Make it possible to call FreeGC() w/o prior NULL checks.
In case of NULL, BadMatch is returned.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Adding a little bit more logging to the startup process, eg. telling
when outputs or inputs have been initialized. Serving as a little aid for
debugging driver problems.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Even though it might never be actually hit, it's better to have an
(really cheap) extra check, just in case.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Even though it probably won't be hit ever, it's still better to be
really sure instead of some remote chance for hard segfault.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
As safety precaution, clear the pointers to extion records that just
have been free()ed.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The checking / branchin isn't entirely trivial to understand, and the
analyzer also gets confused. So rewrite it in an simpler way that's
easier to understand both the human reader as well as the analyzer.
(and so get rid of yet another false alarm)
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
For type-safety turn xfreeData() macro into an inline function.
Also adding some checks against accidentially free()'ing global data.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The analyzer giving a false alarm on potential NULL-pointer deref here.
Even though that case can't happen, it's also not immediately clear
to the human reader.
To make both the analyzer as well human reader happier, reformulating
this function to by using fast-return pattern.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The analyzer is wrong here, because the free'd closure pointer really points
to some calloc()'d chunk, instead of the PolyText()'s stack frame.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
It's safer not relying on all ScreenProc's actually filled.
../dix/events.c: In function ‘CheckPhysLimits’:
../dix/events.c:780:14: warning: dereference of NULL ‘pScreen’ [CWE-476] [-Wanalyzer-null-dereference]
780 | (*pScreen->SetCursorPosition)
| ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The pointer to the window properties is currently inside the WindowOptional
structure, which may or may not exist at any given time. Thus, before accessing
those fields, at least need to check whether it exists, potentially need to
create it first.
Since a pointer is small (in relation to WindowRec) and windows having properties
is a pretty common, we can make our life much simpler here by moving the pointer
directly into WindowRec, so we don't need extra WindowOptionalRec allocation.
This also fixes an analyzer warning on potential NULL dereference issue:
| ../dix/property.c: In function ‘dixChangeWindowProperty’:
|../dix/property.c:343:37: warning: dereference of NULL ‘*pWin.optional’ [CWE-476] [-Wanalyzer-null-dereference]
| 343 | pProp->next = pWin->optional->userProps;
| | ~~~~~~~~~~~~~~^~~~~~~~~~~
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
There's a (theoretical) chance that origGC might be NULL, so better
be cautious and check for this - doesn't cost us much, probably just
another JZ instruction.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any drivers, and subject to upcoming changes, so no need
to keep them exported.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
FOR_NSCREENS() is just alias for FOR_NSCREENS_BACKWARD(). In many cases
it really matters that we're going backwards and the last iteration visited
the screen #0, and that one is panoramix-wrapped.
Thus directly calling FOR_NSCREENS_BACKWARD() here and dropping the alias.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any exteral drivers (and really should not be used by them),
so can be replaced by more fitting error messages.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any drivers, so no need to keep it exported.
It's also so simple (and rarely called) that easily can be inlined.
Also unexport HWEventQueueType and HWEventQueuePtr, since they're
not used by any drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Just an internal resource destructor, not used by any external
drivers, so no need to keep it exported.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
* not needed by any drivers, so no need to keep it exported
* correct return type is `enum EventDeliveryState`
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any drivers, so no need to keep it exported.
Also spending it for a better fitter name.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any drivers, so no need to keep it exported.
Also spending it for a better fitter name.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any external drivers, so no need to keep it exported.
Also using XRetCode and marking paremters where NULL isn't allowed.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
* not used by any drivers, so no need to keep it exported
* fix parameter types to matching the protocol types
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
* not used by any drivers, so no need to keep it exported
* fix parameter types to matching the protocol types
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any external drivers, so no need to keep it exported.
