Take into account c_need_sizeof when evaluating
xcb_protocol_request_t.count
Incorrect xcb_protocol_request_t.count causes a segmentation fault when
calling functions:
- xcb_randr_set_monitor{_checked}
- xcb_input_change_feedback_control{_checked}
- xcb_input_change_device_control{_unchecked}
Steps to reproduce:
Call xcb_randr_set_monitor() with valid arguments
OBSERVED RESULT
Segmentation fault
```
Process terminating with default action of signal 11 (SIGSEGV)
Access not within mapped region at address 0x780
at 0x4852925: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-
amd64-linux.so)
by 0x486967C: memcpy (string_fortified.h:29)
by 0x486967C: send_request (xcb_out.c:59)
by 0x486967C: send_request (xcb_out.c:46)
by 0x486967C: xcb_send_request_with_fds64 (xcb_out.c:338)
by 0x48699FC: xcb_send_request (xcb_out.c:359)
by 0x4891F11: xcb_randr_set_monitor_checked (randr.c:5350)
```
EXPECTED RESULT
Function returns cookie
Amend: 77b594f958
Signed-off-by: Ilya Pominov <ipominov@astralinux.ru>
If DISPLAY starts with / or unix:, do not check for anything but a full
filesystem socket path. In particular, abstract AF_UNIX sockets and TCP
sockets will not be used in this case. Also be stricter about parsing
the screen part of /path.screen displays, and bail out after all stat()
errors other than ENOENT.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
When combined with xorg/lib/libxtrans!7, this allows CVE-2020-25697 to
be mitigated by placing the AF_UNIX socket in a secure directory on the
filesystem.
This enables HAVE_LAUNCHD unconditionally and deletes the configure
switch.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
If the function implementing xcb_connect is called directly with a
custom xcb_auth_info_t then checking that the screen in $DISPLAY
is valid is skipped.
Reported by chohag AT jtan DOT com
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
This fixes https://gitlab.freedesktop.org/xorg/lib/libxcb/-/issues/53
The issue was that libxcb expected to get a reply based on the request_expected
variable, but a reply would never arrive because the request was never actually
written. To resolve this, a separate request_expected_written variable is
added.
The c->in request counters are uint64_t, and can realistically go over
2**32 over a lifetime of a client. The c->in->replies map however uses
unsigned int keys and the passed request numbers are silently truncated.
I haven't analyzed in depth what happens what it wraps around but it's
probably nothing good.
The only user of the xcb_list.c map code is c->in->replies, so just
change it to use uint64_t keys.
Reviewed-by: Uli Schlachter <psychon@znc.in>
Signed-off-by: Ran Benita <ran@unusedvar.com>
The reason strings returned by the server don't all include a newline,
so make sure we add one to avoid confusing clients. Xlib used to do
this before it delegated that work to libxcb.
Fixes#34
Signed-off-by: Julien Cristau <jcristau@debian.org>
Using get_expr_fields() is only needed in case we are doing things that
can span multiple types easily, e.g. when deciding what data to pass via
function parameters and so on.
In _c_serialize_helper_list_field() we are building function body, so
acquiring field names via get_expr_field_names() is enough.
Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
There are at least two bugs in the previous implementation:
- If an early iovec is partially written, there can be a gap of missing
data (as a later iovec will be started before the early iovec is
completed).
- If a late iovec returns WSAEWOULDBLOCK, *vector and *count are not
updated, leading to a re-send of the entire request.
Move the *vector update into the send() loop to update piecemeal as
individual iovecs are sent.
