/glyph.c:355
#2 in ProcRenderAddGlyphs xserver/render/render.c:1085
#3 in Dispatch xserver/dix/dispatch.c:546
#4 in dix_main xserver/dix/main.c:271
#5 in main xserver/dix/stubmain.c:34
#6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph
To avoid that, make sure not to free the given glyph in AddGlyph().
v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)
Fixes: bdca6c3d1 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
(cherry picked from commit 337d8d48b618d4fc0168a7b978be4c3447650b04)
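The ownership problem described in the commit above, as an added example that is not part of the commit or of the xserver sources. It is a toy model: `alloc_glyph`, `add_glyph`, `free_glyph`, the pool and the hash value are hypothetical, the caller is assumed to hold one reference of its own, and a release is recorded as a flag so the second free can be counted rather than corrupting the heap.

```c
#include <stdio.h>
/* Toy model, not xserver code: glyphs live in a fixed pool so a second
 * release can be counted instead of corrupting the heap. */
typedef struct { int in_use, refcnt; unsigned hash; } Glyph;
static Glyph pool[4];
static int next_free, stale_frees;  /* bump index; frees that hit a released glyph */
static Glyph *set_slot;             /* one-entry "glyph set" */

static Glyph *alloc_glyph(unsigned hash)
{
    Glyph *g = &pool[next_free++];
    *g = (Glyph){ 1, 1, hash };               /* caller holds one reference */
    return g;
}

static void free_glyph(Glyph *g)              /* drop one reference */
{
    if (!g->in_use) { stale_frees++; return; } /* the case ASan reported */
    if (--g->refcnt == 0) g->in_use = 0;
}

/* free_given = 1 models the old AddGlyph(), 0 the patched one. */
static void add_glyph(Glyph *g, int free_given)
{
    if (set_slot && set_slot != g && set_slot->hash == g->hash) {
        if (free_given) g->in_use = 0;        /* duplicate released here */
        g = set_slot;                         /* reuse the existing glyph */
    }
    g->refcnt++;                              /* reference held by the set */
    set_slot = g;
}

/* Upload the same glyph twice; return how many frees hit a released glyph. */
int stale_frees_after_duplicate(int free_given)
{
    next_free = 0; set_slot = NULL; stale_frees = 0;
    for (int i = 0; i < 2; i++) {
        Glyph *g = alloc_glyph(0xabcd);       /* constructed hash value */
        add_glyph(g, free_given);
        free_glyph(g);                        /* caller drops its reference */
    }
    return stale_frees;
}

int main(void)
{
    printf("old: %d, patched: %d\n", stale_frees_after_duplicate(1), stale_frees_after_duplicate(0));
    return 0;
}
```

In the patched variant the duplicate is released exactly once, by the caller that allocated it, which is the single-owner rule the v3 change settles on.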
-
be276784
by Matt Turner at 2024-04-12T13:09:23-04:00
xserver 21.1.13
Signed-off-by: Matt Turner <mattst88@gmail.com>
-
8407181c
by José Expósito at 2024-05-12T08:00:00+00:00
ephyr: Fix incompatible pointer type build error
Fix a compilation error on 32 bits architectures with gcc 14:
ephyr_glamor_xv.c: In function ‘ephyr_glamor_xv_init’:
ephyr_glamor_xv.c:154:31: error: assignment to ‘SetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int, void *)’} [-Wincompatible-pointer-types]
154 | adaptor->SetPortAttribute = ephyr_glamor_xv_set_port_attribute;
| ^
ephyr_glamor_xv.c:155:31: error: assignment to ‘GetPortAttributeFuncPtr’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, int *, void *)’} from incompatible pointer type ‘int (*)(KdScreenInfo *, Atom, INT32 *, void *)’ {aka ‘int (*)(struct _KdScreenInfo *, long unsigned int, long int *, void *)’} [-Wincompatible-pointer-types]
155 | adaptor->GetPortAttribute = ephyr_glamor_xv_get_port_attribute;
| ^
Build error logs:
https://koji.fedoraproject.org/koji/taskinfo?taskID=111964273
Signed-off-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit e89edec497bac581ca9b614fb00c25365580f045)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1532>
-
68129d73
by Olivier Fourdan at 2024-07-23T17:16:15+02:00
build: Drop libxcvt requirement from SDK_REQUIRED_MODULES
The SDK does not need libxcvt, only Xorg and Xwayland do.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1721
Fixes: a4ab57cb7 - build: Add dependency on libxcvt
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1618>
-
b08cb814
by Enrico Weigelt, metux IT consult at 2024-08-23T13:31:35+02:00
Xnest: cursor: fix potentially uninitialized memory
It's safer to zero-out the cursor-private memory on allocation,
instead of relying on it being cleared/initialized somewhere later.
Fixes: 3f3ff971ec - Replace X-allocation functions with their C89 counterparts
Backport-Of: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1652
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1653>
-
03bbf4b1
by Alexey at 2024-09-01T19:30:28+00:00
Fixed mirrored glyphs on big-endian machines
(cherry picked from commit 4cf89222701d73d46c098be9fcc8d9eb6d96f885)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1605>
-
408432fb
by Konstantin at 2024-10-10T21:48:33+00:00
glamor: make use of GL_EXT_texture_format_BGRA8888
For 24 and 32 bit depth pictures xserver uses PICT_x8r8g8b8 and PICT_a8r8g8b8 formats,
which must be backed with GL_BGRA format. It is present in OpenGL ES 2.0 only with
GL_EXT_texture_format_BGRA8888 extension. We require such extension in glamor_init,
so why not make use of it?
Fixes #1208
Fixes #1354
Signed-off-by: Konstantin Pugin <ria.freelander@gmail.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Emma Anholt <emma@anholt.net>
(cherry picked from commit 24cd5f34f8edcc6621ed9c0f2b1a3df08de7488d)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1546>
-
111dc705
by Peter Hutterer at 2024-10-11T00:18:05+00:00
dix: fix valuator copy/paste error in the DeviceStateNotify event
Fixes 219c54b8a3337456ce5270ded6a67bcde53553d5
(cherry picked from commit 133e0d651c5d12bf01999d6289e84e224ba77adc)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
02e66395
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: check for calloc() failure in Xi event conversion routines
Clears up 12 -Wanalyzer-possible-null-dereference warnings from gcc 14.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 25762834c9a5da3a7c672d89a7da73297252d905)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
f9a5bc65
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: PolyText: fully initialize local_closure
Clears warning from gcc 14.1:
../dix/dixfonts.c:1352:15: warning: use of uninitialized value ‘*c.data’
[CWE-457] [-Wanalyzer-use-of-uninitialized-value]
1352 | free(c->data);
| ~^~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit d78836a3a6b827a282957c48898f9ba4cb0dbcf5)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
0f10584e
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: SetFontPath: don't set errorValue on Success
Clears warning from gcc 14.1:
../dix/dixfonts.c: In function ‘SetFontPath’:
../dix/dixfonts.c:1697:28: warning: use of uninitialized value ‘bad’
[CWE-457] [-Wanalyzer-use-of-uninitialized-value]
1697 | client->errorValue = bad;
| ~~~~~~~~~~~~~~~~~~~^~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 1a86fba0d9ae2e107e3ed23519ab3b84d2e5240e)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
abaf3c6f
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: enterleave.c: fix implicit fallthrough warnings
Clears 7 -Wimplicit-fallthrough warnings from gcc 14.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 0cb826e3d0fd366914c34ab18e5917930f6695b4)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
6cefa3a5
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: CreateScratchGC: avoid dereference of pointer we just set to NULL
Clears warning from gcc 14.1:
../dix/gc.c: In function ‘CreateScratchGC’:
../dix/gc.c:818:28: warning: dereference of NULL ‘pGC’
[CWE-476] [-Wanalyzer-null-dereference]
818 | pGC->graphicsExposures = FALSE;
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 7ee3a520184b355820923bc7a955d0834eb8afbd)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
3bca0f56
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: InitPredictableAccelerationScheme: avoid memory leak on failure
Clears warning from gcc 14.1:
../dix/ptrveloc.c: In function ‘InitPredictableAccelerationScheme’:
../dix/ptrveloc.c:149:9: warning: leak of ‘<unknown>’
[CWE-401] [-Wanalyzer-malloc-leak]
149 | free(vel);
| ^~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 462d13c2f6dc25adea1f19e6b621f97b997236af)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
83a9950d
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: dixChangeWindowProperty: don't call memcpy if malloc failed
It shouldn't matter, since it would have a length of 0, but it
clears warnings from gcc 14.1:
../dix/property.c: In function ‘dixChangeWindowProperty’:
../dix/property.c:287:9: warning: use of possibly-NULL ‘data’ where
non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
287 | memcpy(data, value, totalSize);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../dix/property.c:324:13: warning: use of possibly-NULL ‘data’ where
non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
324 | memcpy(data, value, totalSize);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 10cafd0bbebfbb92c4e73088ba168ef96fcb983c)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
f12dd243
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: ProcListProperties: skip unneeded work if numProps is 0
No real harm, but clears warning from gcc 14.1:
../dix/property.c: In function ‘ProcListProperties’:
..//dix/property.c:605:27: warning: dereference of NULL ‘temppAtoms’
[CWE-476] [-Wanalyzer-null-dereference]
605 | *temppAtoms++ = pProp->propertyName;
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 39f337fd497d6fd95efaae9ff5a62d60b49e16aa)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
65644c32
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: HashResourceID: use unsigned integers for bit shifting
Clears warning from gcc 14.1:
../dix/resource.c: In function ‘HashResourceID’:
../dix/resource.c:691:44: warning: left shift of negative value
[-Wshift-negative-value]
691 | return (id ^ (id >> numBits)) & ~((~0) << numBits);
| ^~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 26a7ab09eae24fda6cbf51e03f974c7572e80e69)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
52813e32
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: GetPairedDevice: check if GetMaster returned NULL
Clears warning from gcc 14.1:
../dix/devices.c: In function ‘GetPairedDevice’:
../dix/devices.c:2734:15: warning: dereference of NULL ‘dev’
[CWE-476] [-Wanalyzer-null-dereference]
2734 | return dev->spriteInfo? dev->spriteInfo->paired: NULL;
| ~~~^~~~~~~~~~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit e6fc0861d8016ab31536329acac6d6de4bc64164)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
00d0eba8
by Alan Coopersmith at 2024-10-11T00:18:05+00:00
dix: FindBestPixel: fix implicit fallthrough warning
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9c9e1afeb277030380daa9b22f88b05e1af783a0)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1717>
-
9d310679
by Enrico Weigelt, metux IT consult at 2024-10-12T00:46:34+00:00
Xnest: fix broken exposure events
Xnest fails to properly pass through expose events: the coordinates are
miscalculated in xnestCollectExposures(), before miSendExposures() is called.
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1735
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/132
Fixes: 605e6764df - Fix Motif menu drawing in Xnest
Backport-Of: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1397
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1651>
-
5f9cac4c
by Matthieu Herrb at 2024-10-22T21:07:14+00:00
Don't crash if the client argv or argv[0] is NULL.
Report from bauerm at pestilenz dot org.
(cherry picked from commit a8512146ba9f475a384a35337f51c7730ba7b4ce)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
-
4adb5d58
by Matthieu Herrb at 2024-10-22T21:07:14+00:00
Return NULL in *cmdname if the client argv or argv[0] is NULL
(cherry picked from commit 59f5445a7ff3ee1468d86f03943c976c790c0893)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
-
e3e14369
by Matthieu Herrb at 2024-10-22T21:07:14+00:00
Fix a double-free on syntax error without a new line.
    $ echo "#foo\nfoo" > custom_config
    $ X -config custom_config
will trigger the double free because the contents of xf86_lex_val.str
have been realloc()ed already when free is called in read.c:209.
This copies the lex token and adds all the necessary free() calls to
avoid leaking it.
(cherry picked from commit fbc034e847a3862a0a28e5872135a3c502da6518)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1719>
-
ba1d14f8
by Matthieu Herrb at 2024-10-29T16:24:59+01:00
xkb: Fix buffer overflow in _XkbSetCompatMap()
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, it didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
CVE-2024-9632, ZDI-CAN-24756
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
(cherry picked from commit 85b776571487f52e756f68a069c768757369bfe3)
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1734>
-
b25ad9b8
by José Expósito at 2024-10-29T16:41:13+01:00
xserver 21.1.14
Signed-off-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1734>