debian/changelog | 19 +++
debian/patches/210_pixman_null_ptr_check.patch | 25 ++++
debian/patches/211_glx_fix_bindtextimageext_length_check.patch | 56 ++++++++++
debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch | 26 ++++
debian/patches/series | 3
5 files changed, 127 insertions(+), 2 deletions(-)
New commits:
commit ec2ca4e565e0b1385fdd03586f5dcc2aedf23a9f
Author: Bryce Harrington <br...@canonical.com>
Date: Mon Feb 14 12:19:18 2011 -0800
* Add 211_glx_fix_bindtextimageext_length_check.patch, 212_fix_request_length_check_for_createglxpbuffersgix.patch: - Correct wrong request size match for xGLXCreateGLXPbufferSGIXReq. This can result in some invalid BadLength errors. (LP: #714280)
diff --git a/debian/changelog b/debian/changelog
index 7d23055..09158b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu4) natty; urgency=low
+
+ * Add 211_glx_fix_bindtextimageext_length_check.patch,
+ 212_fix_request_length_check_for_createglxpbuffersgix.patch:
+ - Correct wrong request size match for xGLXCreateGLXPbufferSGIXReq.
+ This can result in some invalid BadLength errors.
+ (LP: #714280)
+
+ -- Bryce Harrington <br...@ubuntu.com> Mon, 14 Feb 2011 12:07:45 -0800
+
 xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low
 
 * Restore 208_switch_on_release.diff - the patch does not appear to be
@@ -7,7 +17,7 @@ xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low
 return NULL under a variety of circumstances, thus needs checked
 before dereferencing it in the pixman_image_set_has_client_clip()
 call.
- (LP: #705078)
+ (LP: #705078, deb: 596155, fdo: 28882)
 
 -- Bryce Harrington <br...@ubuntu.com> Thu, 03 Feb 2011 22:42:52 -0800
 
diff --git a/debian/patches/211_glx_fix_bindtextimageext_length_check.patch b/debian/patches/211_glx_fix_bindtextimageext_length_check.patch
new file mode 100644
index 0000000..114c0f7
--- /dev/null
+++ b/debian/patches/211_glx_fix_bindtextimageext_length_check.patch
@@ -0,0 +1,56 @@
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 0b375c3..5d633df 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -1697,13 +1697,21 @@ int __glXDisp_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
+ GLXDrawable drawId;
+ int buffer;
+ int error;
++ CARD32 num_attribs;
+ 
+- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
++ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
++ return BadLength;
+ 
+ pc += __GLX_VENDPRIV_HDR_SIZE;
+ 
+ drawId = *((CARD32 *) (pc));
+ buffer = *((INT32 *) (pc + 4));
++ num_attribs = *((CARD32 *) (pc + 8));
++ if (num_attribs > (UINT32_MAX >> 3)) {
++ client->errorValue = num_attribs;
++ return BadValue;
++ }
++ REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3));
+ 
+ if (buffer != GLX_FRONT_LEFT_EXT)
+ return __glXError(GLXBadPixmap);
+diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
+index 9d96c9d..d58de62 100644
+--- a/glx/glxcmdsswap.c
++++ b/glx/glxcmdsswap.c
+@@ -648,19 +648,23 @@ int __glXDispSwap_BindTexImageEXT(__GLXclientState *cl, GLbyte *pc)
+ xGLXVendorPrivateReq *req = (xGLXVendorPrivateReq *) pc;
+ GLXDrawable *drawId;
+ int *buffer;
++ CARD32 *num_attribs;
+ __GLX_DECLARE_SWAP_VARIABLES;
+ 
+- REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 8);
++ if ((sizeof(xGLXVendorPrivateReq) + 12) >> 2 > client->req_len)
++ return BadLength;
+ 
+ pc += __GLX_VENDPRIV_HDR_SIZE;
+ 
+ drawId = ((GLXDrawable *) (pc));
+ buffer = ((int *) (pc + 4));
++ num_attribs = ((CARD32 *) (pc + 8));
+ 
+ __GLX_SWAP_SHORT(&req->length);
+ __GLX_SWAP_INT(&req->contextTag);
+ __GLX_SWAP_INT(drawId);
+ __GLX_SWAP_INT(buffer);
++ __GLX_SWAP_INT(num_attribs);
+ 
+ return __glXDisp_BindTexImageEXT(cl, (GLbyte *)pc);
+ }
diff --git a/debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch b/debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch
new file mode 100644
index 0000000..a8833d9
--- /dev/null
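Review bot: The overflow guard on `num_attribs` in the new `__glXDisp_BindTexImageEXT` lines is one value too permissive: at `num_attribs == UINT32_MAX >> 3` the shifted value is 0xFFFFFFF8, and the `12 +` in `REQUEST_FIXED_SIZE(xGLXVendorPrivateReq, 12 + (num_attribs << 3))` wraps in 32-bit unsigned arithmetic to 4, so the length check is evaluated against a tiny size instead of rejecting the request. Bounding the shift together with the 12 header bytes closes that: `if (num_attribs > ((UINT32_MAX - 12) >> 3)) {`. Within the hunk `num_attribs` is not read after the check, so the visible effect is only a wrong accept/reject decision, but the rest of `__glXDisp_BindTexImageEXT` lies outside the hunk and should be confirmed. Separately, the context lines of `__glXDispSwap_BindTexImageEXT` show `pc` already advanced by `__GLX_VENDPRIV_HDR_SIZE` when it is passed to `__glXDisp_BindTexImageEXT`, which advances it again; that looks pre-existing, but it would place the new `num_attribs` read at the wrong offset for byte-swapped clients and is worth checking while this code is being touched.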
+++ b/debian/patches/212_fix_request_length_check_for_createglxpbuffersgix.patch
@@ -0,0 +1,26 @@
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index 3ef567d..0b375c3 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -1436,7 +1436,7 @@ int __glXDisp_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
+ ClientPtr client = cl->client;
+ xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
+ 
+- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
++ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
+ 
+ return DoCreatePbuffer(cl->client, req->screen, req->fbconfig,
+ req->width, req->height, req->pbuffer);
+diff --git a/glx/glxcmdsswap.c b/glx/glxcmdsswap.c
+index 3bb4cad..9d96c9d 100644
+--- a/glx/glxcmdsswap.c
++++ b/glx/glxcmdsswap.c
+@@ -421,7 +421,7 @@ int __glXDispSwap_CreateGLXPbufferSGIX(__GLXclientState *cl, GLbyte *pc)
+ xGLXCreateGLXPbufferSGIXReq *req = (xGLXCreateGLXPbufferSGIXReq *) pc;
+ __GLX_DECLARE_SWAP_VARIABLES;
+ 
+- REQUEST_SIZE_MATCH(xGLXCreateGLXPbufferSGIXReq);
++ REQUEST_AT_LEAST_SIZE(xGLXCreateGLXPbufferSGIXReq);
+ 
+ __GLX_SWAP_INT(&req->screen);
+ __GLX_SWAP_INT(&req->fbconfig);
diff --git a/debian/patches/series b/debian/patches/series
index 760d1a7..ba03507 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,5 @@
 208_switch_on_release.diff
 209_add_legacy_bgnone_option.patch
 210_pixman_null_ptr_check.patch
+211_glx_fix_bindtextimageext_length_check.patch
+212_fix_request_length_check_for_createglxpbuffersgix.patch
commit 8243aa67ddddd1f5840247a87d9b758708af691e
Author: Bryce Harrington <br...@canonical.com>
Date: Thu Feb 3 22:48:40 2011 -0800
Add 210_pixman_null_ptr_check.patch: pixman_image_create_bits() can return NULL under a variety of circumstances, thus needs checked before dereferencing it in the pixman_image_set_has_client_clip() call. (LP: #705078)
diff --git a/debian/changelog b/debian/changelog
index 77d1b6d..7d23055 100644
--- a/debian/changelog
+++ b/debian/changelog
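Review bot: The switch from `REQUEST_SIZE_MATCH` to `REQUEST_AT_LEAST_SIZE` in both `__glXDisp_CreateGLXPbufferSGIX` and `__glXDispSwap_CreateGLXPbufferSGIX` loosens a request-length check without recording why trailing bytes are now acceptable. Presumably the request may be followed by an attribute list after the fixed `xGLXCreateGLXPbufferSGIXReq` fields that `DoCreatePbuffer` does not consume, but neither the hunk nor the patch header says so. A one-line comment above each changed check would stop the next reader from tightening it back, e.g. `/* the fixed fields may be followed by attribs we do not parse; only bound the fixed part */`. The changelog entry attributes the spurious BadLength errors to LP: #714280, so the comment should cite that as the evidence. Both functions continue outside the hunk.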
@@ -1,10 +1,15 @@
-xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu2) UNRELEASED; urgency=low
+xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu3) natty; urgency=low
 
 * Restore 208_switch_on_release.diff - the patch does not appear to be
 upstream actually. Users confirm the fix regressed without it.
 (LP: #711842)
+ * Add 210_pixman_null_ptr_check.patch: pixman_image_create_bits() can
+ return NULL under a variety of circumstances, thus needs checked
+ before dereferencing it in the pixman_image_set_has_client_clip()
+ call.
+ (LP: #705078)
 
- -- Bryce Harrington <br...@ubuntu.com> Wed, 02 Feb 2011 09:39:54 -0800
+ -- Bryce Harrington <br...@ubuntu.com> Thu, 03 Feb 2011 22:42:52 -0800
 
 xorg-server (2:1.9.99.901+git20110131.be3be758-0ubuntu1) natty; urgency=low
 
diff --git a/debian/patches/210_pixman_null_ptr_check.patch b/debian/patches/210_pixman_null_ptr_check.patch
new file mode 100644
index 0000000..9123bc7
--- /dev/null
+++ b/debian/patches/210_pixman_null_ptr_check.patch
@@ -0,0 +1,25 @@
+diff --git a/fb/fbpict.c b/fb/fbpict.c
+index 7636040..2798e24 100644
+--- a/fb/fbpict.c
++++ b/fb/fbpict.c
+@@ -163,7 +163,19 @@ create_bits_picture (PicturePtr pict,
+ pict->format,
+ pixmap->drawable.width, pixmap->drawable.height,
+ (uint32_t *)bits, stride * sizeof (FbStride));
+-
++
++ /* pixman_image_create_bits() can return NULL under a variety of circumstances:
++ - bits is NULL
++ - stride * sizeof (FbStride) is not a whole number of uint32_t's
++ - pict->format has BPP greater than its DEPTH
++ - function could not instantiate bits (via the create_bits() routine)
++ - the image could not be allocated
++ This seems a rather wide range of circumstances! Checking for NULL here
++ before pixman_image_set_accessors() seems extremely sensible. How has
++ this not been crashing more frequently?
++ */
++ if (!image)
++ return NULL;
+ 
+ #ifdef FB_ACCESS_WRAPPER
+ #if FB_SHIFT==5
diff --git a/debian/patches/series b/debian/patches/series
index f37494e..760d1a7 100644
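Review bot: The new `if (!image) return NULL;` in `create_bits_picture` is the right guard, but the eleven-line comment above it mostly speculates about pixman internals and closes with a rhetorical question, which does not belong in fb/fbpict.c; a contract comment is enough, e.g. `/* pixman_image_create_bits() returns NULL on invalid arguments or allocation failure; propagate it. */`. The early return also turns `create_bits_picture` into a function that can fail, so every caller must cope with a NULL result, and anything the function acquired before the `pixman_image_create_bits()` call would need releasing on this path. The start of `create_bits_picture` and its callers lie outside the hunk, so neither can be confirmed here and both deserve a look before this patch ships.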
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@
 206_intel_8xx_default_to_fbdev.patch
 208_switch_on_release.diff
 209_add_legacy_bgnone_option.patch
+210_pixman_null_ptr_check.patch
-- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1pp7ul-0005re...@alioth.debian.org