Also renamed to dixClientSignal(), since there's a conflicting prototype
in fontsproto.h.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
The include has become empty now. Not used by any external drivers,
so it can be dropped now.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any external drivers, and not supposed to be used by them,
so no need to keep it exported.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any external drivers, and not supposed to be used by them,
so no need to keep it in public API.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Callers are only interested in whether event was actually sent
(retval==1) or not, so Bool is sufficient and easier.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Callers are only interesed in whether event was actually sent
(retval==1) or not, so Bool is suffient and easier.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
It's always called with just a single event, so no need for the count
parameter. Also renaming it in order to better fit it's new semantics.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Not used by any external drivers, and only supposed to be DIX internal,
so shouldn't be exported at all.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
* not used by any external drivers, so no need to keep it exported
* choose better fitting name: InputDevGetSpriteCursor()
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Request handlers aren't supposed to be called by external drivers directly,
so no need to keep them in the public SDK API.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This fixes a crash when we try to send focus events and dereference
FollowKeyboardWin (0x3) as WindowPtr.
A device set to XSetDeviceFocus(FollowKeyboard) is supposed to follow
the focus of the corresponding master device. During ActivateKeyboard
a slave device is detached from the master for the duration for the grab
so we don't actually have a master to follow - leaving our oldWin set to
the FollowKeyboardWin constant. This later crashes when we try to
dereference it.
Fix this by getting the current master (if any), or the saved master (if
temporarily detached due to a grab). And if failing that, use the VCK
as fallback device - that is technically wrong but it's such a niche use
case that it shouldn't matter.
Reproducer:
window = XCreateSimpleWindow(...)
deviceid = any device that is IsXExtensionKeyboard device
XSetDeviceFocus(deviceid, FollowKeyboard, ...)
XGrabDevice(deviceid, window, ...)
Fixes: f01ee198ff ("dix: don't use inputInfo.keyboard to get the focus window in ActivateKbdGrab")
Found-by: Olivier Fourdan <ofourdan@redhat.com>
Acked-by: Olivier Fourdan <ofourdan@redhat.com>
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1870>
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed.
As a result, replaying the events will cause a use after free.
To avoid the issue, make sure to dequeue and free any pending events on
a frozen device when removed.
CVE-2025-26600, ZDI-CAN-25871
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
CreateCursor returns a cursor with refcount 1 - that refcount is used by
the resource system, any caller needs to call RefCursor to get their own
reference. That happens correctly for normal cursors but for our
rootCursor we keep a variable to the cursor despite not having a ref for
ourselves.
Fix this by reffing/unreffing the rootCursor to ensure our pointer is
valid.
Related to CVE-2025-26594, ZDI-CAN-25544
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
If a cursor reference count drops to 0, the cursor is freed.
The root cursor however is referenced with a specific global variable,
and when the root cursor is freed, the global variable may still point
to freed memory.
Make sure to prevent the rootCursor from being explicitly freed by a
client.
CVE-2025-26594, ZDI-CAN-25544
This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
v2: Explicitly forbid XFreeCursor() on the root cursor (Peter Hutterer
<peter.hutterer@who-t.net>)
v3: Return BadCursor instead of BadValue (Michel Dänzer
<michel@daenzer.net>)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1828>
Only used at exactly one place, for trivial size computation, so not worth
having an extra macro in a public header for this.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1805>
Xrdp needs to know the current display name (for setting up it's
own server sockets accordingly). Instead of exporting an internal
field, adding a little getter for this.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1783>
Since LogVMessageVerb() is now signal safe, we can use this one instead.
Leaving VErrorF() macro for backwards compat with drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1691>
Since ErrorF() is now signal safe, we can use this one instead.
Leaving ErrorFSigSafe() macro for backwards compat with drivers.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1691>
Make dixDestroyPixmap() check for NULL pointer, so callers don't need to
do it anymore. Returning TRUE on NULL pointer - but most callers won't
even look at the retval anyways.
Together with subsequent commits, which will make use of that function,
instead of calling raw ScreenRec->DestroyPixmap vectors, this gives us some
more freedom for architectural changes, eg. get rid of the extremely
complicated and fragile wrapping chains.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1709>
The request struct's length fields aren't used anymore - we have the
client->req_len field instead, which also is bigreq-compatible.
Also dropping now obsolete SProcNoOperation().
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
Enrico Weigelt, metux IT consult
Alan Coopersmith
Peter Hutterer
Olivier Fourdan