Needed to build with IPv6 disabled using gcc 14 on some platforms to avoid:
In file included from /usr/X11/include/X11/Xtrans/transport.c:67,
from xstrans.c:17:
/usr/X11/include/X11/Xtrans/Xtranssock.c: In function ‘_XSERVTransSocketOpen’:
/usr/X11/include/X11/Xtrans/Xtranssock.c:467:28: error: passing argument 5
of ‘getsockopt’ from incompatible pointer type [-Wincompatible-pointer-types]
467 | (char *) &val, &len) == 0 && val < 64 * 1024)
| ^~~~
| |
| size_t * {aka long unsigned int *}
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1736>
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
CVE-2024-9632, ZDI-CAN-24756
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Tested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: José Expósito <jexposit@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1733>
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer event allocated with calloc(1, 16)
at line 470 of hw/xfree86/drivers/modesetting/present.c in
function 'ms_present_unflip'.
event allocated at line 431 with calloc(1, 16)
event leaks when ms_present_check_unflip(...) == 0 at line 438
and i >= config->num_crtc at line 445
Fixes: 13c7d53df ("modesetting: Implement page flipping support for Present.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Previously, it was looping through sizeof(ev->valuators.mask) * 8
valuators, where valuators.mask is defined as an array of
(MAX_VALUATORS + 7) / 8 entries. Since MAX_VALUATORS is defined as 36,
this made it actually loop through 40 entries. The last 4 bits in this
array should never be set, so we should never access memory outside the
bounds of the arrays defined to be exactly MAX_VALUATORS in length, but
we can make the static analyzer happier and not waste time checking bits
that should never be set.
Found by Oracle Parfait 13.3 static analyzer:
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 741 of dix/eventconvert.c in function 'eventToDeviceEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 808 of dix/eventconvert.c in function 'eventToRawEvent'.
Read outside array bounds [read-outside-array-bounds]:
In array dereference of ev->valuators.data_raw[i] with index i
Array size is 36 elements (of 8 bytes each), index >= 0 and index <= 39
at line 809 of dix/eventconvert.c in function 'eventToRawEvent'.
Fixes: b2ba77bac ("dix: add EventToXI2 and GetXI2Type.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3 static analyzer:
Buffer Overflow in STD C function [buffer-overflow-call-stdc]:
Buffer overflow in call to memcpy. Buffer &bev->buttons[4] of
size 24 is written at an offset of 28
Array size is 28 bytes, index is 32
at line 743 of dix/enterleave.c in function
'DeliverStateNotifyEvent'.
Fixes: a85f0d6b9 ("Xi: fix use of button->down - bitflags instead of int arrays.")
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer pVisual
at line 257 of dix/colormap.c in function 'CreateColormap'.
Null pointer introduced at line 412 of render/picture.c in
function 'PictureFindVisual'.
Constant 'NULL' passed into function CreateColormap, argument
pVisual, from call at line 431 in function
'PictureInitIndexedFormat'.
Function PictureFindVisual may return constant 'NULL' at
line 412, called at line 429.
Fixes: d4a101d4e ("Integration of DAMAGE-XFIXES branch to trunk")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
The comments in that function say "This only happens if master is a
slave device. don't do that" but static analysis doesn't respect that.
Found by Oracle Parfait 13.3:
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestptr
at line 274 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 273 of Xi/xichangehierarchy.c in function
'remove_master'.
Null pointer dereference [null-pointer-deref]:
Read from null pointer XTestkeybd
at line 279 of Xi/xichangehierarchy.c in function 'remove_master'.
Null pointer introduced at line 691 of Xext/xtest.c in function
'GetXTestDevice'.
Function GetXTestDevice may return constant 'NULL' at line 691,
called at line 278 of Xi/xichangehierarchy.c in function
'remove_master'.
