xserver: Branch 'server-1.4-branch' - 2 commits

Wed Feb 20 13:18:09 PST 2008

Xext/shm.c   |   12 ++++++------
 dix/window.c |    3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)

New commits:
commit 44f46bfb981ca69515dafc520f62f33654711194
Author: Matthias Hopf <mhopf at suse.de>
Date:   Mon Jan 21 16:13:21 2008 +0100

    CVE-2007-6429: Always test for size+offset wrapping.

diff --git a/Xext/shm.c b/Xext/shm.c
index 6f99e90..376f123 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -753,10 +753,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
         if (size < width * height)
             return BadAlloc;
-        /* thankfully, offset is unsigned */
-        if (stuff->offset + size < size)
-            return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
 
@@ -1098,10 +1098,10 @@ CreatePmap:
     if (sizeof(size) == 4 && BitsPerPixel(depth) > 8) {
 	if (size < width * height)
 	    return BadAlloc;
-	/* thankfully, offset is unsigned */
-	if (stuff->offset + size < size)
-	    return BadAlloc;
     }
+    /* thankfully, offset is unsigned */
+    if (stuff->offset + size < size)
+	return BadAlloc;
 
     VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
commit bcbfd619f8da888224afd80ee3a2db7d500523eb
Author: Kristian HÃ¸gsberg <krh at redhat.com>
Date:   Wed Jan 16 20:24:11 2008 -0500

    Don't break grab and focus state for a window when redirecting it.
    
    Composite uses an unmap/map cycle to trigger backing pixmap allocation
    and cliprect recomputation when a window is redirected or unredirected.
    To avoid protocol visible side effects, map and unmap events are
    disabled temporarily.  However, when a window is unmapped it is also
    removed from grabs and loses focus, but these state changes are not
    disabled.
    
    This change supresses the unmap side effects during the composite
    unmap/map cycle and fixes this bug:
    
      http://bugzilla.gnome.org/show_bug.cgi?id=488264
    
    where compiz would cause gnome-screensaver to lose its grab when
    compiz unredirects the fullscreen lock window.

diff --git a/dix/window.c b/dix/window.c
index be4ea2c..961c02a 100644
--- a/dix/window.c
+++ b/dix/window.c
@@ -3023,7 +3023,8 @@ UnrealizeTree(
 	    } 
 #endif
 	    (* Unrealize)(pChild);
-	    DeleteWindowFromAnyEvents(pChild, FALSE);
+	    if (MapUnmapEventsEnabled(pWin))
+		DeleteWindowFromAnyEvents(pChild, FALSE);
 	    if (pChild->viewable)
 	    {
 #ifdef DO_SAVE_UNDERS
