Module Name: xsrc Committed By: martin Date: Sun Nov 3 15:52:50 UTC 2024
Modified Files: xsrc/external/mit/xorg-server/dist/Xi [netbsd-9]: exevents.c xichangehierarchy.c xipassivegrab.c xiquerypointer.c xiselectev.c xsrc/external/mit/xorg-server/dist/dix [netbsd-9]: devices.c enterleave.c xsrc/external/mit/xorg-server/dist/glx [netbsd-9]: glxcmds.c xsrc/external/mit/xorg-server/dist/randr [netbsd-9]: rrproperty.c rrproviderproperty.c xsrc/external/mit/xorg-server/dist/xkb [netbsd-9]: xkb.c Log Message: Apply patch, requested by mrg in ticket #1916: xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c xsrc/external/mit/xorg-server/dist/dix/devices.c xsrc/external/mit/xorg-server/dist/dix/enterleave.c xsrc/external/mit/xorg-server/dist/glx/glxcmds.c xsrc/external/mit/xorg-server/dist/randr/rrproperty.c xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c xsrc/external/mit/xorg-server/dist/xkb/xkb.c Update xorg-server to have various missing CVE fixes: CVE-2023-6377, CVE-2023-6478, CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-21885, CVE-2024-21886, CVE-2024-31080, CVE-2024-31081, CVE-2024-9632 To generate a diff of this commit: cvs rdiff -u -r1.1.1.9.2.1 -r1.1.1.9.2.2 \ xsrc/external/mit/xorg-server/dist/Xi/exevents.c cvs rdiff -u -r1.5 -r1.5.2.1 \ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c cvs rdiff -u -r1.4.2.1 -r1.4.2.2 \ xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c cvs rdiff -u -r1.4 -r1.4.2.1 \ xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c \ xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c cvs rdiff -u -r1.10 -r1.10.2.1 \ xsrc/external/mit/xorg-server/dist/dix/devices.c cvs rdiff -u -r1.6 -r1.6.2.1 \ xsrc/external/mit/xorg-server/dist/dix/enterleave.c cvs rdiff -u -r1.12 -r1.12.2.1 \ xsrc/external/mit/xorg-server/dist/glx/glxcmds.c cvs rdiff -u -r1.1.1.6.2.1 -r1.1.1.6.2.2 \ 
xsrc/external/mit/xorg-server/dist/randr/rrproperty.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c cvs rdiff -u -r1.4.2.2 -r1.4.2.3 xsrc/external/mit/xorg-server/dist/xkb/xkb.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: xsrc/external/mit/xorg-server/dist/Xi/exevents.c diff -u xsrc/external/mit/xorg-server/dist/Xi/exevents.c:1.1.1.9.2.1 xsrc/external/mit/xorg-server/dist/Xi/exevents.c:1.1.1.9.2.2 --- xsrc/external/mit/xorg-server/dist/Xi/exevents.c:1.1.1.9.2.1 Tue Feb 14 16:01:05 2023 +++ xsrc/external/mit/xorg-server/dist/Xi/exevents.c Sun Nov 3 15:52:49 2024 @@ -567,13 +567,13 @@ DeepCopyPointerClasses(DeviceIntPtr from } if (from->button->xkb_acts) { - if (!to->button->xkb_acts) { - to->button->xkb_acts = calloc(1, sizeof(XkbAction)); - if (!to->button->xkb_acts) - FatalError("[Xi] not enough memory for xkb_acts.\n"); - } + size_t maxbuttons = max(to->button->numButtons, from->button->numButtons); + to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts, + maxbuttons, + sizeof(XkbAction)); + memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction)); memcpy(to->button->xkb_acts, from->button->xkb_acts, - sizeof(XkbAction)); + from->button->numButtons * sizeof(XkbAction)); } else { free(to->button->xkb_acts); to->button->xkb_acts = NULL; Index: xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c diff -u xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.5 xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.5.2.1 --- xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c:1.5 Mon Dec 31 09:49:58 2018 +++ xsrc/external/mit/xorg-server/dist/Xi/xichangehierarchy.c Sun Nov 3 15:52:49 2024 @@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) size_t len; /* length of data remaining in request */ int rc = Success; int flags[MAXDEVICES] = { 0 }; + enum { + NO_CHANGE, + FLUSH, + CHANGED, + } changes = NO_CHANGE; REQUEST(xXIChangeHierarchyReq); REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); @@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) rc = add_master(client, c, flags); if (rc != Success) goto unwind; - } + changes = FLUSH; break; + } case XIRemoveMaster: { xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; 
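Review bot: In DeepCopyPointerClasses the new `memcpy` reads `from->button->numButtons` entries out of `from->button->xkb_acts`, and nothing visible here establishes that the source array was allocated with that many elements. The RecalculateMasterButtons change in dix/devices.c grows a master's array when its button count rises, but any other writer of `numButtons` would need the same treatment. I would state the invariant next to the copy, for example `/* xkb_acts, when non-NULL, always holds numButtons entries */`. The function begins and ends outside this hunk, so where `to->button->numButtons` is updated cannot be checked from here.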
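Review bot: The `changes` enum in ProcXIChangeHierarchy is declared without a comment, and the code does not show why XIAddMaster/XIRemoveMaster set `FLUSH` while attach/detach only set `CHANGED`. Presumably it is because `flags` is indexed by device id (`int flags[MAXDEVICES]`) and an id can be released and reused within one request, so one event must not carry both changes; that should be confirmed and written down. A short block comment above the enum describing the three states would help. So would a one-line comment at `unwind:` saying that only `NO_CHANGE` or `CHANGED` can arrive there, since the loop resets `FLUSH` before the next iteration.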
@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) rc = remove_master(client, r, flags); if (rc != Success) goto unwind; - } + changes = FLUSH; break; + } case XIDetachSlave: { xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; @@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) rc = detach_slave(client, c, flags); if (rc != Success) goto unwind; - } + changes = CHANGED; break; + } case XIAttachSlave: { xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; @@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) rc = attach_slave(client, c, flags); if (rc != Success) goto unwind; + changes = CHANGED; + break; } + default: break; } + if (changes == FLUSH) { + XISendDeviceHierarchyEvent(flags); + memset(flags, 0, sizeof(flags)); + changes = NO_CHANGE; + } + len -= any->length * 4; any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); } unwind: - - XISendDeviceHierarchyEvent(flags); + if (changes != NO_CHANGE) + XISendDeviceHierarchyEvent(flags); return rc; } Index: xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c diff -u xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.4.2.1 xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.4.2.2 --- xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c:1.4.2.1 Mon Jan 23 13:40:00 2023 +++ xsrc/external/mit/xorg-server/dist/Xi/xipassivegrab.c Sun Nov 3 15:52:49 2024 @@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client GrabParameters param; void *tmp; int mask_len; + uint32_t length; REQUEST(xXIPassiveGrabDeviceReq); REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq, 
@@ -234,9 +235,11 @@ ProcXIPassiveGrabDevice(ClientPtr client } } + /* save the value before SRepXIPassiveGrabDevice swaps it */ + length = rep.length; WriteReplyToClient(client, sizeof(rep), &rep); if (rep.num_modifiers) - WriteToClient(client, rep.length * 4, modifiers_failed); + WriteToClient(client, length * 4, modifiers_failed); out: free(modifiers_failed); Index: xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c diff -u xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c:1.4 xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c:1.4.2.1 --- xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c:1.4 Mon Dec 31 09:49:58 2018 +++ xsrc/external/mit/xorg-server/dist/Xi/xiquerypointer.c Sun Nov 3 15:52:49 2024 @@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) if (pDev->button) { int i; - rep.buttons_len = - bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); + rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ rep.length += rep.buttons_len; buttons = calloc(rep.buttons_len, 4); if (!buttons) Index: xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c diff -u xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c:1.4 xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c:1.4.2.1 --- xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c:1.4 Mon Dec 31 09:49:58 2018 +++ xsrc/external/mit/xorg-server/dist/Xi/xiselectev.c Sun Nov 3 15:52:49 2024 @@ -297,6 +297,7 @@ ProcXIGetSelectedEvents(ClientPtr client InputClientsPtr others = NULL; xXIEventMask *evmask = NULL; DeviceIntPtr dev; + uint32_t length; REQUEST(xXIGetSelectedEventsReq); REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq); 
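Review bot: The condition `if (rep.num_modifiers)` in ProcXIPassiveGrabDevice still reads the reply struct after `WriteReplyToClient`, which is the same struct the new comment says SRepXIPassiveGrabDevice swaps in place. If that routine also swaps `num_modifiers`, the test only works because a byte-swapped non-zero value is still non-zero, which is easy to break in a later edit. Either save it with the length or say so in the comment, for example `/* rep may be byte-swapped from here on; num_modifiers is only tested for non-zero */`. The same applies to `if (reply.num_masks)` in the ProcXIGetSelectedEvents hunk of xiselectev.c.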
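Review bot: The literal `256` in `bits_to_bytes(256)` in ProcXIQueryPointer is a bare magic number, and the same literal is repeated in DeviceFocusEvent in dix/enterleave.c, so the two buffer sizes can drift apart. The server headers already define a button-map length constant (`MAP_LENGTH`, if I recall the name correctly), and using it in both places would tie the allocation to the type that bounds the map values. The trailing comment `/* button map up to 255 */` is also terser than the explanation given in enterleave.c; the CARD8 reasoning should be repeated here. The loop that fills `buttons` lies outside this hunk, so the indices it sets could not be checked against the new size.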
@@ -366,10 +367,12 @@ ProcXIGetSelectedEvents(ClientPtr client } } + /* save the value before SRepXIGetSelectedEvents swaps it */ + length = reply.length; WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), &reply); if (reply.num_masks) - WriteToClient(client, reply.length * 4, buffer); + WriteToClient(client, length * 4, buffer); free(buffer); return Success; Index: xsrc/external/mit/xorg-server/dist/dix/devices.c diff -u xsrc/external/mit/xorg-server/dist/dix/devices.c:1.10 xsrc/external/mit/xorg-server/dist/dix/devices.c:1.10.2.1 --- xsrc/external/mit/xorg-server/dist/dix/devices.c:1.10 Mon Dec 31 09:49:59 2018 +++ xsrc/external/mit/xorg-server/dist/dix/devices.c Sun Nov 3 15:52:49 2024 @@ -451,14 +451,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sen { DeviceIntPtr *prev, other; BOOL enabled; + BOOL dev_in_devices_list = FALSE; int flags[MAXDEVICES] = { 0 }; if (!dev->enabled) return TRUE; - for (prev = &inputInfo.devices; - *prev && (*prev != dev); prev = &(*prev)->next); - if (*prev != dev) + for (other = inputInfo.devices; other; other = other->next) { + if (other == dev) { + dev_in_devices_list = TRUE; + break; + } + } + + if (!dev_in_devices_list) return FALSE; TouchEndPhysicallyActiveTouches(dev); @@ -474,6 +480,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sen flags[other->id] |= XISlaveDetached; } } + + for (other = inputInfo.off_devices; other; other = other->next) { + if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { + AttachDevice(NULL, other, NULL); + flags[other->id] |= XISlaveDetached; + } + } } else { for (other = inputInfo.devices; other; other = other->next) { @@ -508,6 +521,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sen LeaveWindow(dev); SetFocusOut(dev); + for (prev = &inputInfo.devices; + *prev && (*prev != dev); prev = &(*prev)->next); + *prev = dev->next; dev->next = inputInfo.off_devices; inputInfo.off_devices = dev; 
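Review bot: The relocated list walk in DisableDevice (`for (prev = &inputInfo.devices; *prev && (*prev != dev); ...);`) is followed directly by `*prev = dev->next;` with no check that the walk actually stopped on `dev`. Membership was verified at function entry, but several calls run in between (AttachDevice, LeaveWindow and SetFocusOut are visible in these hunks), and whether any of them can unlink `dev` is not visible here. If the walk reaches the end of the list, the assignment appends `dev->next` to the tail instead of unlinking anything. A guard such as `if (*prev != dev) return FALSE;` would cover that case, or at least a comment stating that `dev` is still expected to be on `inputInfo.devices`. The empty-bodied `for` ending in `;` is also easy to misread and would be clearer with an explicit `{ }` or `continue;`.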
@@ -1067,6 +1083,11 @@ CloseDownDevices(void) dev->master = NULL; } + for (dev = inputInfo.off_devices; dev; dev = dev->next) { + if (!IsMaster(dev) && !IsFloating(dev)) + dev->master = NULL; + } + CloseDeviceList(&inputInfo.devices); CloseDeviceList(&inputInfo.off_devices); @@ -2499,6 +2520,8 @@ RecalculateMasterButtons(DeviceIntPtr sl if (master->button && master->button->numButtons != maxbuttons) { int i; + int last_num_buttons = master->button->numButtons; + DeviceChangedEvent event = { .header = ET_Internal, .type = ET_DeviceChanged, @@ -2509,6 +2532,14 @@ RecalculateMasterButtons(DeviceIntPtr sl }; master->button->numButtons = maxbuttons; + if (last_num_buttons < maxbuttons) { + master->button->xkb_acts = xnfreallocarray(master->button->xkb_acts, + maxbuttons, + sizeof(XkbAction)); + memset(&master->button->xkb_acts[last_num_buttons], + 0, + (maxbuttons - last_num_buttons) * sizeof(XkbAction)); + } memcpy(&event.buttons.names, master->button->labels, maxbuttons * sizeof(Atom)); Index: xsrc/external/mit/xorg-server/dist/dix/enterleave.c diff -u xsrc/external/mit/xorg-server/dist/dix/enterleave.c:1.6 xsrc/external/mit/xorg-server/dist/dix/enterleave.c:1.6.2.1 --- xsrc/external/mit/xorg-server/dist/dix/enterleave.c:1.6 Mon Dec 31 09:49:59 2018 +++ xsrc/external/mit/xorg-server/dist/dix/enterleave.c Sun Nov 3 15:52:49 2024 @@ -675,7 +675,8 @@ static void DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) { int evcount = 1; - deviceStateNotify *ev, *sev; + deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; + deviceStateNotify *ev; deviceKeyStateNotify *kev; deviceButtonStateNotify *bev; @@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev } } - sev = ev = xallocarray(evcount, sizeof(xEvent)); + ev = sev; FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); if (b != NULL) { @@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, DeviceStateNotifyMask, NullGrab); - free(sev); } void 
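Review bot: In RecalculateMasterButtons the new `memset` clears only the entries from `last_num_buttons` upward, which is correct only when `master->button->xkb_acts` already pointed to an initialised array. The DeepCopyPointerClasses hunk in Xi/exevents.c shows that NULL is a legal state for `xkb_acts`. In that state `xnfreallocarray` behaves like a fresh allocation, the first `last_num_buttons` entries keep indeterminate contents, and the pointer becomes non-NULL. I would compute the kept prefix before reallocating, `int keep = master->button->xkb_acts ? last_num_buttons : 0;`, and clear from `&master->button->xkb_acts[keep]` for `(maxbuttons - keep)` entries. The function starts and ends outside this hunk.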
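Review bot: The fixed-size stack array `sev[6 + (MAX_VALUATORS + 2)/3]` in DeliverStateNotifyEvent replaces a heap buffer that was sized from `evcount`, so the capacity and the computed count are no longer tied together by construction. The constant `6` is not explained, and nothing in the visible hunks checks `evcount` against the array length before `ev = sev;` and the later `DeliverEventsToWindow(..., evcount, ...)`. A comment listing which events the `6` accounts for would document the bound. A guard before `ev = sev;`, such as `if (evcount > (int) (sizeof(sev) / sizeof(sev[0]))) return;` or the tree's own bug-assert macro, would keep a future change to the counting code from writing past the array. The counting logic itself is mostly outside these hunks.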
@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int t mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); - /* XI 2 event */ - btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; + /* XI 2 event contains the logical button map - maps are CARD8 + * so we need 256 bits for the possibly maximum mapping */ + btlen = (mouse->button) ? bits_to_bytes(256) : 0; btlen = bytes_to_int32(btlen); len = sizeof(xXIFocusInEvent) + btlen * 4; Index: xsrc/external/mit/xorg-server/dist/glx/glxcmds.c diff -u xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.12 xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.12.2.1 --- xsrc/external/mit/xorg-server/dist/glx/glxcmds.c:1.12 Fri May 31 18:01:11 2019 +++ xsrc/external/mit/xorg-server/dist/glx/glxcmds.c Sun Nov 3 15:52:49 2024 @@ -48,6 +48,7 @@ #include "indirect_util.h" #include "protocol-versions.h" #include "glxvndabi.h" +#include "xace.h" static char GLXServerVendorName[] = "SGI"; @@ -1373,6 +1374,13 @@ DoCreatePbuffer(ClientPtr client, int sc if (!pPixmap) return BadAlloc; + err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, + pPixmap, RT_NONE, NULL, DixCreateAccess); + if (err != Success) { + (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); + return err; + } + /* Assign the pixmap the same id as the pbuffer and add it as a * resource so it and the DRI2 drawable will be reclaimed when the * pbuffer is destroyed. */ Index: xsrc/external/mit/xorg-server/dist/randr/rrproperty.c diff -u xsrc/external/mit/xorg-server/dist/randr/rrproperty.c:1.1.1.6.2.1 xsrc/external/mit/xorg-server/dist/randr/rrproperty.c:1.1.1.6.2.2 --- xsrc/external/mit/xorg-server/dist/randr/rrproperty.c:1.1.1.6.2.1 Sun Oct 29 16:45:23 2023 +++ xsrc/external/mit/xorg-server/dist/randr/rrproperty.c Sun Nov 3 15:52:49 2024 
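Review bot: The new `XaceHook(XACE_RESOURCE_ACCESS, ..., DixCreateAccess)` call in DoCreatePbuffer has no comment explaining why a pixmap that the server itself just created needs an access hook. As I read it, the purpose is to let security modules label (or veto) the backing pixmap before the following code registers it as a resource under the pbuffer's id. Saying so keeps the call from being removed as redundant later, for example `/* give XACE modules a chance to label the backing pixmap before it becomes a resource */`. The error path destroys the pixmap before returning, which matches the ownership at that point in the visible code. The function continues outside the hunk.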
@@ -530,7 +530,7 @@ ProcRRChangeOutputProperty(ClientPtr cli char format, mode; unsigned long len; int sizeInBytes; - int totalSize; + uint64_t totalSize; int err; REQUEST_AT_LEAST_SIZE(xRRChangeOutputPropertyReq); Index: xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c diff -u xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c:1.1.1.1 xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c:1.1.1.1.4.1 --- xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c:1.1.1.1 Wed Aug 10 07:44:32 2016 +++ xsrc/external/mit/xorg-server/dist/randr/rrproviderproperty.c Sun Nov 3 15:52:49 2024 @@ -498,7 +498,7 @@ ProcRRChangeProviderProperty(ClientPtr c char format, mode; unsigned long len; int sizeInBytes; - int totalSize; + uint64_t totalSize; int err; REQUEST_AT_LEAST_SIZE(xRRChangeProviderPropertyReq); Index: xsrc/external/mit/xorg-server/dist/xkb/xkb.c diff -u xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.4.2.2 xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.4.2.3 --- xsrc/external/mit/xorg-server/dist/xkb/xkb.c:1.4.2.2 Fri Jul 15 17:17:02 2022 +++ xsrc/external/mit/xorg-server/dist/xkb/xkb.c Sun Nov 3 15:52:50 2024 @@ -2987,13 +2987,13 @@ _XkbSetCompatMap(ClientPtr client, Devic XkbSymInterpretPtr sym; unsigned int skipped = 0; - if ((unsigned) (req->firstSI + req->nSI) > compat->num_si) { - compat->num_si = req->firstSI + req->nSI; + if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) { + compat->num_si = compat->size_si = req->firstSI + req->nSI; compat->sym_interpret = reallocarray(compat->sym_interpret, - compat->num_si, + compat->size_si, sizeof(XkbSymInterpretRec)); if (!compat->sym_interpret) { - compat->num_si = 0; + compat->num_si = compat->size_si = 0; return BadAlloc; } }
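Review bot: Widening `totalSize` to `uint64_t` in ProcRRChangeOutputProperty only helps if the value assigned to it is computed in 64 bits, and the assignment is outside this hunk. With the operands declared here (`unsigned long len`, `int sizeInBytes`), a product such as `len * sizeInBytes` is evaluated in `unsigned long`, which is 32 bits wide on ILP32 ports, and is widened only afterwards. Please confirm that an earlier bound on `len` keeps the product below 2^32, or make the width explicit with `totalSize = (uint64_t) len * sizeInBytes;`. The identical change in ProcRRChangeProviderProperty (rrproviderproperty.c) needs the same check.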
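Review bot: The `reallocarray` result in _XkbSetCompatMap is still assigned straight back to `compat->sym_interpret`, and `num_si`/`size_si` are raised before the allocation is known to have succeeded. On failure the previous array is leaked and no longer reachable, and the device's existing interpretations are lost even though the request is rejected with BadAlloc. Growing into a temporary and committing the pointer and both counters together avoids both problems. The function continues outside this hunk.

```c
if ((unsigned) (req->firstSI + req->nSI) > compat->size_si) {
    unsigned int want = req->firstSI + req->nSI;
    XkbSymInterpretPtr grown = reallocarray(compat->sym_interpret, want,
                                            sizeof(XkbSymInterpretRec));

    if (!grown)
        return BadAlloc;        /* old array and its counters stay valid */
    compat->sym_interpret = grown;
    compat->num_si = compat->size_si = want;
}
```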