Fixes: 0814f511d ("input: store the master device's ID in the devPrivate for XTest devices.")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
Found by Oracle Parfait 13.3 static analyzer:
Memory leak [memory-leak]:
Memory leak of pointer optname allocated with asprintf(&optname,
"\"%s\"", p->name)
at line 326 of hw/xfree86/common/xf86Configure.c in function
'configureDeviceSection'.
optname allocated at line 309 with asprintf(&optname, "\"%s\"",
p->name)
Fixes: code inherited from XFree86
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1730>
If the compiler knows of a better algorithm for counting the number of
bits set in a word for the target CPU, let it use that, instead of the
classic algorithm optimized for PDP-6.
Based on xorg/lib/libxext@490a25e6f8a4d2482af4364c700b68ad11a4d10b
v2: make old version static inline, stop exporting after !1695
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1674>
eglCreateSyncKHR takes ownership of the file descriptor. Noticed by
inspection.
While we're at it, move the fence_fd declaration to the scope where
it's used.
Last but not least, close the fd in xwl_glamor_wait_fence when bailing
before calling eglCreateSyncKHR, and document that it takes ownership.
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1712>
The comment at the top of the function tells humans the fallthroughs
are intentional, but gcc doesn't parse that.
Clears 3 -Wimplicit-fallthrough warnings from gcc 14.1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1716>
This function is doing the same like LogMessageVerb(), so no need to keep
around a duplicate implementation. Leaving it as a macro, until all callers,
also in drivers, have been migrated.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1679>
This function is doing the same like LogMessageVerb(), so no need to keep
around a duplicate implementation. Leaving it as a macro, until all callers,
also in drivers, have been migrated.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1679>
ProcRRGetScreenResources() vs. RRGetScreenResourcesCurrent() have different
semantics - this also must be followed in byte-swapped case.
Fixes: fc70839431 - Add server support for RRGetScreenResourcesCurrent
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1630>
This function is only called inside dri.c, not used by any drivers
(and wouldn't make sense to do so), so no need to keep it exported.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1713>
Xwin's DestroyPixmap proc just free()s the PixmapRec directly, w/o catering
for devPrivate's, so leaving a memleak. The correct DIX function for this
is FreePixmap().
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1710>
Since we're only going through macros (that are calling these), this extra
wrapper function isn't needed at all - using LogMessageVerb() directly.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1689>
These aren't used by any modules/drivers, so no need to keep them exported.
Also drop the return value, which isn't used by any caller.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1687>
It's nothing but a wrapper, doing the same as LogMessageVerb(X_NONE, ...),
and no external module / driver needs it, so can be easily optimized away.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1683>
MingW also provides localtime_r(), but needs _POSIX_THREAD_SAFE_FUNCTIONS
symbol before including anything, in order for the prototype being defined.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1685>
These code pieces have been commented out since their introduction back
almost two decades ago, so probably no need for them anymore.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1603>
This macro doesn't do anything more than just making the function declarations
a few bytes smaller, but this makes the code harder to read (eg. when just
grepping through the code base).