Example program that demonstrates the issue (this program should run
forever after these bugs have been fixed):
#include <stdio.h>
#include <stdlib.h>
#include "xcb.h"
// Non-cryptographic random number generator from http://burtleburtle.net/bob/rand/smallprng.html
// because Microsoft's random number generators either have a too small RAND_MAX or are too slow
typedef struct ranctx { uint32_t a; uint32_t b; uint32_t c; uint32_t d; } ranctx;
static uint32_t ranval(ranctx *x);
static void raninit(ranctx *x, uint32_t seed);
#define MAX_PROP_LEN (128 * 1024)
int main(int argc, char *argv[]) {
uint32_t seed = 0x12345678;
if (argc > 1) {
seed = strtoul(argv[1], NULL, 0);
}
ranctx ran;
raninit(&ran, seed);
xcb_connection_t *c = xcb_connect(NULL, NULL);
if (!c || xcb_connection_has_error(c)) {
printf("Cannot connect to $DISPLAY\n");
return 1;
}
const xcb_setup_t *setup = xcb_get_setup(c);
char *buf = malloc(MAX_PROP_LEN + 8); // plus a bit of slack so we can run random values off the end
if (!buf) {
printf("oom\n");
return 1;
}
for (uint32_t i=0; i < (MAX_PROP_LEN + 3) / 4; i++) {
((uint32_t *)buf)[i] = ranval(&ran);
}
xcb_window_t win = xcb_generate_id(c);
xcb_create_window(c, 0, win, xcb_setup_roots_iterator(setup).data[0].root, 0, 0, 1, 1, 0,
XCB_WINDOW_CLASS_INPUT_ONLY, 0, 0, NULL);
printf("Created window 0x%X\n", win);
for (;;) {
xcb_flush(c);
xcb_generic_event_t *ev = xcb_poll_for_event(c);
if (ev) {
if (ev->response_type == 0) {
xcb_generic_error_t *err = (xcb_generic_error_t *)ev;
printf("Unexpected X Error %d\n", err->error_code);
printf(" Sequence %d\n", err->sequence);
printf(" Resource ID 0x%X\n", err->resource_id);
printf(" Opcode: %d.%d\n", err->major_code, err->minor_code);
return 1;
}
printf("Unexpected X Event %d\n", ev->response_type);
return 1;
}
uint32_t siz = ranval(&ran) % MAX_PROP_LEN + 1;
xcb_change_property(c, XCB_PROP_MODE_REPLACE, win, XCB_ATOM_STRING, XCB_ATOM_STRING, 8, siz, buf);
}
return 0;
}
#define rot(x,k) (((x)<<(k))|((x)>>(32-(k))))
static uint32_t ranval(ranctx *x) {
uint32_t e = x->a - rot(x->b, 27);
x->a = x->b ^ rot(x->c, 17);
x->b = x->c + x->d;
x->c = x->d + e;
x->d = e + x->a;
return x->d;
}
static void raninit(ranctx *x, uint32_t seed) {
uint32_t i;
x->a = 0xf1ea5eed, x->b = x->c = x->d = seed;
for (i = 0; i<20; ++i) {
(void)ranval(x);
}
}
Signed-off-by: Peter Harris <pharris@opentext.com>
Notable changes: Protect include of unistd.h (and other POSIX headers).
Use SOCKET (which is larger than int) and closesocket (because close is
not compatible) for sockets. Use <stdint.h>'s intptr_t instead of the
non-portable ssize_t.
Signed-off-by: Peter Harris <pharris@opentext.com>
xcb_auth.c:135:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
addr += 12;
~~~~~^~~~~
xcb_auth.c:138:5: note: here
case AF_INET:
^~~~
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Somewhat belatedly given the last update was in xcb-proto 1.13 in 2017...
Quoting @smcv from https://bugs.debian.org/921069:
>>>
libxcb-dri3 version 1.13 appears to have added new symbols without increasing
the minor ABI version in its -version-info. This will break anything that
compares libraries by their version info to decide which one is newer.
The Steam Runtime uses libraries' major/minor/micro ABI version info (in this
case 0.0.0) to decide whether to use the system copy of a library or the copy
in the Steam Runtime, depending on which one is newer (#921026). We can
work around this by adding a versioned dependency on libxcb-dri3-0 and
deleting the copy from the Steam Runtime, but this isn't a particularly
scalable solution.
