Instead of complex wrap/unwrap trickery in the error path, just protect
the DestroyPixmap() handlers from half-initialized state.
This not just makes the code flow simpler and easier to understand, but
also clears the road for decoupling the extension specific pixmap destructor
logic from the ScreenRec proc vectors (*1).
*1) see: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1755
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() blocks cleaning up the wrapping
jungle, so use the proper dix function instead.
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Direct calls to ScreenRec->DestroyPixmap() is fragile and blocks cleaning up
the wrapping jungle, so use the proper dix function instead.
While this function originally wasn't made for that purpose (and so we have an
useless parameter here, and the naming isn't entirely correct), it's the best
effort we have right now, without breaking existing API: it's already exported
since long time, so drivers can be easily converted and still work with both
new and older Xserver ABI versions.
Retrospectively, this already should have been done 20 years ago.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Make dixDestroyPixmap() check for NULL pointer, so callers don't need to
do it anymore. Returning TRUE on NULL pointer - but most callers won't
even look at the retval anyways.
Together with subsequent commits, which will make use of that function,
instead of calling raw ScreenRec->DestroyPixmap vectors, this gives us some
more freedom for architectural changes, eg. get rid of the extremely
complicated and fragile wrapping chains.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Right now, we're assuming that even when deep nesting involved, the proc
vector is always set to a valid function. One the one hand it requires
extra dummy procs in some cases, OTOH it's making upcoming refactoring
of the code flow unnecessarily complex.
The big plot (of subsequent commits) is splitting out the extension's
(and possibly subsystem's) special logic out of the wrapping chain and
let them be executed independently from the DDX/drivers - when applicable
even only when the pixmap is really destroyed (not just unref'ed).
(At some later point, it might even become be actually a valid situation
that DestroyPixmap vector really being NULL.)
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1754
See: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1755
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Needed to build with IPv6 disabled using gcc 14 on some platforms to avoid:
In file included from /usr/X11/include/X11/Xtrans/transport.c:67,
from xstrans.c:17:
/usr/X11/include/X11/Xtrans/Xtranssock.c: In function ‘_XSERVTransSocketOpen’:
/usr/X11/include/X11/Xtrans/Xtranssock.c:467:28: error: passing argument 5
of ‘getsockopt’ from incompatible pointer type [-Wincompatible-pointer-types]
467 | (char *) &val, &len) == 0 && val < 64 * 1024)
| ^~~~
| |
| size_t * {aka long unsigned int *}
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1736>
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
CVE-2024-9632, ZDI-CAN-24756
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer event allocated with calloc(1, 16)
at line 470 of hw/xfree86/drivers/modesetting/present.c in
function 'ms_present_unflip'.
event allocated at line 431 with calloc(1, 16)
event leaks when ms_present_check_unflip(...) == 0 at line 438
and i >= config->num_crtc at line 445
Fixes: 13c7d53df ("modesetting: Implement page flipping support for Present.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries. The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.
Found by Oracle Parfait 13.3 static analyzer:
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data_raw[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.
Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3 static analyzer:
Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
size 24 is written at an offset of 28
Array size is 28 bytes, index is 32
at line 743 of dix/enterleave.c in function
'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer pVisual
at line 257 of dix/colormap.c in function 'CreateColormap'.
Null pointer introduced at line 412 of render/picture.c in
function 'PictureFindVisual'.
Constant 'NULL' passed into function CreateColormap, argument
pVisual, from call at line 431 in function
'PictureInitIndexedFormat'.
Function PictureFindVisual may return constant 'NULL' at
line 412, called at line 429.
Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
The comments in that function say "This only happens if master is a
slave device. don't do that" but static analysis doesn't respect that.
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestptr
at line 274 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 273 of Xi/xichangehierarchy.c in function
'remove_master'.
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestkeybd
at line 279 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 278 of Xi/xichangehierarchy.c in function
'remove_master'.
Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer optname allocated with asprintf(&optname,
"\"%s\"", p->name)
at line 326 of hw/xfree86/common/xf86Configure.c in function
'configureDeviceSection'.
optname allocated at line 309 with asprintf(&optname, "\"%s\"",
p->name)
Fixes: code inherited from XFree86
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
If the compiler knows of a better algorithm for counting the number of
bits set in a word for the target CPU, let it use that, instead of the
classic algorithm optimized for PDP-6.
Based on xorg/lib/libxext@490a25e6f8a4d2482af4364c700b68ad11a4d10b
v2: make old version static inline, stop exporting after !1695
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1674>
eglCreateSyncKHR takes ownership of the file descriptor. Noticed by
inspection.
While we're at it, move the fence_fd declaration to the scope where
it's used.
Last but not least, close the fd in xwl_glamor_wait_fence when bailing
before calling eglCreateSyncKHR, and document that it takes ownership.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1712>
The comment at the top of the function tells humans the fallthroughs
are intentional, but gcc doesn't parse that.
Clears 3 -Wimplicit-fallthrough warnings from gcc 14.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1716>
This function is doing the same like LogMessageVerb(), so no need to keep
around a duplicate implementation. Leaving it as a macro, until all callers,
also in drivers, have been migrated.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1679>
This function is doing the same like LogMessageVerb(), so no need to keep
around a duplicate implementation. Leaving it as a macro, until all callers,
also in drivers, have been migrated.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1679>
ProcRRGetScreenResources() vs. RRGetScreenResourcesCurrent() have different
semantics - this also must be followed in byte-swapped case.
Fixes: fc70839431 - Add server support for RRGetScreenResourcesCurrent
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1630>
This function is only called inside dri.c, not used by any drivers
(and wouldn't make sense to do so), so no need to keep it exported.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1713>
Xwin's DestroyPixmap proc just free()s the PixmapRec directly, w/o catering
for devPrivate's, so leaving a memleak. The correct DIX function for this
is FreePixmap().
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1710>
Since we're only going through macros (that are calling these), this extra
wrapper function isn't needed at all - using LogMessageVerb() directly.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1689>
These aren't used by any modules/drivers, so no need to keep them exported.
Also drop the return value, which isn't used by any caller.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1687>
It's nothing but a wrapper, doing the same as LogMessageVerb(X_NONE, ...),
and no external module / driver needs it, so can be easily optimized away.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1683>
Enrico Weigelt, metux IT consult
Alan Coopersmith
Michel Dänzer
Matthieu Herrb
YaoBing Xiao
Tj