8f61533...
by
Olivier Fourdan <email address hidden>
xkb: Check strings length against request size
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
Signed-off-by: Olivier Fourdan <email address hidden>
Reviewed-by: Peter Hutterer <email address hidden>
Signed-off-by: Peter Hutterer <email address hidden>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <email address hidden>
747cea1...
by
Olivier Fourdan <email address hidden>
xkb: Don't swap XkbSetGeometry data in the input buffer
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
Signed-off-by: Olivier Fourdan <email address hidden>
Signed-off-by: Peter Hutterer <email address hidden>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <email address hidden>
As a DDX may declare offload support without supporting DRI2
(because it is using an alternative acceleration mechanism like DRI3),
when iterating the list of offload_source Screens to find a matching
DRI2 provider we need to check before assuming it is DRI2 capable.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=88514
Signed-off-by: Chris Wilson <email address hidden>
Reviewed-by: Dave Airlie <email address hidden>
Signed-off-by: Keith Packard <email address hidden>
(cherry picked from commit 082931014811e587a9734cbf4d88fd948979b641)
commit 97015a07b9e15d8ec5608b95d95ec0eb51202acb
Author: Alan Coopersmith <email address hidden>
Date: Wed Jan 22 22:37:15 2014 -0800
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
offended the C++ demons:
../../include/regionstr.h:147:45: error: invalid conversion from 'void*' to
'pixman_region16_data_t* {aka pixman_region16_data*}' [-fpermissive]
Normally this isn't a problem, because around here we have the sense and
common decency to not use C++, but this does make tigervnc fail to build,
which is a little rude of us.
Signed-off-by: Adam Jackson <email address hidden>
Reviewed-by: Alan Coopersmith <email address hidden>
Signed-off-by: Keith Packard <email address hidden>
(cherry picked from commit bb23fbf5bb278113c9c481875423b4d128180972)
config/udev: Respect seat assignments when assigned devices
Jonathan Dieter posted a few patches to do this inside the Xorg
server but it makes no sense to do it there, just have the code
we use to probe the device list at startup check seat assignments
using the same code we check at hotplug time.
Bugilla: https://bugzilla.redhat.com/show_bug.cgi?id=1183654
Reviewed-by: Peter Hutterer <email address hidden>
Acked-by: Hans de Goede <email address hidden>
Tested-by: Jonathan Dieter <email address hidden>
Signed-off-by: Dave Airlie <email address hidden>
Signed-off-by: Keith Packard <email address hidden>
(cherry picked from commit 697b696e5e24d0679f133183a3bb0852025377c2)
randr: attempt to fix primary on slave output (v2)
If the user wants to set one of the slave devices as
the primary output, we shouldn't fail to do so,
we were returning BadMatch which was tripping up
gnome-settings-daemon and bad things ensues.
Fix all the places we use primaryOutput to work
out primaryCrtc and take it into a/c when slave
gpus are in use.
v2: review from Aaron, fix indent, unhide has_primary from
macro. I left the int vs Bool alone to be consistent with
code below, a future patch could fix both.
Signed-off-by: Dave Airlie <email address hidden>
Reviewed-by: Aaron Plattner <email address hidden>
Signed-off-by: Keith Packard <email address hidden>
(cherry picked from commit df1b401f57ad4b4925bad66684445b476562f26f)
The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.
Signed-off-by: Keith Packard <email address hidden>
Reviewed-by: Alan Coopersmith <email address hidden>
(cherry picked from commit dc777c346d5d452a53b13b917c45f6a1bad2f20b)
Signed-off-by: Julien Cristau <email address hidden>