>>>
Returns raw byte counts that have been read or written to the
xcb_connection_t.
I found it very useful when developing a high level widget toolkit, to
track down inefficient/sub-optimum code that generates a lot of X
protocol traffic.
Signed-off-by: Sam Varshavchik <mrsam@courier-mta.com>
I have a GTK application which occasionally crashes with an "interrupted
system call" g_message from gdk. After a lot of debugging, I've found
that the call to recvmsg in _xcb_in_read occasionally fails with EINTR,
and instead of retrying the system call, xcb would just shut down the
connection.
This change makes _xcb_in_read treat EINTR the same as it would treat
EAGAIN; it returns 1 and libX11 ends up calling xcb_poll_for_event
again (from what I have understood).
I have spoken with a few people who think recvmsg failing with EINTR in
this case shouldn't ever happen, and I don't know enough to agree or
disagree with that. In case anyone wants to dig further and try to
figure out why the recvmsg call sometimes fails with EINTR, here's the
backtrace from inside of _xcb_in_read where that happened:
Thread 1 "beanbar" hit Breakpoint 1, _xcb_in_read (c=c@entry=0x55ecbe4aba80) at xcb_in.c:1059
1059 fprintf(stderr, "Hello World am %s:%i, errno is %s\n", __FILE__, __LINE__, strerror(errno));
(gdb) bt
0 0x00007fa48fa48639 in _xcb_in_read (c=c@entry=0x55ecbe4aba80) at xcb_in.c:1059
1 0x00007fa48fa489d8 in poll_for_next_event (c=0x55ecbe4aba80, queued=queued@entry=0) at xcb_in.c:352
2 0x00007fa48fa48a3d in poll_for_next_event (queued=0, c=<optimized out>) at xcb_in.c:722
3 0x00007fa48fa48a3d in xcb_poll_for_event (c=<optimized out>) at xcb_in.c:722
4 0x00007fa4908d1b7e in poll_for_event (dpy=dpy@entry=0x55ecbe4a9730, queued_only=queued_only@entry=0) at xcb_io.c:245
5 0x00007fa4908d1cf0 in poll_for_response (dpy=dpy@entry=0x55ecbe4a9730) at xcb_io.c:303
6 0x00007fa4908d1fed in _XEventsQueued (mode=2, dpy=0x55ecbe4a9730) at xcb_io.c:363
7 0x00007fa4908d1fed in _XEventsQueued (dpy=dpy@entry=0x55ecbe4a9730, mode=mode@entry=2) at xcb_io.c:344
8 0x00007fa4908c3d47 in XPending (dpy=0x55ecbe4a9730) at Pending.c:55
9 0x00007fa493cadbc7 in () at /usr/lib/libgdk-3.so.0
10 0x00007fa49234d08a in g_main_context_prepare () at /usr/lib/libglib-2.0.so.0
11 0x00007fa49234d6e6 in () at /usr/lib/libglib-2.0.so.0
12 0x00007fa49234d8ae in g_main_context_iteration () at /usr/lib/libglib-2.0.so.0
13 0x00007fa4938b920e in g_application_run () at /usr/lib/libgio-2.0.so.0
14 0x000055ecbc820af4 in main (argc=1, argv=0x7ffd06238098) at src/main.c:190
Signed-off-by: Martin Dørum <martid0311@gmail.com>
If any flags are specified in a call to xcb_take_socket,
they should only be applied to replies for requests sent
after that function returns (and until the socket is
re-acquired by XCB).
Previously, they would also be incorrectly applied to the
reply for the last request sent before the socket was taken.
