Any pad bytes in replies are written to the client from a zeroed
array. However, record extension tries to incorrectly access the pad
bytes from the end of reply data.
Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Also, fix whitespace, mainly around
swaps(&rep.sequenceNumber)
Reviewed-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Since RecordDeleteContext frees its argument, don't fall through to free
it again.
Error: Double free (CWE 415)
Double free of pointer 'malloc(1072)' defined by malloc
at line 1964 of record/record.c in function 'ProcRecordCreateContext'.
Previously freed at line 1960 with RecordDeleteContext.
'malloc(1072)' was allocated at line 1926 with malloc.
[ This bug was found by the Parfait 0.3.7 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
record.c:810:9: warning: unused variable 'count'
Scope-shadowed by a later variable of the same name, safe to just
delete.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
RecordFlushReplyBuffer can call itself recursively through
WriteClient->CallCallbacks->_CallCallbacks->RecordFlushAllContexts
when the recording client's buffer cannot be completely emptied in one
WriteClient. When a such a recursion occurs, it will not be broken out
of which results in segmentation fault when the stack is exhausted.
This patch adds a counter (a flag, really) that guards against this
situation, to break out of the recursion.
One alternative to this change would be to change _CallCallbacks to
check the corresponding counter before the callback loop, but that
might affect existing behavior, which may be relied upon.
Reviewed-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi>
Signed-off-by: Keith Packard <keithp@keithp.com>
Some event types (notably Expose and GraphicsExpose) require multiple
events, a la XI 1.x. Bring the EventToCore API in line with EventToXI's
and allow it to generate multiple events.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Execute the following steps to reproduce the issue.
1. Run at least two recording clients simultaneously.
$ cnee --record --request-range 1-127 &
$ cnee --record --request-range 1-127 &
2. Kill the recording clients.
$ killall cnee
3. Give X server something to do so that the clients are closed.
$ xinput list
$ xinput list
As a result RecordUninstallHooks accesses NullClient, because
RecordAClientStateChange doesn't clean the recording clients up
properly.
Fix RecordUninstallHooks to fail locally on an assertion instead of
much later in privates code, if NullClient is still accessed because
of some other bug. Fix RecordAClientStateChange to iterate through all
contexts so that modifications of the iterated array during iteration
don't cause contexts to be skipped.
Signed-off-by: Rami Ylimäki <ext-rami.ylimaki@nokia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Running the following command causes an assertion to fail:
cnee --record --request-range 1-127
3 in dixGetPrivateAddr at ../../include/privates.h:122
4 in dixGetPrivate at ../../include/privates.h:137
5 in dixLookupPrivate at ../../include/privates.h:167
6 in RecordInstallHooks at ../../record/record.c:911
7 in ProcRecordEnableContext at ../../record/record.c:2377
8 in ProcRecordDispatch at ../../record/record.c:2571
9 in Dispatch at ../../dix/dispatch.c:432
10 in main at ../../dix/main.c:289
Signed-off-by: Rami Ylimäki <ext-rami.ylimaki@nokia.com>
Reviewed-by: Oliver McFadden <oliver.mcfadden@nokia.com>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
No functional change, since free doesn't change the value of the pointer
passed to it, but it makes this code less confusing.
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Signed-off-by: Matt Turner <mattst88@gmail.com>
This patch has been generated by the following Coccinelle semantic patch:
@@
expression E;
@@
-if(E) { free(E); }
+free(E);
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Fernando Carrijo <fcarrijo@yahoo.com.br>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Marcin Baczyński <marbacz@gmail.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
This patch only changes the API, not the implementation of the
devPrivates infrastructure. This will permit a new devPrivates
implementation to be layed into the server without requiring
simultaneous changes in every devPrivates user.
Signed-off-by: Keith Packard <keithp@keithp.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Many references to the dixScreenOrigins array already had the
corresponding screen pointer handy, which meant they usually looked like
"dixScreenOrigins[pScreen->myNum]". Adding a field to ScreenRec instead
of keeping this information in a parallel array simplifies those
expressions, and eliminates a MAXSCREENS-sized array.
