On Wed, Sep 30, 2009 at 11:41:16AM -0700, Keith Packard wrote:
> Excerpts from Peter Hutterer's message of Tue Sep 29 22:44:07 -0700 2009:
>
> > Question is now what to do - simply skipping the composite call for a NULL
> > source should make sense, doesn't it?
>
> Yes, with no bits, no composite is needed :-)
Patch version 3, this time split up since these are two different semantical
changes now.
0001-render-set-the-glyph-picture-to-NULL-by-default.patch
Hunks 1 and 2 of the previous patch plus an early exit when trying to
composite a NULL source.
0001-render-Fix-crash-in-RenderAddGlyphs-23645.patch
The actual fix to 23645, same as the original version.
Cheers,
Peter
>From da6dc2aef065e9e59466e16df766c8dbc5e78236 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <[email protected]>
Date: Thu, 1 Oct 2009 10:01:37 +1000
Subject: [PATCH] render: set the glyph picture to NULL by default.
In a follow-up patch we may have glyphs with a NULL picture. To cope with
that, always set the pictures for glyphs to NULL at creation time and cope
with cleaning up such glyphs. Also, since compositing a NULL source doesn't
do a lot anyway, return early when trying to do so.
Signed-off-by: Peter Hutterer <[email protected]>
---
render/glyph.c | 4 +++-
render/picture.c | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/render/glyph.c b/render/glyph.c
index 6327c9f..55e1827 100644
--- a/render/glyph.c
+++ b/render/glyph.c
@@ -282,7 +282,8 @@ FreeGlyphPicture(GlyphPtr glyph)
{
ScreenPtr pScreen = screenInfo.screens[i];
- FreePicture ((pointer) GlyphPicture (glyph)[i], 0);
+ if (GlyphPicture(glyph)[i])
+ FreePicture ((pointer) GlyphPicture (glyph)[i], 0);
ps = GetPictureScreenIfSet (pScreen);
if (ps)
@@ -414,6 +415,7 @@ AllocateGlyph (xGlyphInfo *gi, int fdepth)
for (i = 0; i < screenInfo.numScreens; i++)
{
+ GlyphPicture(glyph)[i] = NULL;
ps = GetPictureScreenIfSet (screenInfo.screens[i]);
if (ps)
diff --git a/render/picture.c b/render/picture.c
index e1a2972..ed8f94f 100644
--- a/render/picture.c
+++ b/render/picture.c
@@ -1705,7 +1705,10 @@ CompositePicture (CARD8 op,
CARD16 height)
{
PictureScreenPtr ps = GetPictureScreen(pDst->pDrawable->pScreen);
-
+
+ if (!pSrc)
+ return;
+
ValidatePicture (pSrc);
if (pMask)
ValidatePicture (pMask);
--
1.6.3.rc1.2.g0164.dirty
>From 7fd98f9675c694c6c00f775725529c21224122a2 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <[email protected]>
Date: Thu, 1 Oct 2009 10:03:42 +1000
Subject: [PATCH] render: Fix crash in RenderAddGlyphs (#23645)
This patch fixes two bugs:
size is calculated as glyph height * padded_width. If the client submits
garbage, this may get above INT_MAX, resulting in a negative size if size is
unsigned. The sanity checks don't trigger for negative sizes and the server
goes and writes into random memory locations.
If the client submits glyphs with a width or height 0, the destination
pixmap is NULL, causing a null-pointer dereference. Since there's nothing to
composite if the width/height is 0, we might as well skip the whole thing
anyway.
Tested with Xvfb, Xephyr and Xorg.
X.Org Bug 23645 <http://bugs.freedesktop.org/show_bug.cgi?id=23645>
Signed-off-by: Peter Hutterer <[email protected]>
---
render/render.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/render/render.c b/render/render.c
index a306766..a32d797 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1043,7 +1043,7 @@ ProcRenderAddGlyphs (ClientPtr client)
CARD32 *gids;
xGlyphInfo *gi;
CARD8 *bits;
- int size;
+ unsigned int size;
int err;
int i, screen;
PicturePtr pSrc = NULL, pDst = NULL;
@@ -1131,6 +1131,10 @@ ProcRenderAddGlyphs (ClientPtr client)
ScreenPtr pScreen;
int error;
+ /* Skip work if it's invisibly small anyway */
+ if (!width || !height)
+ break;
+
pScreen = screenInfo.screens[screen];
pSrcPix = GetScratchPixmapHeader (pScreen,
width, height,
--
1.6.3.rc1.2.g0164.dirty
_______________________________________________
xorg-devel mailing list
[email protected]
http://lists.x.org/mailman/listinfo/xorg-devel