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1609>
The only consumer seems to be one BSD specific file, the few drivers using
the *_iopl seem to include it on their own. Thus, no need to keep it in
public headers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1420>
These only had been used by xf86-video-chips, but meanwhile this
defines them on it's own, so we can drop them from here now.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1420>
fix warning on unused variable:
> ../xkb/xkb.c:3576:18: warning: variable 'extDevReason' set but not used [-Wunused-but-set-variable]
> unsigned int extDevReason;
^
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1426>
On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../xkb/xkbtext.c:32:
../xkb/xkbtext.c: In function ‘XkbAtomText’:
../xkb/xkbtext.c:94:44: warning: array subscript has type ‘char’ [-Wchar-subscripts]
94 | if ((tmp == rtrn) && (!isalpha(*tmp)))
| ^
../xkb/xkbtext.c:96:31: warning: array subscript has type ‘char’ [-Wchar-subscripts]
96 | else if (!isalnum(*tmp))
| ^
../xkb/xkbtext.c: In function ‘XkbIMWhichStateMaskText’:
../xkb/xkbtext.c:470:43: warning: array subscript has type ‘char’ [-Wchar-subscripts]
470 | buf[len + 9] = toupper(buf[len + 9]);
| ^
../xkb/xkbtext.c: In function ‘XkbControlsMaskText’:
../xkb/xkbtext.c:532:43: warning: array subscript has type ‘char’ [-Wchar-subscripts]
532 | buf[len + 3] = toupper(buf[len + 3]);
| ^
../xkb/xkbtext.c: In function ‘XkbStringText’:
../xkb/xkbtext.c:563:22: warning: array subscript has type ‘char’ [-Wchar-subscripts]
563 | if (!isprint(*in)) {
| ^
../xkb/xkbtext.c:584:21: warning: array subscript has type ‘char’ [-Wchar-subscripts]
584 | if (isprint(*in))
| ^
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1455>
On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../include/misc.h:174,
from ../os/utils.c:75:
../os/utils.c: In function ‘VerifyDisplayName’:
../os/utils.c:624:23: warning: array subscript has type ‘char’ [-Wchar-subscripts]
624 | if (!isdigit(d[i])) {
| ^
../os/utils.c: In function ‘ProcessCommandLine’:
../os/utils.c:942:44: warning: array subscript has type ‘char’ [-Wchar-subscripts]
942 | if ((i + 1 < argc) && (isdigit(*argv[i + 1])))
| ^
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1455>
On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../include/misc.h:174,
from ../os/access.c:96:
../os/access.c: In function ‘ResetHosts’:
../os/access.c:981:49: warning: array subscript has type ‘char’ [-Wchar-subscripts]
981 | lhostname[i] = tolower(ohostname[i]);
| ^
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1455>
On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../hw/xfree86/common/xf86pciBus.c:35:
../hw/xfree86/common/xf86pciBus.c: In function ‘xf86ParsePciBusString’:
../hw/xfree86/common/xf86pciBus.c:286:27: warning: array subscript has type ‘char’ [-Wchar-subscripts]
286 | if (!isdigit(d[i])) {
| ^
../hw/xfree86/common/xf86pciBus.c:293:23: warning: array subscript has type ‘char’ [-Wchar-subscripts]
293 | if (!isdigit(p[i])) {
| ^
../hw/xfree86/common/xf86pciBus.c:307:23: warning: array subscript has type ‘char’ [-Wchar-subscripts]
307 | if (!isdigit(p[i])) {
| ^
../hw/xfree86/common/xf86pciBus.c:320:23: warning: array subscript has type ‘char’ [-Wchar-subscripts]
320 | if (!isdigit(p[i])) {
| ^
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1455>
On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../hw/xfree86/common/xf86Option.c:39:
../hw/xfree86/common/xf86Option.c: In function ‘xf86NormalizeName’:
../hw/xfree86/common/xf86Option.c:915:25: warning: array subscript has type ‘char’ [-Wchar-subscripts]
915 | if (isupper(*p))
| ^
../hw/xfree86/common/xf86Option.c:916:32: warning: array subscript has type ‘char’ [-Wchar-subscripts]
916 | *q++ = tolower(*p);
| ^
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1455>
On NetBSD gives warning:
In file included from /usr/include/ctype.h:100,
from ../hw/xfree86/common/xf86Bus.c:36:
../hw/xfree86/common/xf86Bus.c: In function ‘StringToBusType’:
../hw/xfree86/common/xf86Bus.c:270:22: warning: array subscript has type ‘char’ [-Wchar-subscripts]
270 | if (isdigit(busID[0])) {
| ^
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1455>
* unexport functions from dixgrab.h, that aren't used by any driver/module.
* add paremeter names to prototypes
* add doxygen-style documentation for all the prototypes
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Alan Coopersmith
Michel Dänzer
Matthieu Herrb
Enrico Weigelt, metux IT consult
YaoBing Xiao
Tj