Since dix declared the dixScreenOrigins array, I figure allocating a
screen private for these values is overkill.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Tested-by: Tiago Vignatti <tiago.vignatti@nokia.com> (i686 GNU/Linux)
Just let Dispatch() check for a noClientException, rather than making
every single dispatch procedure take care of it.
Signed-off-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
RECORD was disabled during the switch to internal events. This patch
modifies the record callback to work with internal events instead of
xEvents. The InternalEvents are converted to core/Xi events as needed.
Since record is a loadable extension, the EventTo* calls must be externed.
Signed-off-by: Chris Dekter <cdekter@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Convert all calls of CreateNewResourceType to pass name argument
Breaks DIX ABI.
ABI versions bumped:
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Calls RegisterResourceName to record the type name for
use by X-Resource, XACE/SELinux/XTsol, and DTrace.
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
include/protocol-versions.h specifies each extension version as supported by
the server and sent back on the wire to the client.
This fixes up several issues with the server potentially reporting a higher
version of the protocol if recompiled against a newer version of the
protocol.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Rémi Cardona <remi@gentoo.org>
Acked-by: Julien Cristau <jcristau@debian.org>
warning: passing argument 4 of ‘RecordAProtocolElement’ discards qualifiers
from pointer target type
note: expected ‘pointer’ but argument is of type ‘const void *’
record.c:2745: warning: passing argument 1 of ‘SwapConnSetupInfo’ from
incompatible pointer type
../include/swaprep.h:243: note: expected ‘char *’ but argument is of type
‘struct xConnSetup *’
record.c:2745: warning: passing argument 1 of ‘SwapConnSetupInfo’ from
incompatible pointer type
../include/swaprep.h:243: note: expected ‘char *’ but argument is of type
‘struct xConnSetup *’
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
The RECORD extension is currently broken. By ifdef'ing out the content of
RecordExtensionInit the extension isn't added to the server's internal list
and it does not get advertised to the client. Clients can thus fail
gracefully with a "extension not supported" instead of waiting forever for
events that never arrive.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
A grep on xorg/* revealed there's no consumer of this define.
Quote Alan Coopersmith:
"The consumer was in past versions of the headers now located
in proto/x11proto - for instance, in X11R6.0's xc/include/Xproto.h,
all the event definitions were only available if NEED_EVENTS were
defined, and all the reply definitions required NEED_REPLIES.
Looks like Xproto.h dropped them by X11R6.3, which didn't have
the #ifdef's anymore, so these are truly ancient now."
Signed-off-by: Peter Hutterer <peter.hutterer@redhat.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
over to new system.
Need to update documentation and address some remaining vestiges of
old system such as CursorRec structure, fb "offman" structure, and
FontRec privates.
Add XSERV_t, TRANS_SERVER, TRANS_REOPEN to quash warnings.
Add #include <dix-config.h> or <xorg-config.h>, as appropriate, to all
source files in the xserver/xorg tree, predicated on defines of
HAVE_{DIX,XORG}_CONFIG_H. Change all Xfont includes to
<X11/fonts/foo.h>.
change "foo.h" to <X11/foo.h> for core headers, e.g. X.h, Xpoll.h;
change "foo.h", "extensions/foo.h" and "X11/foo.h" to
<X11/extensions/foo.h> for extension headers, e.g. Xv.h;
change "foo.[ch]" to <X11/Xtrans/foo.[ch]> for Xtrans files.
Rami Ylimäki
Matt Turner
Alan Coopersmith
Keith Packard
Adam Jackson
Erkki Seppälä
Daniel Stone
Rami Ylimäki
Mikhail Gusarov
Jamey Sharp
Chris Dekter
Alan Coopersmith
Peter Hutterer
Eamon Walsh
Peter Hutterer
Tomas Carnecky
Matthieu Herrb
Peter Hutterer
Adam Jackson
Adam Jackson
Eric Anholt
Egbert Eich