For instance, in this example program the reply for the
GetInputFocus request gets discarded, even though it was
sent before the socket was taken. This results in the
call to retrieve the reply hanging indefinitely.
static void return_socket(void *closure) {}
int main(void)
{
Display *dpy = XOpenDisplay(NULL);
xcb_connection_t *c = XGetXCBConnection(dpy);
xcb_get_input_focus_cookie_t cookie = xcb_get_input_focus_unchecked(c);
xcb_flush(c);
uint64_t seq;
xcb_take_socket(c, return_socket, dpy, XCB_REQUEST_DISCARD_REPLY, &seq);
xcb_generic_error_t *err;
xcb_get_input_focus_reply(c, cookie, &err);
}
In practice, this has been causing intermittent KWin crashes when
used in combination with the proprietary NVIDIA driver such as
https://bugs.kde.org/show_bug.cgi?id=386370 since when Xlib fails to
retrieve one of these incorrectly discarded replies it triggers
an IO error.
Signed-off-by: Erik Kurzinger <ekurzinger@nvidia.com>
Signed-off-by: Uli Schlachter <psychon@znc.in>
Matching xcbgen changes, add support having a ListType which contains
file descriptors. Use this to send a variable number of FDs to the
server, including when the list size is not fixed.
Signed-off-by: Daniel Stone <daniels@collabora.com>
For when we have a variable-sized field followed by a fixed field, make
sure we do not serialise non-wire fields.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Using the mesa vulkan driver, if you acquire an image from a
swapchain using a finite timeout (x11_acquire_next_image_poll_x11),
it will occasionally lock, calling xcb_poll_for_special_event in
a loop until the timeout expires.
Call _xcb_in_read() once from the polling functions for special
events and replies, in the same way as xcb_poll_for_event.
Signed-off-by: David McFarland <corngood@gmail.com>
Signed-off-by: Uli Schlachter <psychon@znc.in>
_xcb_open does not check strdup's return value for NULL if launchd suport
was configured.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Uli Schlachter <psychon@znc.in>
eventstruct allows to use events as part of requests.
This is, e.g., needed by xcb_input_send_extension_event.
Signed-off-by: Christian Linhart <chris@demorecorder.com>
xcb contains an xml-definition for the GenericEvent extension
but this extension was neither generated nor built.
This patch enables optional building of the GenericEvent extension
with configure option --enable-ge
By default, the GenericEvent extension is not built.
Normally this is not needed by application programs
because there is implicit support for the GE-extension
for the specific events built with this extension.
But it may be useful for X-protocol analyzers and stuff like that.
Signed-off-by: Christian Linhart <chris@demorecorder.com>
replace the complicated symboltable lookup for sumof expr
by accessing the lenfield of the expr-object.
This requires the corresponding patch for xcb/proto
which sets the lenfield accordingly.
This should be OK because for official releases we define
that dependency in the build system.
For getting versions off the HEAD of the git repo, it should
be obvious that xcb/proto and xcb/libxcb have to be updated together.
I have tested this patch and it generates exactly the same code
as before.
Tested-by: Christian Linhart <chris@demorecorder.com>
Signed-off-by: Christian Linhart <chris@demorecorder.com>
Found by clang -Wdocumentation:
./xcbext.h:271:11: warning: parameter 'e' not found in the function
declaration [-Wdocumentation]
* @param e Location to store errors in, or NULL. Ignored for un...
^
./xcbext.h:271:11: note: did you mean 'error'?
* @param e Location to store errors in, or NULL. Ignored for un...
^
error
./xcbext.h:283:11: warning: parameter 'e' not found in the function
declaration [-Wdocumentation]
* @param e Location to store errors in, or NULL. Ignored for un...
^
./xcbext.h:283:11: note: did you mean 'error'?
* @param e Location to store errors in, or NULL. Ignored for un...
^
error
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Uli Schlachter <psychon@znc.in>
Makes style match the @param names in autogenerated headers and makes
clang -Wdocumentation stop complaining about all of them:
./xcb.h:523:11: warning: parameter 'display:' not found in the function
declaration [-Wdocumentation]
* @param display: A pointer to the display number.
^~~~~~~~
./xcb.h:523:11: note: did you mean 'display'?
* @param display: A pointer to the display number.
