 Xext/xace.c                     |  170 +++++++++++++++++----------------------
 doc/Xserver.man.pre             |   26 ++----
 exa/exa_classic.c               |    3
 fb/fbbits.h                     |    2
 hw/xfree86/common/xf86RandR.c   |    4
 hw/xfree86/ddc/interpret_edid.c |    2
 hw/xfree86/parser/Input.c       |    7 +
 os/access.c                     |   14 ++-
 render/render.c                 |    8 +
 xkb/xkbUtils.c                  |    4
 10 files changed, 114 insertions(+), 126 deletions(-)
New commits: commit 4c313472c45de171efb76231e7c7f323aa4eda3f Author: Alan Coopersmith <[email protected]> Date: Thu May 20 17:56:26 2010 -0700 Xserver(1) man page updates - Note that -br is now default. - Move -bs after -br for alphabetical ordering. - Remove -config option that's been hidden in "ignore" section, since ajax removed the -config code a couple years back. - Add -nocursor option. - Add xinput & xrandr to list of runtime server control programs - Replace XDarwin with Xquartz in list of Xservers Signed-off-by: Alan Coopersmith <[email protected]> Reviewed-by: Adam Jackson <[email protected]> Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 7b09335a46f9428141811230c69eef7968531359) diff --git a/doc/Xserver.man.pre b/doc/Xserver.man.pre index 6154191..d225c26 100644 --- a/doc/Xserver.man.pre +++ b/doc/Xserver.man.pre @@ -100,12 +100,12 @@ specifies a file which contains a collection of authorization records used to authenticate access. See also the \fIxdm\fP(1) and \fIXsecurity\fP(__miscmansuffix__) manual pages. .TP 8 -.B \-bs -disables backing store support on all screens. -.TP 8 .B \-br sets the default root window to solid black instead of the standard root weave -pattern. +pattern. This is the default unless -retro or -wr is specified. +.TP 8 +.B \-bs +disables backing store support on all screens. .TP 8 .B \-c turns off key-click. 
@@ -117,17 +117,6 @@ sets key-click volume (allowable range: 0-100). sets the visual class for the root window of color screens. The class numbers are as specified in the X protocol. Not obeyed by all servers. -.ig -.TP 8 -.B \-config \fIfilename\fP -reads more options from the given file. Options in the file may be separated -by newlines if desired. If a '#' character appears on a line, all characters -between it and the next newline are ignored, providing a simple commenting -facility. The \fB\-config\fP option itself may appear in the file. -.BR NOTE : -This option is disabled when the Xserver is run with an effective uid -different from the user's real uid. -.. .TP 8 .B \-core causes the server to generate a core dump on fatal errors. @@ -184,6 +173,9 @@ sets the maximum big request to .I size MB. .TP 8 +.B \-nocursor +disable the display of the pointer cursor. +.TP 8 .B \-nolisten \fItrans-type\fP disables a transport type. For example, TCP/IP connections can be disabled with 
@@ -584,11 +576,11 @@ Security: \fIXsecurity\fP(__miscmansuffix__), \fIxauth\fP(1), \fIXau\fP(1), Starting the server: \fIstartx\fP(1), \fIxdm\fP(1), \fIxinit\fP(1) .PP Controlling the server once started: \fIxset\fP(1), \fIxsetroot\fP(1), -\fIxhost\fP(1) +\fIxhost\fP(1), \fIxinput\fP(1), \fIxrandr\fP(1) .PP Server-specific man pages: \fIXorg\fP(1), \fIXdmx\fP(1), \fIXephyr\fP(1), \fIXnest\fP(1), -\fIXvfb\fP(1), \fIXDarwin\fP(1), \fIXWin\fP(1). +\fIXvfb\fP(1), \fIXquartz\fP(1), \fIXWin\fP(1). .PP Server internal documentation: .I "Definition of the Porting Layer for the X v11 Sample Server" commit 7787526a715a3179085bdc70110f5102a02706e3 Author: Simon Farnsworth <[email protected]> Date: Tue Jun 22 10:13:30 2010 +0100 Don't crash when asked if a client that has disconnected was local ProcDRI2Dispatch uses LocalClient to determine if it's safe to respond to a client that has made DRI2 requests which aren't sensible for remote clients (anything but version). When the client has disappeared mid-request stream (e.g. as a result of a kill -9, or a client-side bug), LocalClient causes the X server to follow suit, as ((OsCommPtr)client->osPrivate)->trans_conn is NULL at this point. The simple and obvious fix is to just return "not local" when trans_conn is NULL, which fixes the crash I was seeing; however Keith Packard pointed out that just checking trans_conn isn't enough; quoting Keith: "This looks almost right to me -- I reviewed the os code to see when _XSERVTransClose is called (which is what frees the trans_conn data) and found that every place which called that immediately set trans_conn to NULL, except for the call in CloseDownFileDescriptor which is only called from CloseDownConnection and which is immediately followed by freeing the OsCommRec and setting client->osPrivate to NULL. So, I'd suggest checking client->osPrivate in addition to the above check." Signed-off-by: Simon Farnsworth <[email protected]> Reviewed-by: Keith Packard <[email protected]> 
Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 660f6ab5494a728c3ca7ba00c305e9ff06c8ecb2) diff --git a/os/access.c b/os/access.c index 3572da0..859f32e 100644 --- a/os/access.c +++ b/os/access.c @@ -1123,6 +1123,11 @@ Bool LocalClient(ClientPtr client) pointer addr; register HOST *host; + if (!client->osPrivate) + return FALSE; + if (!((OsCommPtr)client->osPrivate)->trans_conn) + return FALSE; + if (!_XSERVTransGetPeerAddr (((OsCommPtr)client->osPrivate)->trans_conn, ¬used, &alen, &from)) { commit e1cf1e88bb527d48f7bdea5fc0091a1bd651acec Author: Alan Coopersmith <[email protected]> Date: Thu Apr 29 18:45:34 2010 -0700 Fix compiler issues with getifaddrs() call on OpenSolaris OpenSolaris recently added support for the getifaddrs() API. Building with that uncovered two compiler issues (one warning, one error) in the code that was now being built for the first time in our builds: "access.c", line 768: warning: argument #1 is incompatible with prototype: prototype: pointer to struct sockaddr {unsigned short sa_family, array[14] of char sa_data} : "access.c", line 213 argument : pointer to struct sockaddr_storage {unsigned short ss_family, array[6] of char _ss_pad1, double _ss_align, array[240] of char _ss_pad2} "access.c", line 838: assignment type mismatch: struct sockaddr {unsigned short sa_family, array[14] of char sa_data} "=" struct sockaddr_storage {unsigned short ss_family, array[6] of char _ss_pad1, double _ss_align, array[240] of char _ss_pad2} Signed-off-by: Alan Coopersmith <[email protected]> Reviewed-by: Jamey Sharp <[email protected]> (cherry picked from commit e42a29d269fadc11e065c63ee369e3165196f2d7) diff --git a/os/access.c b/os/access.c index 74c340a..3572da0 100644 --- a/os/access.c +++ b/os/access.c 
@@ -765,7 +765,8 @@ DefineSelf (int fd) continue; #endif /* DNETCONN */ len = sizeof(*(ifr->ifa_addr)); - family = ConvertAddr(ifr->ifa_addr, &len, (pointer *)&addr); + family = ConvertAddr((struct sockaddr *) ifr->ifa_addr, &len, + (pointer *)&addr); if (family == -1 || family == FamilyLocal) continue; #if defined(IPv6) && defined(AF_INET6) @@ -789,7 +790,6 @@ DefineSelf (int fd) } #ifdef XDMCP { - struct sockaddr broad_addr; /* * If this isn't an Internet Address, don't register it. */ @@ -835,11 +835,10 @@ DefineSelf (int fd) if ((ifr->ifa_flags & IFF_BROADCAST) && (ifr->ifa_flags & IFF_UP) && ifr->ifa_broadaddr) - broad_addr = *ifr->ifa_broadaddr; + XdmcpRegisterBroadcastAddress( + (struct sockaddr_in *) ifr->ifa_broadaddr); else continue; - XdmcpRegisterBroadcastAddress((struct sockaddr_in *) - &broad_addr); } #endif /* XDMCP */ commit c4717321c01678209ea5c7215d31556f6eadb798 Author: Jesse Adkins <[email protected]> Date: Wed Aug 4 23:39:14 2010 -0700 xfree86: parser: Never use constant strings for driver names (fixes #17438) When the parser sees the "keyboard" driver, it automatically (and silently) replaces it with the constant string "kbd". Everybody else uses malloc'd memory for the driver name, so input device closure assumes it can use free. Free val.str, so this crash doesn't turn into a memory leak. Whew. Signed-off-by: Jesse Adkins <[email protected]> Reviewed-by: Peter Hutterer <[email protected]> Signed-off-by: Peter Hutterer <[email protected]> (cherry picked from commit bce12f2956f23c0ee53f7f6485dba631293a0931) diff --git a/hw/xfree86/parser/Input.c b/hw/xfree86/parser/Input.c index 4e3c04e..953215b 100644 --- a/hw/xfree86/parser/Input.c +++ b/hw/xfree86/parser/Input.c @@ -59,6 +59,7 @@ #include <xorg-config.h> #endif +#include "os.h" #include "xf86Parser.h" #include "xf86tokens.h" #include "Configint.h" 
@@ -102,8 +103,10 @@ xf86parseInputSection (void) case DRIVER: if (xf86getSubToken (&(ptr->inp_comment)) != STRING) Error (QUOTE_MSG, "Driver"); - if (strcmp(val.str, "keyboard") == 0) - ptr->inp_driver = "kbd"; + if (strcmp(val.str, "keyboard") == 0) { + ptr->inp_driver = strdup("kbd"); + free(val.str); + } else ptr->inp_driver = val.str; break; commit 7c544986656713b5bbdb936bb7c3cb5a83d9f833 Author: Keith Packard <[email protected]> Date: Fri Aug 20 10:01:48 2010 -0700 fb: make isClipped always reject negative coordinates (bug 11503) A window with either dimension > 32767 can be positioned such that coordinates > 32767 are visible on the screen. Attempts to draw to those pixels will generate coordinates wrapped around to negative values. The optimized clipping macro, 'isClipped', in fbbits.h, computes clipping in window space rather than screen space using int16 values, and so it too has coordinates wrapped around to negative values and hence ends up accepting the wrapped drawing coordinates. Two possible fixes for this problem 1) Detect wrapped region coordinates and clip those to 32767. 2) Detect negative incoming coordinates and reject those This patch takes the second approach as it is much shorter, simply detecting when either X or Y incoming coordinate is negative, which can never be 'within' any drawable. Signed-off-by: Keith Packard <[email protected]> Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit 3e56efcfb63677cd8574e1e435e61d96f79ea536) diff --git a/fb/fbbits.h b/fb/fbbits.h index 44991f1..b8af785 100644 --- a/fb/fbbits.h +++ b/fb/fbbits.h 
@@ -25,7 +25,7 @@ * underlying datatypes instead of masks */ -#define isClipped(c,ul,lr) ((((c) - (ul)) | ((lr) - (c))) & 0x80008000) +#define isClipped(c,ul,lr) (((c) | ((c) - (ul)) | ((lr) - (c))) & 0x80008000) #ifdef HAVE_DIX_CONFIG_H #include <dix-config.h> commit f43e105ee8741c8be49a602b08752f2390f094f7 Author: Chris Wilson <[email protected]> Date: Fri Aug 20 13:51:04 2010 +0100 edid: Adjust rounding of max_clock A simple hack to accommodate various EDID who have detailed modes that exceed the EDID's max pixel clock. The pixel clock is only defined in units of 10MHz and often appears as the maximum pixel code of the detailed modes, rounded to the nearest 10MHz. Adjusting the max_clock to include an extra 5MHz prevents the parser from rejecting the detailed modes. The kernel uses the same fuzz and by including it in X we can use the same modes in X as for the console. Fixes: Bug 23833 - X uses different refresh rate to that set by kernel module https://bugs.freedesktop.org/show_bug.cgi?id=23833 In the future, we will want to try harder to keep the KMS modes but at the same time we need to apply the restrictions as specified by the user's configuration, and need to fill in modes for fullscreen games on fixed-mode panels. Reported-and-tested-by: Fabio Pedretti <[email protected]> Signed-off-by: Chris Wilson <[email protected]> Reviewed-by: Alex Deucher <[email protected]> Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 951605b4660290044fb238bcf1d6d9e498567e8c) diff --git a/hw/xfree86/ddc/interpret_edid.c b/hw/xfree86/ddc/interpret_edid.c index 12a5254..f48ed52 100644 --- a/hw/xfree86/ddc/interpret_edid.c +++ b/hw/xfree86/ddc/interpret_edid.c 
@@ -385,7 +385,7 @@ get_monitor_ranges(Uchar *c, struct monitor_ranges *r) r->max_h = MAX_H; r->max_clock = 0; if(MAX_CLOCK != 0xff) /* is specified? */ - r->max_clock = MAX_CLOCK * 10; + r->max_clock = MAX_CLOCK * 10 + 5; if (HAVE_2ND_GTF) { r->gtf_2nd_f = F_2ND_GTF; r->gtf_2nd_c = C_2ND_GTF; commit d5248f036470150bd68148755b47abbbae3bfb33 Author: Adam Jackson <[email protected]> Date: Mon Jun 28 18:08:50 2010 -0400 render: Bounds check for nglyphs in ProcRenderAddGlyphs (#28801) Signed-off-by: Adam Jackson <[email protected]> Reviewed-by: Julien Cristau <[email protected]> Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 5725849a1b427cd4a72b84e57f211edb35838718) diff --git a/render/render.c b/render/render.c index 3f7edf7..b78c75b 100644 --- a/render/render.c +++ b/render/render.c @@ -1085,6 +1085,14 @@ ProcRenderAddGlyphs (ClientPtr client) gi = (xGlyphInfo *) (gids + nglyphs); bits = (CARD8 *) (gi + nglyphs); remain -= (sizeof (CARD32) + sizeof (xGlyphInfo)) * nglyphs; + + /* protect against bad nglyphs */ + if (gi < stuff || gi > ((CARD32 *)stuff + client->req_len) || + bits < stuff || bits > ((CARD32 *)stuff + client->req_len)) { + err = BadLength; + goto bail; + } + for (i = 0; i < nglyphs; i++) { size_t padded_width; commit 845f0bb1b941e770d88c40afe029e2fedd8655d9 Author: Chris Wilson <[email protected]> Date: Tue Aug 10 19:30:20 2010 +0100 xace: Invalid reference to out-of-scope data. The callback data passed by reference to the hook was allocated on stack within the scope of the case statement. The compiler is free to reuse any of that stack space whilst making the function call so we may end up passing garbage into the callback. References: Bug 18451 - Xorg server 1.5.2 SEGV during XFixesGetCursorImage() https://bugs.freedesktop.org/show_bug.cgi?id=18451 v2: Drop the unrelated hunk that snuck in when amending the commit message. Signed-off-by: Chris Wilson <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> 
Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 6dae7f3792611aace1df0cca63bf50c50d93de43) diff --git a/Xext/xace.c b/Xext/xace.c index bf0e98f..414eb4a 100644 --- a/Xext/xace.c +++ b/Xext/xace.c @@ -87,7 +87,18 @@ void XaceHookAuditEnd(ClientPtr ptr, int result) */ int XaceHook(int hook, ...) { - pointer calldata; /* data passed to callback */ + union { + XaceResourceAccessRec res; + XaceDeviceAccessRec dev; + XaceSendAccessRec send; + XaceReceiveAccessRec recv; + XaceClientAccessRec client; + XaceExtAccessRec ext; + XaceServerAccessRec server; + XaceScreenAccessRec screen; + XaceAuthAvailRec auth; + XaceKeyAvailRec key; + } u; int *prv = NULL; /* points to return value from callback */ va_list ap; /* argument list */ va_start(ap, hook); 
@@ -99,117 +110,86 @@ int XaceHook(int hook, ...) */ switch (hook) { - case XACE_RESOURCE_ACCESS: { - XaceResourceAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.id = va_arg(ap, XID); - rec.rtype = va_arg(ap, RESTYPE); - rec.res = va_arg(ap, pointer); - rec.ptype = va_arg(ap, RESTYPE); - rec.parent = va_arg(ap, pointer); - rec.access_mode = va_arg(ap, Mask); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_RESOURCE_ACCESS: + u.res.client = va_arg(ap, ClientPtr); + u.res.id = va_arg(ap, XID); + u.res.rtype = va_arg(ap, RESTYPE); + u.res.res = va_arg(ap, pointer); + u.res.ptype = va_arg(ap, RESTYPE); + u.res.parent = va_arg(ap, pointer); + u.res.access_mode = va_arg(ap, Mask); + u.res.status = Success; /* default allow */ + prv = &u.res.status; break; - } - case XACE_DEVICE_ACCESS: { - XaceDeviceAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.dev = va_arg(ap, DeviceIntPtr); - rec.access_mode = va_arg(ap, Mask); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_DEVICE_ACCESS: + u.dev.client = va_arg(ap, ClientPtr); + u.dev.dev = va_arg(ap, DeviceIntPtr); + u.dev.access_mode = va_arg(ap, Mask); + u.dev.status = Success; /* default allow */ + prv = &u.dev.status; break; - } - case XACE_SEND_ACCESS: { - XaceSendAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.dev = va_arg(ap, DeviceIntPtr); - rec.pWin = va_arg(ap, WindowPtr); - rec.events = va_arg(ap, xEventPtr); - rec.count = va_arg(ap, int); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_SEND_ACCESS: + u.send.client = va_arg(ap, ClientPtr); + u.send.dev = va_arg(ap, DeviceIntPtr); + u.send.pWin = va_arg(ap, WindowPtr); + u.send.events = va_arg(ap, xEventPtr); + u.send.count = va_arg(ap, int); + u.send.status = Success; /* default allow */ + prv = &u.send.status; break; - } - case XACE_RECEIVE_ACCESS: { - XaceReceiveAccessRec rec; - rec.client = 
va_arg(ap, ClientPtr); - rec.pWin = va_arg(ap, WindowPtr); - rec.events = va_arg(ap, xEventPtr); - rec.count = va_arg(ap, int); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_RECEIVE_ACCESS: + u.recv.client = va_arg(ap, ClientPtr); + u.recv.pWin = va_arg(ap, WindowPtr); + u.recv.events = va_arg(ap, xEventPtr); + u.recv.count = va_arg(ap, int); + u.recv.status = Success; /* default allow */ + prv = &u.recv.status; break; - } - case XACE_CLIENT_ACCESS: { - XaceClientAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.target = va_arg(ap, ClientPtr); - rec.access_mode = va_arg(ap, Mask); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_CLIENT_ACCESS: + u.client.client = va_arg(ap, ClientPtr); + u.client.target = va_arg(ap, ClientPtr); + u.client.access_mode = va_arg(ap, Mask); + u.client.status = Success; /* default allow */ + prv = &u.client.status; break; - } - case XACE_EXT_ACCESS: { - XaceExtAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.ext = va_arg(ap, ExtensionEntry*); - rec.access_mode = DixGetAttrAccess; - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_EXT_ACCESS: + u.ext.client = va_arg(ap, ClientPtr); + u.ext.ext = va_arg(ap, ExtensionEntry*); + u.ext.access_mode = DixGetAttrAccess; + u.ext.status = Success; /* default allow */ + prv = &u.ext.status; break; - } - case XACE_SERVER_ACCESS: { - XaceServerAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.access_mode = va_arg(ap, Mask); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_SERVER_ACCESS: + u.server.client = va_arg(ap, ClientPtr); + u.server.access_mode = va_arg(ap, Mask); + u.server.status = Success; /* default allow */ + prv = &u.server.status; break; - } case XACE_SCREEN_ACCESS: - case XACE_SCREENSAVER_ACCESS: { - XaceScreenAccessRec rec; - rec.client = va_arg(ap, ClientPtr); - 
rec.screen = va_arg(ap, ScreenPtr); - rec.access_mode = va_arg(ap, Mask); - rec.status = Success; /* default allow */ - calldata = &rec; - prv = &rec.status; + case XACE_SCREENSAVER_ACCESS: + u.screen.client = va_arg(ap, ClientPtr); + u.screen.screen = va_arg(ap, ScreenPtr); + u.screen.access_mode = va_arg(ap, Mask); + u.screen.status = Success; /* default allow */ + prv = &u.screen.status; break; - } - case XACE_AUTH_AVAIL: { - XaceAuthAvailRec rec; - rec.client = va_arg(ap, ClientPtr); - rec.authId = va_arg(ap, XID); - calldata = &rec; + case XACE_AUTH_AVAIL: + u.auth.client = va_arg(ap, ClientPtr); + u.auth.authId = va_arg(ap, XID); break; - } - case XACE_KEY_AVAIL: { - XaceKeyAvailRec rec; - rec.event = va_arg(ap, xEventPtr); - rec.keybd = va_arg(ap, DeviceIntPtr); - rec.count = va_arg(ap, int); - calldata = &rec; + case XACE_KEY_AVAIL: + u.key.event = va_arg(ap, xEventPtr); + u.key.keybd = va_arg(ap, DeviceIntPtr); + u.key.count = va_arg(ap, int); break; - } - default: { + default: va_end(ap); return 0; /* unimplemented hook number */ - } } va_end(ap); /* call callbacks and return result, if any. */ - CallCallbacks(&XaceHooks[hook], calldata); + CallCallbacks(&XaceHooks[hook], &u); return prv ? *prv : Success; } commit f07fc1461d38c8228d1bacf3d19932cac7bacddd Author: Peter Hutterer <[email protected]> Date: Fri Jun 11 10:12:52 2010 +1000 xkb: fix invalid memory writes in _XkbCopyGeom. 
Classic strlen/strcpy mistake of foo = malloc(strlen(bar)); strcpy(foo, bar); Testcase: valgrind Xephyr :1 ==8591== Invalid write of size 1 ==8591== at 0x4A0638F: strcpy (mc_replace_strmem.c:311) ==8591== by 0x605593: _XkbCopyGeom (xkbUtils.c:1994) ==8591== by 0x605973: XkbCopyKeymap (xkbUtils.c:2118) ==8591== by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560) ==8591== by 0x4472E2: CoreKeyboardProc (devices.c:577) ==8591== by 0x447162: ActivateDevice (devices.c:530) ==8591== by 0x4475D6: InitCoreDevices (devices.c:672) ==8591== by 0x4449EE: main (main.c:254) ==8591== Address 0x6f96505 is 0 bytes after a block of size 53 alloc'd ==8591== at 0x4A0515D: malloc (vg_replace_malloc.c:195) ==8591== by 0x6054B7: _XkbCopyGeom (xkbUtils.c:1980) ==8591== by 0x605973: XkbCopyKeymap (xkbUtils.c:2118) ==8591== by 0x6122B3: InitKeyboardDeviceStruct (xkbInit.c:560) ==8591== by 0x4472E2: CoreKeyboardProc (devices.c:577) ==8591== by 0x447162: ActivateDevice (devices.c:530) ==8591== by 0x4475D6: InitCoreDevices (devices.c:672) ==8591== by 0x4449EE: main (main.c:254) Reported-by: Dave Airlie <[email protected]> Signed-off-by: Peter Hutterer <[email protected]> Reviewed-by-and-apologised-for: Daniel Stone <[email protected]> Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 7f19a7a6e90a4fd7b7ec0256974f62e575218541) Conflicts: xkb/xkbUtils.c (cherry picked from commit f85552aa452d5f575fee9f6031a33ca79bdc3cc8) Signed-off-by: Julien Cristau <[email protected]> diff --git a/xkb/xkbUtils.c b/xkb/xkbUtils.c index 30ec438..1abb5a8 100644 --- a/xkb/xkbUtils.c +++ b/xkb/xkbUtils.c @@ -1940,7 +1940,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst) /* font */ if (src->geom->label_font) { if (!dst->geom->label_font) { - tmp = xalloc(strlen(src->geom->label_font)); + tmp = xalloc(strlen(src->geom->label_font) + 1); if (!tmp) return FALSE; dst->geom->label_font = tmp; 
@@ -1948,7 +1948,7 @@ _XkbCopyGeom(XkbDescPtr src, XkbDescPtr dst) else if (strlen(src->geom->label_font) != strlen(dst->geom->label_font)) { tmp = xrealloc(dst->geom->label_font, - strlen(src->geom->label_font)); + strlen(src->geom->label_font) + 1); if (!tmp) return FALSE; dst->geom->label_font = tmp; commit b9638391394d1f4797b5421fa4ccbe9d194eee5a Author: Pierre-Loup A. Griffais <[email protected]> Date: Wed Apr 21 18:11:05 2010 -0700 xf86: Don't crash when switching modes through RandR without owning the VT. While VT-switched, FB access is disabled and should remain so. Trying to switch modes in that state would re-enable it, potentially causing crashes if trying to access it before the driver has recovered from the mode switch. Signed-off-by: Pierre-Loup A. Griffais <[email protected]> Reviewed-by: Adam Jackson <[email protected]> Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 41bdb6c003cca3ef0ff88d9c7de318115bab1ba2) Signed-off-by: Julien Cristau <[email protected]> diff --git a/hw/xfree86/common/xf86RandR.c b/hw/xfree86/common/xf86RandR.c index 02dcc34..d4beb2c 100644 --- a/hw/xfree86/common/xf86RandR.c +++ b/hw/xfree86/common/xf86RandR.c @@ -163,7 +163,7 @@ xf86RandRSetMode (ScreenPtr pScreen, WindowPtr pRoot = WindowTable[pScreen->myNum]; Bool ret = TRUE; - if (pRoot) + if (pRoot && scrp->vtSema) (*scrp->EnableDisableFBAccess) (pScreen->myNum, FALSE); if (useVirtual) { 
@@ -229,7 +229,7 @@ xf86RandRSetMode (ScreenPtr pScreen, */ xf86SetViewport (pScreen, pScreen->width, pScreen->height); xf86SetViewport (pScreen, 0, 0); - if (pRoot) + if (pRoot && scrp->vtSema) (*scrp->EnableDisableFBAccess) (pScreen->myNum, TRUE); return ret; } commit 5154dede3d53151f4bed43b0e1626abf64b91fc5 Author: Éric Piel <[email protected]> Date: Fri Jun 11 09:16:32 2010 -0700 exa: fix ExaCheckCopyNtoN for exa_classic when source = dest In case you want to copy a region with source = dest, you have the same pixmap as source and dest. At the end of exaPixmapIsOffscreen_classic() the devPrivate.ptr is reset to NULL (look at the sources). Now this is what happens in ExaCheckCopyNtoN: exaPrepareAccess( pDst ); Calls IsOffscreen() sets devPrivate.ptr to NULL sets up devPrivate.ptr to real pointer Everything OK exaPrepareAccess( pSrc ); Calls IsOffscreen() sets devPrivate.ptr to NULL BAILS OUT CAUSE OF NESTED OPERATION SINCE DST EQUALS SRC We end up with devPrivate.ptr as NULL, and that is clearly wrong. In particular this fixes a segfault when using the psb driver (bug 28077) Signed-off-by: Éric Piel <[email protected]> Reviewed-by: Michel Dänzer <[email protected]> Signed-off-by: Keith Packard <[email protected]> (cherry picked from commit 7e8f1001217326cc451974bacf25275420c4bb4e) diff --git a/exa/exa_classic.c b/exa/exa_classic.c index 12f3987..28cc421 100644 --- a/exa/exa_classic.c +++ b/exa/exa_classic.c @@ -256,9 +256,10 @@ exaPixmapIsOffscreen_classic(PixmapPtr pPixmap) Bool ret; if (pExaScr->info->PixmapIsOffscreen) { + void* old_ptr = pPixmap->devPrivate.ptr; pPixmap->devPrivate.ptr = ExaGetPixmapAddress(pPixmap); ret = pExaScr->info->PixmapIsOffscreen(pPixmap); - pPixmap->devPrivate.ptr = NULL; + pPixmap->devPrivate.ptr = old_ptr; } else ret = (pExaPixmap->offscreen && pExaPixmap->fb_ptr);
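Review bot: In doc/Xserver.man.pre, the new \-nocursor entry reads "disable the display of the pointer cursor" while the neighbouring entries use the third person ("disables", "sets", "turns off"); make it "disables". In the \-br entry, the added sentence writes -retro and -wr with bare hyphens, whereas option names elsewhere in these hunks are written with \- (for example ".B \-bs"), so escape them the same way.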
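Review bot: In LocalClient (os/access.c), the two added NULL checks carry no comment saying when client->osPrivate or trans_conn can be NULL. A one-line comment naming the case (the client's connection has already been closed down) would keep a later cleanup from removing them as redundant. The two tests could also be folded into a single condition joined with ||, as long as the osPrivate test stays first.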
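Review bot: In the DRIVER case of xf86parseInputSection (hw/xfree86/parser/Input.c), the result of strdup("kbd") is stored in ptr->inp_driver without a NULL check, so an allocation failure silently leaves the section with no driver name. Check the return value and report the failure through the parser's error path. After free(val.str), val.str still holds the freed pointer; setting it to NULL at that point would make any later use or second free show up immediately.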
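Review bot: In fb/fbbits.h, the new isClipped expands its argument c three times, so a caller passing an expression with side effects would evaluate it three times. The comment above the macro also does not say why the leading (c) term is there; add a sentence stating that it rejects any coordinate pair with the sign bit set in either 16-bit half (the bits selected by 0x80008000).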
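Review bot: In get_monitor_ranges (hw/xfree86/ddc/interpret_edid.c), the "+ 5" added to r->max_clock is an unexplained constant. Add a comment on that line saying it is rounding slack for the coarse granularity of MAX_CLOCK, so that a later reader does not take it for an arithmetic slip and remove it.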
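Review bot: In ProcRenderAddGlyphs (render/render.c), the new bounds test runs after "gi = (xGlyphInfo *) (gids + nglyphs)" and "bits = (CARD8 *) (gi + nglyphs)" have already been computed from the unvalidated nglyphs. Pointer arithmetic that leaves the request buffer is undefined behaviour in C, and where it wraps the resulting pointers can land back inside the request and pass the test. Validate the count arithmetically before deriving the pointers, for example by rejecting nglyphs greater than remain / (sizeof (CARD32) + sizeof (xGlyphInfo)), and place that check ahead of the "remain -=" line, which is computed from the same count. The comparisons also mix pointer types (gi and bits against stuff and a CARD32 *) without casts.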
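Review bot: In XaceHook (Xext/xace.c), the union u has no comment, while the calldata variable it replaces had one ("data passed to callback"), and CallCallbacks now receives &u for every hook. That is correct only because every member of a union starts at the union's own address; state this on the declaration so that nobody later wraps the records in a struct or adds a leading field and silently shifts what the callbacks receive.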
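Review bot: In _XkbCopyGeom (xkb/xkbUtils.c), "strlen(src->geom->label_font) + 1" is now written out in both the xalloc and the xrealloc branch, and the xrealloc branch calls strlen on the source once more in its condition. Compute the length once into a local size_t and use it for both allocations, so the two sizes cannot drift apart again.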
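Review bot: In xf86RandRSetMode (hw/xfree86/common/xf86RandR.c), the condition "pRoot && scrp->vtSema" is evaluated separately for the disable call at the top of the function and the enable call at the bottom. If vtSema changes while the mode is being set, framebuffer access would be disabled without being re-enabled, or enabled without having been disabled. Latch the result in a local Bool at the first test and reuse it for the second.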

