xserver: Branch 'xorg-server-1.4-apple' - 4 commits

Jeremy Huddleston jeremyhu at kemper.freedesktop.org
Wed Feb 13 23:51:37 PST 2008 

 Xext/shm.c      |   36 ++++++++++++++++++++----------------
 dix/getevents.c |    2 +-
 xkb/xkbLEDs.c   |    3 +++
 3 files changed, 24 insertions(+), 17 deletions(-)

New commits:
commit 1b22192e5079cec0e0b5e072415e93aae67d8593
Merge: b3eabf1... bc72ef3...
Author: Jeremy Huddleston <jeremy at yuffie.local>
Date:   Wed Feb 13 23:48:02 2008 -0800

    Merge branch 'server-1.4-branch' into xorg-server-1.4-apple

commit bc72ef3a159efd67067322c043bba444869dc356
Author: Peter Hutterer <peter at cs.unisa.edu.au>
Date:   Wed Jan 30 10:39:54 2008 +1030

    xkb: don't update LEDs if they don't exist. (Bug #13961)
    
    In some weird cases we call this function when there is no SrvLedInfo on the
    device. And it turns out null-pointer dereferences are bad.
    
    X.Org Bug 13961 <http://bugs.freedesktop.org/show_bug.cgi?id=13961>
    (cherry picked from commit d954f9c80348de294602d931d387e5cd1ef4b9a5)

diff --git a/xkb/xkbLEDs.c b/xkb/xkbLEDs.c
index d607d90..d28973c 100644
--- a/xkb/xkbLEDs.c
+++ b/xkb/xkbLEDs.c
@@ -63,6 +63,9 @@ XkbSrvLedInfoPtr	sli;
 
     sli= XkbFindSrvLedInfo(dev,XkbDfltXIClass,XkbDfltXIId,0);
 
+    if (!sli)
+        return update;
+
     if (state_changes&(XkbModifierStateMask|XkbGroupStateMask))
 	update|= sli->usesEffective;
     if (state_changes&(XkbModifierBaseMask|XkbGroupBaseMask))
commit e98027c3ac7195fec665ef393d980b02870ca1b8
Author: Peter Hutterer <peter at cs.unisa.edu.au>
Date:   Tue Dec 18 13:57:07 2007 +1030

    dix: set the correct number of valuators in valuator events.
    
    (first_valuator + num_valuators) must never be larger than the number of axes,
    otherwise DIX freaks out. And from looking at libXI, anything larger than 6 is
    wrong too.
    (cherry picked from commit 9f6ae61ad12cc2813d04405458e1ca5aed8a539e)

diff --git a/dix/getevents.c b/dix/getevents.c
index 12d8189..b7ba69b 100644
--- a/dix/getevents.c
+++ b/dix/getevents.c
@@ -344,7 +344,7 @@ getValuatorEvents(xEvent *events, DeviceIntPtr pDev, int first_valuator,
     for (i = first_valuator; i < final_valuator; i += 6, xv++, events++) {
         xv->type = DeviceValuator;
         xv->first_valuator = i;
-        xv->num_valuators = num_valuators;
+        xv->num_valuators = ((num_valuators - i) > 6) ? 6 : (num_valuators - i);
         xv->deviceid = pDev->id;
         switch (final_valuator - i) {
         case 6:
commit b6d4cdf64f43ae805beada6122c8be2ed138742c
Author: Adam Jackson <ajax at redhat.com>
Date:   Fri Jan 18 14:41:20 2008 -0500

    CVE-2007-6429: Don't spuriously reject <8bpp shm pixmaps.
    
    Move size validation after depth validation, and only validate size if
    the bpp of the pixmap format is > 8.  If bpp < 8 then we're already
    protected from overflow by the width and height checks.
    (cherry picked from commit e9fa7c1c88a8130a48f772c92b186b8b777986b5)

diff --git a/Xext/shm.c b/Xext/shm.c
index 5633be9..6f99e90 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -737,14 +737,6 @@ ProcPanoramiXShmCreatePixmap(
     }
     if (width > 32767 || height > 32767)
         return BadAlloc;
-    size = PixmapBytePad(width, depth) * height;
-    if (sizeof(size) == 4) {
-        if (size < width * height)
-            return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
-    }
 
     if (stuff->depth != 1)
     {
@@ -755,7 +747,17 @@ ProcPanoramiXShmCreatePixmap(
 	client->errorValue = stuff->depth;
         return BadValue;
     }
+
 CreatePmap:
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+        if (size < width * height)
+            return BadAlloc;
+        /* thankfully, offset is unsigned */
+        if (stuff->offset + size < size)
+            return BadAlloc;
+    }
+
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
@@ -1080,14 +1082,6 @@ ProcShmCreatePixmap(client)
     }
     if (width > 32767 || height > 32767)
 	return BadAlloc;
-    size = PixmapBytePad(width, depth) * height;
-    if (sizeof(size) == 4) {
-	if (size < width * height)
-	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
-    }
 
     if (stuff->depth != 1)
     {
@@ -1098,7 +1092,17 @@ ProcShmCreatePixmap(client)
 	client->errorValue = stuff->depth;
         return BadValue;
     }
+
 CreatePmap:
+    size = PixmapBytePad(width, depth) * height;
+    if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
+	if (size < width * height)
+	    return BadAlloc;
+	/* thankfully, offset is unsigned */
+	if (stuff->offset + size < size)
+	    return BadAlloc;
+    }
+
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
 			    pDraw->pScreen, stuff->width,

More information about the xorg-commit mailing list