Hello community,

here is the log from the commit of package xorg-x11-server for openSUSE:Factory
checked in at Fri Mar 18 09:51:13 CET 2011.



--------
--- xorg-x11-server/xorg-x11-server.changes     2011-02-26 11:57:51.000000000 
+0100
+++ /mounts/work_src_done/STABLE/xorg-x11-server/xorg-x11-server.changes        
2011-03-17 18:02:04.000000000 +0100
@@ -1,0 +2,14 @@
+Thu Mar 17 16:55:16 UTC 2011 - [email protected]
+
+- Replace-malloc-with-calloc-to-initialize-the-buffers.patch
+  * Replace malloc with calloc to initialize the buffers[] as NULL
+    in do_get_buffers function (bnc #673595)
+
+-------------------------------------------------------------------
+Thu Mar 17 13:35:55 UTC 2011 - [email protected]
+
+- record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+  * record: avoid crash when calling RecordFlushReplyBuffer
+    recursively (bnc #673575) 
+
+-------------------------------------------------------------------

calling whatdependson for head-i586


New:
----
  Replace-malloc-with-calloc-to-initialize-the-buffers.patch
  record-avoid-crash-when-calling-RecordFlushReplyBuff.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xorg-x11-server.spec ++++++
--- /var/tmp/diff_new_pack.lOJAvN/_old  2011-03-18 09:48:51.000000000 +0100
+++ /var/tmp/diff_new_pack.lOJAvN/_new  2011-03-18 09:48:51.000000000 +0100
@@ -32,7 +32,7 @@
 %endif
 Url:            http://xorg.freedesktop.org/
 Version:        7.6_%{dirsuffix}
-Release:        18
+Release:        19
 License:        GPLv2+ ; MIT License (or similar)
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Group:          System/X11/Servers/XF86_4
@@ -122,6 +122,8 @@
 Patch223:       use-last-screen.patch
 Patch224:       pad-size-of-system-memory-copy-for-1x1-pixmaps
 Patch225:       xorg-server-stop-cpu-eating.diff
+Patch226:       record-avoid-crash-when-calling-RecordFlushReplyBuff.patch
+Patch227:       Replace-malloc-with-calloc-to-initialize-the-buffers.patch
 %if %moblin
 Patch300:       moblin-use_preferred_mode_for_all_outputs.diff
 %endif
@@ -255,6 +257,8 @@
 %patch223 -p1
 %patch224 -p1
 %patch225 -p1
+%patch226 -p1
+%patch227 -p1
 %if %moblin
 %patch300 -p1
 %endif

++++++ Replace-malloc-with-calloc-to-initialize-the-buffers.patch ++++++
>From a73c28f0bdafb1c5cb8129179188a99c0ca052e2 Mon Sep 17 00:00:00 2001
From: Justin Dou <[email protected]>
Date: Thu, 10 Feb 2011 16:27:29 -0500
Subject: [PATCH] Replace malloc with calloc to initialize the buffers[] as NULL 
in do_get_buffers function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The call to allocate_or_reuse_buffer may fail for some reason, e.g. out 
of memory.
If the buffers[] were not initialized to NULL, the following err_out may try 
to access illegal memory, which will cause X to crash afterward.

Reviewed-by: Kristian Høgsberg <[email protected]>
Signed-off-by: Justin Dou <[email protected]>
Signed-off-by: Keith Packard <[email protected]>
---
 hw/xfree86/dri2/dri2.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
index 39996f9..9ca378f 100644
--- a/hw/xfree86/dri2/dri2.c
+++ b/hw/xfree86/dri2/dri2.c
@@ -403,7 +403,7 @@ do_get_buffers(DrawablePtr pDraw, int *width, int *height,
        && (pDraw->height == pPriv->height)
        && (pPriv->serialNumber == DRI2DrawableSerial(pDraw));
 
-    buffers = malloc((count + 1) * sizeof(buffers[0]));
+    buffers = calloc((count + 1), sizeof(buffers[0]));
 
     for (i = 0; i < count; i++) {
        const unsigned attachment = *(attachments++);
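
Review bot: the calloc() result is used without a NULL check between the allocation and the for loop in the lines shown, so the out-of-memory case the commit message names for allocate_or_reuse_buffer is still unhandled for the buffers array itself. Suggest returning an error right after the allocation when buffers is NULL. The fix also makes the err_out cleanup depend on unfilled slots being NULL; a short comment at the calloc() line saying so would stop a later change from reverting it to malloc().
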
-- 
1.7.4.1

++++++ record-avoid-crash-when-calling-RecordFlushReplyBuff.patch ++++++
>From 0801afbd7c2c644c672b37f8463f1a0cbadebd2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erkki=20Sepp=C3=A4l=C3=A4?= <[email protected]>
Date: Thu, 10 Feb 2011 15:35:14 +0200
Subject: [PATCH] record: avoid crash when calling RecordFlushReplyBuffer 
recursively
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RecordFlushReplyBuffer can call itself recursively through
WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts
when the recording client's buffer cannot be completely emptied in one
WriteClient. When such a recursion occurs, it will not be broken out
of which results in segmentation fault when the stack is exhausted.

This patch adds a counter (a flag, really) that guards against this
situation, to break out of the recursion.

One alternative to this change would be to change _CallCallbacks to
check the corresponding counter before the callback loop, but that
might affect existing behavior, which may be relied upon.

Reviewed-by: Rami Ylimäki <[email protected]>
Signed-off-by: Erkki Seppälä <[email protected]>
Signed-off-by: Keith Packard <[email protected]>
---
 record/record.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/record/record.c b/record/record.c
index 6a93d7a..facaebb 100644
--- a/record/record.c
+++ b/record/record.c
@@ -77,6 +77,7 @@ typedef struct {
     char       bufCategory;       /* category of protocol in replyBuffer */
     int                numBufBytes;       /* number of bytes in replyBuffer */
     char       replyBuffer[REPLY_BUF_SIZE]; /* buffered recorded protocol */
+    int                inFlush;           /*  are we inside 
RecordFlushReplyBuffer */
 } RecordContextRec, *RecordContextPtr;
 
 /*  RecordMinorOpRec - to hold minor opcode selections for extension requests
@@ -245,8 +246,9 @@ RecordFlushReplyBuffer(
     int len2
 )
 {
-    if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone) 
+    if (!pContext->pRecordingClient || pContext->pRecordingClient->clientGone 
|| pContext->inFlush)
        return;
+    ++pContext->inFlush;
     if (pContext->numBufBytes)
        WriteToClient(pContext->pRecordingClient, pContext->numBufBytes,
                      (char *)pContext->replyBuffer);
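
Review bot: the added "|| pContext->inFlush" test returns before any WriteToClient call, so a re-entrant call that passes non-empty data1 or data2 drops that payload without any indication. If the nested path only ever flushes the buffer with empty data arguments, say so in a comment next to the guard; otherwise the nested data needs to be kept for the outer call to send. The condition line is also long enough that splitting it over two lines would help readability.
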
@@ -255,6 +257,7 @@ RecordFlushReplyBuffer(
        WriteToClient(pContext->pRecordingClient, len1, (char *)data1);
     if (len2)
        WriteToClient(pContext->pRecordingClient, len2, (char *)data2);
+    --pContext->inFlush;
 } /* RecordFlushReplyBuffer */
 
 
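
Review bot: the "--pContext->inFlush" at the end of the function stays balanced with the "++" only while no return is added between them; any later early exit inside that region would leave the flag set and silently disable flushing for this context. Since the guard keeps the value at 0 or 1 and the commit message calls it "a flag, really", assigning 1 and 0 explicitly (or funnelling exits through a single label that clears it) would make the invariant obvious.
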
@@ -1938,6 +1941,7 @@ ProcRecordCreateContext(ClientPtr client)
     pContext->numBufBytes = 0;
     pContext->pBufClient = NULL;
     pContext->continuedReply = 0;
+    pContext->inFlush = 0;
 
     err = RecordRegisterClients(pContext, client,
                                (xRecordRegisterClientsReq *)stuff);
-- 
1.7.4.1


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