^~~~~~~~
display
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Uli Schlachter <psychon@znc.in>
Some systems (e.g. OpenBSD) have a rather small default socket send buffer
size of 4KB. The result is that sending requests with a largish payload
requires serveral writev(2) system calls. Make sure the socket send buffer
is at least 64KB such that we're likely to succeed with a single system
call for most requests. A similar change was made to the xtrans code
some time ago.
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Pads should not be serialized/deserialized to maintain
ABI compatibility when adding explicit align pads.
Therefore this pad switches off serialization of pads
unless it is enforced by serialize=true in the xml-definition
of that pad
Signed-off-by: Christian Linhart <chris@demorecorder.com>
If a list is preceded by an align-pad, then
accessor for the end-iterator returned a wrong
value.
Reason: the length of the align-iterator was added
to a pointer of list-member type. Therefore, the length
was multiplied by the size of the list-member type,
due to C pointer arithmetic rules.
This has looked like the following, e.g., in
xcb_randr_get_crtc_transform_pending_params_end:
i.data = ((xcb_render_fixed_t *) prev.data) + ((-prev.index) & (4 - 1)) + (R->pending_nparams);
This bug was introduced with the following commit:
http://cgit.freedesktop.org/xcb/libxcb/commit/?id=4033d39d4da21842bb1396a419dfc299591c3b1f
The fix handles this by casting to char* before adding the align,
and then casting the result to the member type.
Signed-off-by: Christian Linhart <chris@demorecorder.com>
instead of using the lower bits of the pointer address.
This fixes a bug reported by Peter Hutterer in off-list communication
back in June 2015.
This requires the alignment-checker patches in xcb/proto.
Signed-off-by: Christian Linhart <chris@demorecorder.com>
Handle align-pads when generating an end-function
in the same way as handling them when generating
an accessor or iterator function.
Signed-off-by: Christian Linhart <chris@demorecorder.com>
and make it disabled by default with an EXPERIMENTAL warning
reason: this feature is unfinished and we want to have flexibility for
ABI/API changes, while still being able to make a release soon
Signed-off-by: Christian Linhart <chris@demorecorder.com>
Consider the following:
- Two threads are calling xcb_wait_for_special_event() and xcb_wait_for_reply()
concurrently.
- The thread doing xcb_wait_for_reply() wins the race and poll()s the socket for
readability.
- The other thread will be put to sleep on the special_event_cond of the special
event (this is done in _xcb_conn_wait() via the argument
xcb_wait_for_special_event() gives it).
- The first thread gets its reply, but does not yet receive any special event.
In this case, the first thread will return to its caller. On its way out, it
will call _xcb_in_wake_up_next_reader(), but that function cannot wake up
anything since so far it did not handle xcb_wait_for_special_event().
Thus, the first thread stays blocked on the condition variable and no thread
tries to read from the socket.
A test case demonstrating this problem is available at the bug report.
Fix this similar to how we handle this with xcb_wait_for_reply():
The function wait_for_reply() adds an entry into a linked list of threads that
wait for a reply. Via this list, _xcb_in_wake_up_next_reader() can wake up this
thread so that it can call _xcb_conn_wait() again and then poll()s the socket.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=84252
Signed-off-by: Uli Schlachter <psychon@znc.in>
Tested-by: Michel Dänzer <michel.daenzer@amd.com>
Ilya Pominov
Demi Marie Obenour
Matthieu Herrb
Daniel G
Jeremy Huddleston Sequoia
Demi Marie Obenour
Mike Sharov
Hodong
Thomas Anderson
Ran Benita
Julien Cristau
Uli Schlachter
Povilas Kanapickas
Peter Harris
Alan Coopersmith
Eduardo Sánchez Muñoz
Sam Varshavchik
Martin Dørum
Jon Turney
Erik Kurzinger
Daniel Stone
David McFarland
Tobias Stoeckmann
Christian Linhart
Thomas Klausner
Mark Kettenis
Jaya Tiwari